Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneTsedlmeyerH1:812969
HistoryMar 08, 2020 - 1:06 a.m.

curl: curl still vulnerable to SMB access smuggling via FILE URL on Windows

2020-03-0801:06:41
tsedlmeyer
hackerone.com
9
JSON

Summary:

The released fix for CVE-2019-15601, SMB access smuggling via FILE URL on Windows, leaves curl still vulnerable to SMB access smuggling via FILE URLs.

  • FILE URLs formatted as file:////smb_server/smb_share/file are not filtered.
  • FILE URLs which point to the global DOS name space, ??, and formatted as file:///%3f%3f/UNC/smb_server/smb_share/file_name or file:///%3f%3f/GLOBAL/UNC/smb_server/smb_share/file are not filtered.

Steps To Reproduce:

  1. curl file:////localhost/c$/windows/win.ini
  2. curl file:///%3f%3f/UNC/localhost/c$/windows/win.ini
  3. curl file:///%3f%3f/GLOBAL/UNC/localhost/c$/windows/win.ini

The above examples will return the contents of C:\Windows\win.ini utilizing SMB to fetch the file via the local administrative share for the C drive. This will also work with remote shares.

Impact

A properly crafted URL could cause a user to unknowingly access a remote file.

Related

ibm 3
veracode 1
openvas 4
nessus 2
redhatcve 1
symantec 1
cve 1
cloudfoundry 1
freebsd 1
oracle 1
ibm
ibm
Security Bulletin: cURL vulnerability CVE-2019-15601 impacts IBM Aspera Streaming/IBM Aspera Streaming for Video version 3.9.6.1 and earlier
2020-12-08 18:37:57
Security Bulletin: IBM MQ is affected by a vulnerability within cURL libcurl (CVE-2019-15601)
2020-04-15 10:24:14
Security Bulletin: cURL vulnerability CVE-2019-15601 impacts IBM Aspera High-Speed Transfer Server 3.9.6.2 and earlier and Aspera High-Speed Transfer Endpoint 3.9.6.2 and earlier
2020-12-10 23:59:30
veracode
veracode
Unauthorized Remote File Access
2020-01-08 04:47:16
openvas
openvas
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2020-1144)
2020-02-25 00:00:00
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2020-1345)
2020-04-01 00:00:00
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2020-1376)
2020-04-16 00:00:00
nessus
nessus
EulerOS Virtualization for ARM 64 3.0.6.0 : curl (EulerOS-SA-2020-1345)
2020-04-02 00:00:00
EulerOS 2.0 SP8 : curl (EulerOS-SA-2020-1144)
2020-02-25 00:00:00
redhatcve
redhatcve
CVE-2019-15601
2020-04-14 19:26:09
symantec
symantec
cURL CVE-2019-15601 Remote Security Bypass Vulnerability
2020-01-08 00:00:00
cve
cve
CVE-2019-15601
2020-01-06 17:15:00
cloudfoundry
cloudfoundry
PXC Release update for April 2020 MySQL security patches | Cloud Foundry
2020-08-10 00:00:00
freebsd
freebsd
MySQL Server -- Multiple vulerabilities
2020-04-14 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2020
2020-04-14 00:00:00
JSON
Related for H1:812969
ibm3veracode1openvas4nessus2redhatcve1symantec1cve1cloudfoundry1freebsd1oracle1