curl: Curl_auth_create_plain_message integer overflow leads to heap buffer overflow

HackerOne report H1:872089 by major_tom (hackerone.com), 2020-05-12 16:26:28

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.011 Low (percentile 82.2%)

Summary:

There is an incorrect integer overflow check in Curl_auth_create_plain_message in lib/vauth/cleartext.c, leading to a potential heap buffer overflow of attacker-controlled length and data. Exploitation seems quite easy, yet the vulnerability can only be triggered locally and does not seem to lead to RCE.

This vulnerability is very similar to CVE-2018-16839 but was introduced later in this commit.

Vulnerability:

  zlen = (authzid == NULL ? 0 : strlen(authzid));
  clen = strlen(authcid);
  plen = strlen(passwd);

  /* Compute binary message length. Check for overflows. */
  if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) (1)
    return CURLE_OUT_OF_MEMORY;
  plainlen = zlen + clen + plen + 2; (2)

  plainauth = malloc(plainlen); (3)
  if(!plainauth)
    return CURLE_OUT_OF_MEMORY;

  /* Calculate the reply */
  if(zlen != 0)
    memcpy(plainauth, authzid, zlen); (4)

In (1), zlen + clen can wrap around, so the check that is meant to catch an integer overflow is ineffective.

In (2), plainlen can therefore also wrap, so the allocation in (3) is undersized.

A heap buffer overflow of controlled size can then occur in (4): clen, plen and zlen can be chosen so that the wrap-around happens in (1) and (2) while memcpy still copies the full zlen bytes.

The data in authzid may be fully controlled, which makes exploitation of the heap buffer overflow trivial.
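The flawed bound beside one hardened form, as an added example that is not curl's code. The hardened variant is my assumption of a fix (bound each length on its own before adding), not necessarily the project's patch; SIZE_T_MAX is mapped to SIZE_MAX, and the wrapping lengths are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_T_MAX SIZE_MAX

/* Length computation as quoted in the report, steps (1)-(2). Returns the
 * plainlen that would be handed to malloc, or 0 when the check rejects the
 * input. zlen + clen is added before it is compared, so the sum can wrap. */
static size_t plainlen_vulnerable(size_t zlen, size_t clen, size_t plen)
{
  if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
    return 0;                          /* curl returns CURLE_OUT_OF_MEMORY */
  return zlen + clen + plen + 2;       /* may itself have wrapped */
}

/* Hardened form (my assumption, not necessarily the project's patch): bound
 * each operand on its own, so the addition below can never wrap. */
static size_t plainlen_hardened(size_t zlen, size_t clen, size_t plen)
{
  if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) ||
     (plen > (SIZE_T_MAX/2 - 2)))
    return 0;
  return zlen + clen + plen + 2;       /* sum is at most SIZE_T_MAX - 2 */
}

/* Constructed lengths: zlen + clen wraps to 4, so the vulnerable path sizes
 * a 6-byte buffer for a memcpy of zlen bytes (step (4) in the report). */
#define WRAP_ZLEN (SIZE_T_MAX - 5)
#define WRAP_CLEN ((size_t)10)
#define WRAP_PLEN ((size_t)0)

int main(void)
{
  size_t vlen = plainlen_vulnerable(WRAP_ZLEN, WRAP_CLEN, WRAP_PLEN);
  size_t hlen = plainlen_hardened(WRAP_ZLEN, WRAP_CLEN, WRAP_PLEN);
  printf("vulnerable check: plainlen=%zu for a memcpy of %zu bytes\n",
         vlen, (size_t)WRAP_ZLEN);
  printf("hardened check:   plainlen=%zu (0 means rejected)\n", hlen);
  return 0;
}
```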

Limitations:

This vulnerability is not trivially triggered, as it requires the authzid, authcid and passwd strings to be controlled by an attacker, and requires at least two of them to be over 2 GB long, which is not very likely to happen.

Moreover, there are further limitations on strings: they cannot be over 2 GB in size if set through curl_easy mechanisms, but I believe they can be set with no such limitation through configuration files (untested).

I did not include any PoC code for these reasons. I can always try to make one later if necessary.

Impact:

This might lead to local code execution through a heap buffer overflow, or, depending on how an application uses libcurl, to RCE (though not very likely).
