9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.011 Low
EPSS
Percentile
82.2%
There is an incorrect integer overflow check in Curl_auth_create_plain_message
in lib/vauth/cleartext.c
, leading to a potential heap buffer overflow of controlled length and data. The exploitation seems quite easy, yet the vulnerability can only be triggered locally and does not seem to lead to RCE.
This vulnerability is very similar to CVE-2018-16839 but was introduced later in this commit
zlen = (authzid == NULL ? 0 : strlen(authzid));
clen = strlen(authcid);
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) (1)
return CURLE_OUT_OF_MEMORY;
plainlen = zlen + clen + plen + 2; (2)
plainauth = malloc(plainlen); (3)
if(!plainauth)
return CURLE_OUT_OF_MEMORY;
/* Calculate the reply */
if(zlen != 0)
memcpy(plainauth, authzid, zlen); (4)
In (1), zlen + clen
can overflow, making the check for integer overflow useless.
In (2), plainlen
can thus overflow, leading to an incorrect size for memory allocation done in (3).
A heap buffer overflow of controlled size can then occur in (4), as we can compute clen
, plen
and zlen
as needed for the overflow to occur in (1) and (2).
The data in authzid
might be fully controlled and can lead to a trivial exploitation of the heap buffer overflow.
This vulnerability is not trivially triggered, as it requires the authzid
, authcid
and passwd
strings to be controlled by an attacker, and require at least 2 of them to be over 2GB-long, which is not very likely to happen.
Moreover, there are more limitations on strings, as they can not be over 2GB of size, if set through curl_easy mechanisms, but I believe they can be set with no such limitations through configuration files (untested).
I did not include any PoC code for such reasons. I can always try to make one later if necessary.
This might lead to local code execution through a heap buffer overflow, or, in case of unknown usage of libcurl from an application, to RCE (yet not very likely).
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.011 Low
EPSS
Percentile
82.2%