hackeroneMszplH1:874778
HistoryMay 15, 2020 - 9:14 a.m.

curl: Partial password leak over DNS on HTTP redirect

2020-05-1509:14:00
mszpl
hackerone.com

CVSS3: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2: 5 Medium
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.003 Low
Percentile: 67.5%

Summary:

From version 7.62, curl and libcurl leak part of the user credentials in the plain-text DNS request. This happens if the server makes a redirect, both 301 and 302, to a relative path (e.g. header 'Location: /login'). It is NOT an issue in case of absolute redirection (e.g. header 'Location: https://domain.tld/login').
I was able to make curl/libcurl send a password that started with @, but I believe that more abuse is possible with this attack.
What makes it worse is that, e.g. for occasionally run/daemon scripts with curl and authorization credentials, this can be triggered by a remote server by switching between absolute/relative without any change on the client side.
User secrets are sent in plain text and anybody in the middle can record them. User secrets are sent to the DNS server and can be recorded there.

Steps To Reproduce:

  1. Use curl > 7.61 (tested on all from 7.62 to 7.70 and I was able to exploit it)
  2. Find a server with relative redirection (e.g. https://mareksz.gq/301 or https://mareksz.gq/302)
  3. Run 'curl https://mareksz.gq/302 -v -L -u saduser:@S3cr3t'

Supporting Material/References:

Logs from running the above steps:

/ $ curl -V
curl 7.66.0-DEV (x86_64-pc-linux-gnu) libcurl/7.66.0-DEV OpenSSL/1.1.1d zlib/1.2.11 nghttp2/1.39.2
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
/ $ curl https://mareksz.gq/302 -v -L -u saduser:@S3cr3t
*   Trying 194.182.85.202:443...
* TCP_NODELAY set
* Connected to mareksz.gq (194.182.85.202) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=mareksz.gq
*  start date: Apr 27 10:32:33 2020 GMT
*  expire date: Jul 26 10:32:33 2020 GMT
*  subjectAltName: host "mareksz.gq" matched cert's "mareksz.gq"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Server auth using Basic with user 'saduser'
> GET /302 HTTP/1.1
> Host: mareksz.gq
> Authorization: Basic c2FkdXNlcjpAUzNjcjN0
> User-Agent: curl/7.66.0-DEV
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Fri, 15 May 2020 08:32:59 GMT
< Content-Type: text/html
< Content-Length: 138
< Connection: keep-alive
< Location: /goto302
<
* Ignoring the response-body
* Connection #0 to host mareksz.gq left intact
* Issue another request to this URL: 'https://saduser@S3cr3t@mareksz.gq/goto302'
* Could not resolve host: S3cr3t@mareksz.gq
* Closing connection 1
curl: (6) Could not resolve host: S3cr3t@mareksz.gq

Traffic pcap'ed:

/ $ tcpdump 'udp' -vv
X.X.X.X:X IP (tos 0x0, ttl 255, id 57291, offset 0, flags [none], proto UDP (17), length 63)
_ > _ : [udp sum ok] 27230+ A? S3cr3t@mareksz.gq. (35)
X.X.X.X:X IP (tos 0x0, ttl 255, id 55686, offset 0, flags [none], proto UDP (17), length 63)
_ > _ : [udp sum ok] 51727+ AAAA? S3cr3t@mareksz.gq. (35)
X.X.X.X:X IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 136)
_ > _ : [udp sum ok] 27230 NXDomain q: A? S3cr3t@mareksz.gq. 0/1/0 ns: gq. SOA a.ns.gq. info.equatorialguineadomains.com. 1589532137 10800 3600 604800 5 (108)
X.X.X.X:X IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 136)
_ > _ : [udp sum ok] 51727 NXDomain q: AAAA? S3cr3t@mareksz.gq. 0/1/0 ns: gq. SOA a.ns.gq. info.equatorialguineadomains.com. 1589532235 10800 3600 604800 5 (108)

[attachment / reference] Attached Wireshark screenshot with leaked creds.

Impact

I believe it is rather high. A third party has control over it: part of your credentials is being sent over the network in plain text to the DNS server.
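An added illustration of the mechanism behind the report (example code written here, not curl's code and not part of the original report): the -u credentials are spliced raw into the URL that is re-parsed after the relative redirect, and a parser that cuts the authority at the first '@' then hands the resolver "S3cr3t@mareksz.gq", exactly the name seen in the log above. The user, password, host and Location values are constructed to match the report; the first-'@' parser is a hypothetical model of the observed behaviour, not curl's urlapi, and the percent-encoded form shows why escaping userinfo removes the ambiguity.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed to match the report: user "saduser", password "@S3cr3t",
# relative "Location: /goto302" served by mareksz.gq.
USER, PASSWORD, HOST, LOCATION = "saduser", "@S3cr3t", "mareksz.gq", "/goto302"


def naive_redirect_url(user, password, host, location):
    """Pre-fix style: -u credentials spliced raw into the URL that gets re-parsed."""
    return f"https://{user}:{password}@{host}{location}"


def encoded_redirect_url(user, password, host, location):
    """Hardened form: percent-encode userinfo so a '@' or ':' inside it cannot move
    the userinfo/host boundary when the URL is parsed again after a redirect."""
    return f"https://{quote(user, safe='')}:{quote(password, safe='')}@{host}{location}"


def first_at_authority_split(url):
    """Simplified parser that cuts userinfo from host at the FIRST '@'.
    Hypothetical model of what the report's log shows (the resolver was asked for
    'S3cr3t@mareksz.gq'); this is not curl's urlapi code."""
    authority = url.split("://", 1)[1].partition("/")[0]
    userinfo, sep, host = authority.partition("@")
    if not sep:                      # no userinfo component at all
        return "", "", authority
    user, _, password = userinfo.partition(":")
    return user, unquote(password), host


def stdlib_view(url):
    """How Python's urlsplit (last-'@' rule) reads the same URL: parsers disagree,
    which is why an unescaped '@' in the password is dangerous."""
    parts = urlsplit(url)
    return parts.hostname, unquote(parts.password or "")


def dns_name_leaks_secret(qname, secret):
    """Detection check for resolver logs or pcaps: a query name containing '@', or
    the password bytes that follow it, is the leak signature from the report."""
    core = secret.strip("@")
    return "@" in qname or (bool(core) and core in qname)


if __name__ == "__main__":
    for build in (naive_redirect_url, encoded_redirect_url):
        url = build(USER, PASSWORD, HOST, LOCATION)
        print(url, first_at_authority_split(url), stdlib_view(url))
```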
