CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low
Percentile: 67.5%
From version 7.62, curl and libcurl leak part of the user's credentials in a plain-text DNS request. This happens when the server redirects (301 or 302) to a relative path (e.g. header 'Location: /login'). It is NOT an issue for an absolute redirect (e.g. header 'Location: https://domain.tld/login').
I was able to make curl/libcurl send a password that started with @, but I believe that more abuse is possible with this attack.
What makes it worse is that for, e.g., periodically run or daemon scripts that call curl with authorization credentials, a remote server can trigger this by switching between absolute and relative redirects, without any change on the client side.
User secrets are sent in plain text, so anybody in the middle can record them. They are also sent to the DNS server and can be recorded there.
Logs from running the steps above:
/ $ curl -V
curl 7.66.0-DEV (x86_64-pc-linux-gnu) libcurl/7.66.0-DEV OpenSSL/1.1.1d zlib/1.2.11 nghttp2/1.39.2
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
/ $ curl https://mareksz.gq/302 -v -L -u saduser:@S3cr3t
Traffic captured with tcpdump:
/ $ tcpdump 'udp' -vv
X.X.X.X:X IP (tos 0x0, ttl 255, id 57291, offset 0, flags [none], proto UDP (17), length 63)
_ > _ : [udp sum ok] 27230+ A? [email protected]. (35)
X.X.X.X:X IP (tos 0x0, ttl 255, id 55686, offset 0, flags [none], proto UDP (17), length 63)
_ > _ : [udp sum ok] 51727+ AAAA? [email protected]. (35)
X.X.X.X:X IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 136)
_ > _ : [udp sum ok] 27230 NXDomain q: A? [email protected]. 0/1/0 ns: gq. SOA a.ns.gq. info.equatorialguineadomains.com. 1589532137 10800 3600 604800 5 (108)
X.X.X.X:X IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 136)
_ > _ : [udp sum ok] 51727 NXDomain q: AAAA? [email protected]. 0/1/0 ns: gq. SOA a.ns.gq. info.equatorialguineadomains.com. 1589532235 10800 3600 604800 5 (108)
I believe it is rather high. A third party has control over it; part of your credentials is being sent over the network in plain text to the DNS server.