206 matches found
Metalink download sends credentials
When curl is instructed to get content using the Metalink feature, and a user name and password are used to download the Metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl downloads or tries to download the contents from. Often contrar...
CURLOPT_SSLCERT mix-up with Secure Transport
libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPTSSLCERT option --cert with the command line tool. When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certifica...
TELNET stack contents disclosure again
curl supports the -t command line option, known as CURLOPTTELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to flaw in the option parser for sending NEWENV variables, libcurl could be made to pass on uninitialized data from a stack bas...
TLS session caching disaster
libcurl can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious...
Schannel cipher selection surprise
libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPTSSLCIPHERLIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS,...
TELNET stack contents disclosure
curl supports the -t command line option, known as CURLOPTTELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to flaw in the option parser for sending NEWENV variables, libcurl could be made to pass on uninitialized data from a stack bas...
Automatic referer leaks credentials
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl automatically sets the Referer:...
TLS 1.3 session ticket proxy host mix-up
Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote serve...
trusting FTP PASV responses
When curl performs a passive FTP transfer, it first tries the EPSV command and if that is not supported, it falls back to using PASV. Passive mode is what curl uses by default. A server response to a PASV command includes the IPv4 address and port number for the client to connect back to in order...
Inferior OCSP verification
libcurl offers "OCSP stapling" via the CURLOPTSSLVERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-stat...
FTP wildcard stack overflow
libcurl offers a wildcard matching functionality, which allows a callback set with CURLOPTCHUNKBGNFUNCTION to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns...
wrong connect-only connection
An application that performs multiple requests with libcurl's multi API and sets the CURLOPTCONNECTONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl picks and uses the wrong connection - and instead picks another one the...
curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when using -J --remote-header-name and -i --include in the same command line. The command line tool offers the -J option that saves a remote file using the filename present in the Content-Disposition: response header. curl then...
Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the hostname before it resolves it, potentially leaking the partial password over the network and to the DNS servers. libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP...
TFTP small blocksize heap buffer overflow
libcurl contains a heap buffer overflow in the function tftpreceivepacket that receives data from a TFTP server. It can call recvfrom with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is controlled b...
FTP-KRB double free
libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPTKRBLEVEL option. During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32-bit size of each block first and then that amount of data immediately following. A malicious or broken serv...
Windows OpenSSL engine code injection
A non-privileged user or program can put code and a config file in a known non-privileged path under C:/usr/local/ that makes curl automatically run the code as an OpenSSL "engine" on invocation. If that curl is invoked by a privileged user it can do anything it wants. This flaw exists in the...
TFTP receive buffer overflow
libcurl contains a heap buffer overflow in the function tftpreceivepacket that receives data from a TFTP server. It calls recvfrom with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely...
Integer overflows in URL parser
libcurl contains two integer overflows in the curlurlset function that if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow. The flaws only exist on 32-bit architectures and require excessive string input lengths...
NTLMv2 type-3 header stack buffer overflow
libcurl contains a stack based buffer overflow vulnerability. The function creating an outgoing NTLM type-3 header lib/vauth/ntlm.c:Curlauthcreatentlmtype3message, generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from...
SMTP end-of-response out-of-bounds read
libcurl contains a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtpendofresp is not null-terminated and contains no character ending the parsed number, and len is set to 5, then the strtol call reads beyond the allocated buffer. The read...
NTLM type-2 out-of-bounds buffer read
libcurl contains a heap buffer out-of-bounds read flaw. The function handling incoming NTLM type-2 messages lib/vauth/ntlm.c:ntlmdecodetype2target does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server...
use after free in handle close
libcurl contains a heap use after free flaw in code related to closing an easy handle. When closing and cleaning up an "easy" handle in the Curlclose function, the library code first frees a struct without clearing the pointer and might then subsequently erroneously write to a struct field within...
SASL password overflow via integer overflow
libcurl contains a buffer overrun in the SASL authentication code. The internal function Curlauthcreateplainmessage fails to correctly verify that the passed in lengths for name and password are not too long, then calculates a buffer size to allocate. On systems with a 32-bit sizet, the math to...
warning message out-of-buffer read
curl contains a heap out of buffer read vulnerability. The command line tool has a generic function for displaying warning and informational messages to stderr for various situations. For example if an unknown command line argument is used, or passed to it in a "config" file. This display functio...
NTLM password overflow via integer overflow
libcurl contains a buffer overrun in the NTLM authentication code. The internal function Curlntlmcoremknthash multiplies the length of the password by two SUM to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the...
SMTP send heap buffer overflow
curl might overflow a heap based memory buffer when sending data over SMTP and using a reduced read buffer. When sending data over SMTP, curl allocates a separate "scratch area" on the heap to be able to escape the uploaded data properly if the uploaded data contains data that requires it. The si...
FTP shutdown response buffer overflow
curl might overflow a heap based memory buffer when closing down an FTP connection with long server command replies. When doing FTP transfers, curl keeps a spare "closure handle" around internally that is used when an FTP connection gets shut down since the original curl easy handle is then alrea...
RTSP bad headers buffer over-read
curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded content. When servers send RTSP responses back to curl, the data starts out with a set of headers. curl parses that data to separate it into a number of headers to deal with those appropriately an...
LDAP NULL pointer dereference
curl might dereference a near-NULL address when getting an LDAP URL. The function ldapgetattributeber is called to get attributes, but it turns out that it can return LDAPSUCCESS and still return a NULL pointer in the result pointer when getting a particularly crafted response. This was a surpris...
FTP path trickery leads to NIL byte out of bounds write
curl can be fooled into writing a zero byte out of bounds. This bug can trigger when curl is told to work on an FTP URL, with the setting to only issue a single CWD command --ftp-method singlecwd or the libcurl alternative CURLOPTFTPFILEMETHOD. curl then URL-decodes the given path, calls strlen o...
RTSP RTP buffer over-read
curl can be tricked into copying data beyond end of its heap based buffer. When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer. The memcpy call would copy data from the heap following the buffer to a storage area that would subsequently be...
HTTP authentication leak in redirects
curl might leak authentication data to third parties. When asked to send custom headers in its HTTP requests, curl sends that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the...
HTTP/2 trailer out-of-bounds read
libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once...
NTLM buffer overflow via integer overflow
libcurl contains a buffer overrun flaw in the NTLM authentication code. The internal function Curlntlmcoremkntlmv2hash sums up the lengths of the username + password = SUM and multiplies the sum by two = SIZE to figure out how large storage to allocate from the heap. The SUM value is subsequently...
SSL out of buffer access
libcurl contains an out boundary access flaw in SSL related code. When allocating memory for a connection the internal struct called connectdata, a certain amount of memory is allocated at the end of the struct to be used for SSL related structs. Those structs are used by the particular SSL libra...
FTP wildcard out of bounds read
libcurl contains a read out of bounds flaw in the FTP wildcard function. libcurl's FTP wildcard matching feature, which is enabled with the CURLOPTWILDCARDMATCH option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect t...
IMAP FETCH response out of bounds read
libcurl contains a buffer overrun flaw in the IMAP handler. An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that non-existing data with a pointer and the size zero to the deliver-data...
FTP PWD response parser out of bounds read
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in anonymous or not, it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double...
TFTP sends more than buffer size
When doing a TFTP transfer and curl/libcurl is given a URL that contains a long filename longer than about 515 bytes, the filename is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the original length. This too large value is then used in the...
FILE buffer read out of bounds
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user stdout or the application's provide callback, which could lead to other private data from the heap to...
URL globbing out of bounds read
curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a...
URL file scheme drive letter buffer overflow
When libcurl is given either 1. a file: URL that does not use two slashes following the colon, or 2. is told that file is the default scheme to use for URLs without scheme ... and the given path starts with a drive letter and libcurl is built for Windows or DOS, then libcurl would copy the path...
TLS session resumption client cert bypass (again)
libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate or no...
--write-out out of buffer read
There were two bugs in curl's parser for the command line option --write-out or -w for short that would skip the end of string zero byte if the string ended in a % percent or \ backslash, and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that...
SSL_VERIFYSTATUS ignored
curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension using the CURLOPTSSLVERIFYSTATUS option. When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server does not...
uninitialized random
libcurl's new internal function that returns a good 32-bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to. This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary...
Win CE Schannel cert wildcard matches too much
curl's TLS server certificate checks are flawed on Windows CE. This vulnerability occurs in the verify certificate function when comparing a wildcard certificate name as returned by the Windows API function CertGetNameString to the hostname used to make the connection to the server. The...
printf floating point buffer overflow
libcurl's implementation of the printf functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes. The flaw happens because the floating point conversion is using system functions without the correct boundary check...
Win CE Schannel cert name out of buffer read
curl's TLS server certificate checks are flawed on Windows CE. This vulnerability occurs in the verify certificate function when comparing a wildcard certificate name as returned by the Windows API function CertGetNameString to the hostname used to make the connection to the server. The pattern...