Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <r85p1n21-op55-n272-q38p-44pp3qq4o852@unkk.fr>
Date: Wed, 11 Oct 2023 07:59:02 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...ts.haxx.se>, 
    curl-announce@...ts.haxx.se, libcurl hacking <curl-library@...ts.haxx.se>, 
    oss-security@...ts.openwall.com
Subject: [SECURITY ADVISORY] curl: CVE-2023-38546

cookie injection with none file
===============================

Project curl Security Advisory, October 11 2023 -
[Permalink](https://curl.se/docs/CVE-2023-38546.html)

VULNERABILITY
-------------

This flaw allows an attacker to insert cookies at will into a running program
using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles"
that are the individual handles for single transfers.

libcurl provides a function call that duplicates en easy handle called
[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).

If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific file on
disk, the cloned version of the handle would instead store the file name as
`none` (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to
load cookies from would then inadvertently load cookies from a file named
`none` - if such a file exists and is readable in the current directory of the
program using libcurl. And if using the correct file format of course.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-38546 to this issue.

CWE-73: External Control of File Name or Path

Severity: Low

We set it to low because the flaw requires a series of conditions to be met
and the likeliness that they shall allow an attacker to take advantage of it
is low. Even if the bug could be made to trigger, the risk that a cookie
injection can be done to cause harm is additionally also low.

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.9.1 to and including 8.3.0
- Not affected versions: libcurl < 7.9.1 and >= 8.4.0
- Introduced-in: https://github.com/curl/curl/commit/74d5a6fb3b9a96d9f

libcurl is used by many applications, but not always advertised as such!

The (flawed) logic that created this bug existed even before the
`curl_easy_duphandle()` function was added, but it did not become this problem
until this API was introduced.

This flaw is not accessible using the curl command line tool.

SOLUTION
------------

Starting in curl 8.4.0, curl not longer stores the file name in the cookie struct.

- Fixed-in: https://github.com/curl/curl/commit/61275672b46d9abb32857404

RECOMMENDATIONS
--------------

  A - Upgrade curl to version 8.4.0

  B - Apply the patch to your local version

  C - Call `curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL");` right
      after every `curl_easy_duphandle();` call.

TIMELINE
--------

This issue was reported to the curl project on September 14, 2023. We contacted
distros@...nwall on October 3, 2023.

libcurl 8.4.0 was released on October 11 2023, coordinated with the
publication of this advisory.

CREDITS
-------

- Reported-by: w0x42 on hackerone
- Patched-by: Daniel Stenberg

Thanks a lot!

-- 

  / daniel.haxx.se

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.