There is an incorrect integer overflow check in Curl_auth_create_plain_message
in lib/vauth/cleartext.c
, leading to a potential heap buffer overflow of controlled length and data. The exploitation seems quite easy, yet the vulnerability can only be triggered locally and does not seem to lead to RCE.
This vulnerability is very similar to CVE-2018-16839 but was introduced later in this commit
zlen = (authzid == NULL ? 0 : strlen(authzid));
clen = strlen(authcid);
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) (1)
return CURLE_OUT_OF_MEMORY;
plainlen = zlen + clen + plen + 2; (2)
plainauth = malloc(plainlen); (3)
if(!plainauth)
return CURLE_OUT_OF_MEMORY;
/* Calculate the reply */
if(zlen != 0)
memcpy(plainauth, authzid, zlen); (4)
In (1), zlen + clen
can overflow, making the check for integer overflow useless.
In (2), plainlen
can thus overflow, leading to an incorrect size for memory allocation done in (3).
A heap buffer overflow of controlled size can then occur in (4), as we can compute clen
, plen
and zlen
as needed for the overflow to occur in (1) and (2).
The data in authzid
might be fully controlled and can lead to a trivial exploitation of the heap buffer overflow.
This vulnerability is not trivially triggered, as it requires the authzid
, authcid
and passwd
strings to be controlled by an attacker, and require at least 2 of them to be over 2GB-long, which is not very likely to happen.
Moreover, there are more limitations on strings, as they can not be over 2GB of size, if set through curl_easy mechanisms, but I believe they can be set with no such limitations through configuration files (untested).
I did not include any PoC code for such reasons. I can always try to make one later if necessary.
This might lead to local code execution through a heap buffer overflow, or, in case of unknown usage of libcurl from an application, to RCE (yet not very likely).