Lucene search

Major_tomH1:872089

HistoryMay 12, 2020 - 4:26 p.m.

curl: Curl_auth_create_plain_message integer overflow leads to heap buffer overflow

2020-05-1216:26:28

major_tom

hackerone.com

EPSS

0.016

Percentile

87.4%

JSON

Summary:

There is an incorrect integer overflow check in Curl_auth_create_plain_message in lib/vauth/cleartext.c , leading to a potential heap buffer overflow of controlled length and data. The exploitation seems quite easy, yet the vulnerability can only be triggered locally and does not seem to lead to RCE.

This vulnerability is very similar to CVE-2018-16839 but was introduced later in this commit

Vulnerability:

  zlen = (authzid == NULL ? 0 : strlen(authzid));
  clen = strlen(authcid);
  plen = strlen(passwd);

  /* Compute binary message length. Check for overflows. */
  if(((zlen + clen) &gt; SIZE_T_MAX/4) || (plen &gt; (SIZE_T_MAX/2 - 2))) (1)
    return CURLE_OUT_OF_MEMORY;
  plainlen = zlen + clen + plen + 2; (2)

  plainauth = malloc(plainlen); (3)
  if(!plainauth)
    return CURLE_OUT_OF_MEMORY;

  /* Calculate the reply */
  if(zlen != 0)
    memcpy(plainauth, authzid, zlen); (4)

In (1), zlen + clen can overflow, making the check for integer overflow useless.

In (2), plainlen can thus overflow, leading to an incorrect size for memory allocation done in (3).

A heap buffer overflow of controlled size can then occur in (4), as we can compute clen, plen and zlen as needed for the overflow to occur in (1) and (2).

The data in authzid might be fully controlled and can lead to a trivial exploitation of the heap buffer overflow.

Limitations:

This vulnerability is not trivially triggered, as it requires the authzid, authcid and passwd strings to be controlled by an attacker, and require at least 2 of them to be over 2GB-long, which is not very likely to happen.

Moreover, there are more limitations on strings, as they can not be over 2GB of size, if set through curl_easy mechanisms, but I believe they can be set with no such limitations through configuration files (untested).

I did not include any PoC code for such reasons. I can always try to make one later if necessary.

Impact

This might lead to local code execution through a heap buffer overflow, or, in case of unknown usage of libcurl from an application, to RCE (yet not very likely).