Heap-based Buffer Overflow Flaw in cURL Library Using SOCKS5 Proxy

by Esmeralda McKenzie

Earlier, the maintainers of the popular curl command-line tool published a pre-announcement about two vulnerabilities affecting both the curl tool and the libcurl library.

However, the details of these vulnerabilities were withheld at the time and were scheduled to be disclosed on October 11, 2023.

As per the post, the high-severity vulnerability tracked as CVE-2023-38545 was publicly disclosed by curl. It affects the libcurl library from version 7.69.0 to 8.3.0.

However, to exploit this vulnerability, an application must be configured to use the SOCKS5 proxy mode in which the proxy resolves hostnames, and it must attempt to resolve a hostname of excessive length.


cURL Heap-based Buffer Overflow

This heap-based buffer overflow exists when an application using a vulnerable version of curl or libcurl makes HTTP requests in an environment where a threat actor has sufficient privileges to set the “http_proxy” environment variable. The severity of this vulnerability is still being analyzed.

There are prerequisites an attacker must satisfy before this attack can be carried out. These include:

  • The application must request socks5h (hostname resolution by the proxy).
  • The application’s negotiation buffer is smaller than roughly 65k.
  • The SOCKS server’s “hello” reply is delayed.

Proof-of-concept of exploitation (Source: Grey Noise)

libcurl accepts hostnames up to 65535 bytes. However, if the hostname is longer than the target buffer, the memcpy() call writes past the end of that buffer into adjacent heap memory.

The URL parser still has to accept the hostname, which limits the set of byte sequences that can be copied.
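The bounds check whose absence the paragraphs above describe, as an added example (not curl's or libcurl's code): a hostname is staged into a fixed-size, heap-allocated SOCKS5 negotiation buffer only after its length has been checked against both the one-byte length field of the SOCKS5 CONNECT request (RFC 1928) and the buffer's capacity. The function names, the buffer layout and the sizes used are assumptions made for this illustration, not libcurl's real internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1928: a SOCKS5 CONNECT request carries a domain name as one length
 * byte followed by the name, so a name longer than 255 bytes cannot be
 * expressed in that form at all. */
#define SOCKS5_MAX_DOMAIN_LEN 255

/* Fixed bytes written before the name: VER, CMD, RSV, ATYP, LEN.
 * Two port bytes follow the name. (Assumed layout for this example.) */
#define SOCKS5_CONNECT_HDR_LEN 5
#define SOCKS5_PORT_LEN 2

/* Stages a CONNECT request for host:port into `buf`, a heap-allocated
 * negotiation buffer of `bufsize` bytes. Returns the number of bytes
 * written, or -1 when the name cannot be staged safely. Nothing is
 * written to `buf` on failure. */
long stage_connect_request(unsigned char *buf, size_t bufsize,
                           const char *host, unsigned short port)
{
    size_t hostlen = strlen(host);
    size_t need;

    /* Protocol limit: the one-byte length field cannot hold more than 255. */
    if (hostlen == 0 || hostlen > SOCKS5_MAX_DOMAIN_LEN)
        return -1;

    /* Buffer limit: header + name + port must fit in the allocation.
     * Skipping this check is exactly what lets an over-long name run
     * memcpy() past the end of the buffer into neighbouring heap memory. */
    need = SOCKS5_CONNECT_HDR_LEN + hostlen + SOCKS5_PORT_LEN;
    if (need > bufsize)
        return -1;

    buf[0] = 0x05;                    /* VER: SOCKS5 */
    buf[1] = 0x01;                    /* CMD: CONNECT */
    buf[2] = 0x00;                    /* RSV */
    buf[3] = 0x03;                    /* ATYP: DOMAINNAME */
    buf[4] = (unsigned char)hostlen;  /* LEN, proven <= 255 above */
    memcpy(buf + SOCKS5_CONNECT_HDR_LEN, host, hostlen);
    buf[need - 2] = (unsigned char)(port >> 8);
    buf[need - 1] = (unsigned char)(port & 0xff);
    return (long)need;
}

/* Helper: allocates a `bufsize`-byte buffer and a constructed hostname of
 * `hostlen` 'a' characters, stages the request and returns the result. */
long demo_stage(size_t bufsize, size_t hostlen)
{
    unsigned char *buf = malloc(bufsize ? bufsize : 1);
    char *host = malloc(hostlen + 1);
    long rc;

    if (!buf || !host) { free(buf); free(host); return -1; }
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    rc = stage_connect_request(buf, bufsize, host, 1080);
    free(host);
    free(buf);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a 16 kB buffer, a normal name, and over-long ones. */
    printf("63-byte name into 16384-byte buffer:  %ld\n", demo_stage(16384, 63));
    printf("300-byte name (over RFC 1928 limit):  %ld\n", demo_stage(16384, 300));
    printf("100-byte name into 64-byte buffer:    %ld\n", demo_stage(64, 100));
    return 0;
}
```

The two checks fail closed in different ways: a name over 255 bytes is rejected because the protocol cannot carry it, and a name that would not fit the allocation is rejected before any byte is copied, so the buffer size never has to be "large enough by luck".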

“An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE or set it smaller than 65541.

Since the curl tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless rate limiting was set by the user to a rate smaller than 65541 bytes/second,” reads the advisory by curl.

This vulnerability was reported to curl by a security researcher through HackerOne.

Affected & Not Affected Products

According to curl, libcurl 7.69.0 up to and including 8.3.0 is affected by this vulnerability. libcurl versions before 7.69.0 have been confirmed not to be affected.

curl has advised users not to use CURLPROXY_SOCKS5_HOSTNAME proxies with curl and not to set a proxy environment variable to socks5h://.
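An added example (not curl's or libcurl's code) that turns the exposure conditions quoted from the advisory above and the mitigation advice here into a configuration audit: it checks whether a libcurl version string falls in the affected range, whether the proxy setting uses socks5h:// (the scheme equivalent of CURLPROXY_SOCKS5_HOSTNAME), and whether CURLOPT_BUFFERSIZE, or --limit-rate for the curl tool, is below 65541. The function names and the sample version and proxy values are assumptions constructed for this example; the version encoding mirrors the 0xXXYYZZ layout of LIBCURL_VERSION_NUM.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Affected range named in the advisory: 7.69.0 up to and including 8.3.0,
 * encoded 0xXXYYZZ like libcurl's LIBCURL_VERSION_NUM. */
#define LIBCURL_FIRST_AFFECTED 0x074500L   /* 7.69.0 */
#define LIBCURL_LAST_AFFECTED  0x080300L   /* 8.3.0 */

/* Below this buffer size (CURLOPT_BUFFERSIZE, or --limit-rate for the curl
 * tool) the advisory says an overflow is possible. */
#define SAFE_BUFFER_THRESHOLD 65541L

/* Parses "MAJOR.MINOR.PATCH" (e.g. "8.3.0", as printed by curl --version
 * or returned by curl_version_info()) into 0xXXYYZZ, or -1 if malformed. */
long parse_libcurl_version(const char *s)
{
    unsigned major, minor, patch;
    char tail;
    if (!s || sscanf(s, "%u.%u.%u%c", &major, &minor, &patch, &tail) != 3)
        return -1;
    if (major > 255 || minor > 255 || patch > 255)
        return -1;
    return (long)((major << 16) | (minor << 8) | patch);
}

/* 1 if the version is in the affected range, 0 if not, -1 if unparseable. */
int version_is_affected(const char *version)
{
    long v = parse_libcurl_version(version);
    if (v < 0) return -1;
    return (v >= LIBCURL_FIRST_AFFECTED && v <= LIBCURL_LAST_AFFECTED) ? 1 : 0;
}

/* Case-insensitive prefix test (URL schemes are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* 1 if the proxy URL asks the proxy to resolve names (socks5h://). Plain
 * socks5:// resolves locally and does not meet the advisory's condition. */
int proxy_uses_socks5h(const char *proxy_url)
{
    return proxy_url != NULL && has_prefix_ci(proxy_url, "socks5h://");
}

/* Exposure for a libcurl-based application: affected version, socks5h
 * proxy, and CURLOPT_BUFFERSIZE either left unset or set below 65541. */
int app_is_exposed(const char *version, const char *proxy_url,
                   int buffersize_set, long buffersize)
{
    if (version_is_affected(version) != 1) return 0;
    if (!proxy_uses_socks5h(proxy_url)) return 0;
    return (!buffersize_set || buffersize < SAFE_BUFFER_THRESHOLD) ? 1 : 0;
}

/* Exposure for the curl command-line tool, which uses a 100 kB buffer by
 * default: only a user-supplied --limit-rate below 65541 bytes/second
 * (0 here means "not set") shrinks it into the vulnerable range. */
int curl_tool_is_exposed(const char *version, const char *proxy_url,
                         long limit_rate)
{
    if (version_is_affected(version) != 1) return 0;
    if (!proxy_uses_socks5h(proxy_url)) return 0;
    return (limit_rate > 0 && limit_rate < SAFE_BUFFER_THRESHOLD) ? 1 : 0;
}

/* First non-empty proxy variable among those curl honours; the precedence
 * order here is a simplification for this example. */
const char *proxy_from_env(void)
{
    static const char *const names[] = {
        "all_proxy", "ALL_PROXY", "http_proxy", "https_proxy", "HTTPS_PROXY"
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *v = getenv(names[i]);
        if (v && *v) return v;
    }
    return NULL;
}

int main(void)
{
    /* Constructed inputs standing in for what a fleet inventory would collect. */
    const char *version = "8.3.0";
    const char *proxy = proxy_from_env();
    if (!proxy) proxy = "socks5h://proxy.example:1080";
    printf("libcurl %s affected:   %d\n", version, version_is_affected(version));
    printf("app, buffer unset:     exposed=%d\n", app_is_exposed(version, proxy, 0, 0));
    printf("app, buffer 102400:    exposed=%d\n", app_is_exposed(version, proxy, 1, 102400));
    printf("curl --limit-rate 10k: exposed=%d\n", curl_tool_is_exposed(version, proxy, 10240));
    return 0;
}
```

Run it with a real proxy variable set, for example `all_proxy=socks5h://proxy.example:1080 ./audit`, to exercise the environment path; any of the three conditions failing is enough for the audit to report no exposure, which matches the advisory's "only possible when all of these hold" framing.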

A full report about this vulnerability has been published by curl, providing detailed information about the exploitation, the parameters involved, and other details.

Users of curl and libcurl are advised to upgrade to the latest version, 8.4.0, to prevent this vulnerability from being exploited by threat actors.

Source credit : cybersecuritynews.com
