A double free vulnerability (CVE-2022-42915) in curl, affecting releases 7.77.0 through 7.85.0 and fixed in 7.86.0, has put many users at risk. This post takes an in-depth look at the flaw, with a code snippet illustrating the faulty error path and links to the original references, so that users can understand the issue and take the steps needed to mitigate it.

The Issue

curl, a popular command-line tool and library for transferring data with URLs, has been found to contain a double free vulnerability when an HTTP proxy is used for non-HTTP(S) URL transfers. Affected versions are curl 7.77.0 up to and including 7.85.0; the fix shipped in 7.86.0.

The problem arises when curl issues a CONNECT request to the proxy, expecting the proxy to set up the connection to the remote server and tunnel the rest of the protocol through. If the proxy refuses the request (typically because of port restrictions), it returns a non-200 status code to the client. curl's error and cleanup handling in that situation was flawed and could release the same memory twice: a double free. The bug is reachable with the following URL schemes: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, and telnet.

Code Snippet: Flawed Error/Cleanup Handling

The snippet below is illustrative of the error path, not a verbatim copy of the curl source; the exact change is in the fix commit referenced later.

result = Curl_proxy_connect(conn, sockfd);
if(!result)
  result = tunnel_callback(conn, conn->http_proxy.proxytype, tunnel_connecting);
if(result) {
  /* We got an error back from CONNECT. This proxy wouldn't let the target
   * protocol pass as a tunnel. Fail and disconnect.
   */
  if(sockfd != CURL_SOCKET_BAD)
    Curl_closesocket(/* parameters */);

  /* Cleanup performed on this error path. The generic connection teardown
   * that runs afterwards releases the same state a second time.
   */
  /* ----- MISSING CODE ----- */

  return CURLE_COULDNT_CONNECT;
}

In the snippet above, result holds the outcome of the CONNECT request to the proxy. On a non-200 answer the socket is closed and the error path releases connection state, but it does not leave the connection in a shape that the later, generic teardown recognizes as already cleaned up. The teardown therefore releases the same allocation again, and that second release is the double free.
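To make the ownership mistake concrete, here is a small self-contained model of the two cleanup paths, written for this post. It is not curl code: the structures and function names (tunnel_state, connectdata, proxy_connect_flawed, proxy_connect_fixed, conn_disconnect, tracked_free) are hypothetical stand-ins, and the proxy status is constructed input. The instrumented release counts a second free of the same pointer instead of passing it to free(), so the flawed path can be observed without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented release (hypothetical helper, not a curl API). A second
 * tracked_free() of the same pointer is counted rather than handed to
 * free(), which is what would corrupt the heap in the real bug. */
#define MAX_TRACKED 16
static void *g_tracked[MAX_TRACKED];
static int g_tracked_n = 0;
static int g_double_frees = 0;

static void tracked_free(void *p)
{
    int i;
    if(!p)
        return;
    for(i = 0; i < g_tracked_n; i++) {
        if(g_tracked[i] == p) {
            g_double_frees++;      /* a real free() here is the CVE */
            return;
        }
    }
    if(g_tracked_n < MAX_TRACKED)
        g_tracked[g_tracked_n++] = p;
    free(p);
}

static void tracked_reset(void)
{
    g_tracked_n = 0;
    g_double_frees = 0;
}

/* Simplified stand-ins for curl's per-connection state (hypothetical). */
struct tunnel_state {
    const char *remote_host;
    int remote_port;
};

struct connectdata {
    struct tunnel_state *tunnel;   /* owned by the connection */
    int proxy_status;              /* constructed: status the proxy answers */
};

/* Flawed CONNECT handling: on a non-200 answer the error path releases the
 * tunnel state but leaves conn->tunnel dangling. */
static int proxy_connect_flawed(struct connectdata *conn)
{
    if(conn->proxy_status != 200) {
        tracked_free(conn->tunnel);
        return -1;                 /* CURLE_COULDNT_CONNECT in curl terms */
    }
    return 0;
}

/* Fixed handling: release and clear, so ownership ends exactly once and
 * the teardown sees NULL. */
static int proxy_connect_fixed(struct connectdata *conn)
{
    if(conn->proxy_status != 200) {
        tracked_free(conn->tunnel);
        conn->tunnel = NULL;
        return -1;
    }
    return 0;
}

/* Generic teardown that runs for every connection, success or failure. */
static void conn_disconnect(struct connectdata *conn)
{
    tracked_free(conn->tunnel);    /* second release if the pointer dangles */
    conn->tunnel = NULL;
}

/* Runs one transfer attempt and returns the number of double frees seen.
 * proxy_status 403 models a proxy that refuses the CONNECT. */
static int run_transfer(int (*connect_fn)(struct connectdata *), int proxy_status)
{
    struct connectdata conn;
    int rc;
    tracked_reset();
    memset(&conn, 0, sizeof(conn));
    conn.proxy_status = proxy_status;
    conn.tunnel = malloc(sizeof(*conn.tunnel));
    if(!conn.tunnel)
        return -1;
    conn.tunnel->remote_host = "dict.example";   /* constructed target */
    conn.tunnel->remote_port = 2628;

    rc = connect_fn(&conn);        /* -1 when the proxy refuses CONNECT */
    conn_disconnect(&conn);        /* teardown runs regardless of rc */
    (void)rc;
    return g_double_frees;
}

int main(void)
{
    printf("flawed, proxy 403: %d double free(s)\n", run_transfer(proxy_connect_flawed, 403));
    printf("fixed,  proxy 403: %d double free(s)\n", run_transfer(proxy_connect_fixed, 403));
    printf("flawed, proxy 200: %d double free(s)\n", run_transfer(proxy_connect_flawed, 200));
    return 0;
}
```

The point the model makes is that the 200 path and the error path must leave the connection in a state the shared teardown can interpret. Whichever path releases a resource has to mark it released (here by clearing the pointer); otherwise the same allocation reaches free() twice, and with a real allocator that is heap corruption rather than a counter increment.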

Original References & Exploit Details

The vulnerability was fixed by the curl project, whose maintainer Daniel Stenberg published the advisory; the reporter is credited there. For further details on CVE-2022-42915, refer to the following links:

1. Original curl Security Advisory: https://curl.se/docs/security/CVE-2022-42915.html
2. curl GitHub commit that fixes the issue: https://github.com/curl/curl/commit/e26c8b5918d2f5a47d2df95dee5eb9d5a066dadb

It is important to note that triggering this vulnerability requires curl to be configured to use an HTTP proxy, the transfer to use one of the affected schemes, and the proxy to answer the CONNECT with a non-200 status. An attacker who controls the proxy, or who can influence the URL handed to a curl that goes through a restrictive proxy, can arrange all three, but the combination is uncommon, so the likelihood of a successful attack is relatively low.

Mitigation

1. Upgrade curl to 7.86.0 or later.
2. If you cannot upgrade, apply the fix commit linked above to your local build.
3. Until then, do not use an HTTP proxy for transfers with the affected schemes (dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet), and verify the trustworthiness of any HTTP proxy used for curl transfers.

By following these steps, users can reduce the risk associated with CVE-2022-42915 and protect their systems from potential attacks.
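For step 1, the following triage helper, added for this post and not part of curl, parses the first line of `curl --version` output and reports whether the version falls in the affected range 7.77.0 to 7.85.0 inclusive. The banner strings in the test are constructed examples; the function names are the author's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct curl_version {
    int major, minor, patch;
};

/* Parses the leading "curl X.Y.Z" from the first line of `curl --version`.
 * Returns 0 on success, -1 if the banner does not start that way.
 * A suffix such as "-DEV" after the patch number is tolerated. */
static int parse_curl_banner(const char *banner, struct curl_version *v)
{
    const char *p = banner;
    char *end;

    if(strncmp(p, "curl ", 5) != 0)
        return -1;
    p += 5;

    v->major = (int)strtol(p, &end, 10);
    if(end == p || *end != '.')
        return -1;
    p = end + 1;

    v->minor = (int)strtol(p, &end, 10);
    if(end == p || *end != '.')
        return -1;
    p = end + 1;

    v->patch = (int)strtol(p, &end, 10);
    if(end == p)
        return -1;
    return 0;
}

/* Three-way comparison of a parsed version against major.minor.patch. */
static int version_cmp(const struct curl_version *a, int maj, int min, int pat)
{
    if(a->major != maj)
        return a->major < maj ? -1 : 1;
    if(a->minor != min)
        return a->minor < min ? -1 : 1;
    if(a->patch != pat)
        return a->patch < pat ? -1 : 1;
    return 0;
}

/* 1 = version in the affected range (7.77.0 <= v <= 7.85.0),
 * 0 = outside the range, -1 = banner could not be parsed. */
static int affected_by_cve_2022_42915(const char *banner)
{
    struct curl_version v;
    if(parse_curl_banner(banner, &v) != 0)
        return -1;
    return version_cmp(&v, 7, 77, 0) >= 0 && version_cmp(&v, 7, 85, 0) <= 0;
}

int main(void)
{
    /* Constructed banner, in the shape `curl --version` prints. */
    const char *banner = "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2";
    printf("%s -> affected=%d\n", banner, affected_by_cve_2022_42915(banner));
    return 0;
}
```

A version check like this is necessary but not sufficient: distributions frequently backport the fix commit without bumping the version number, so a result of 1 means "check the package changelog", while a result of 0 for 7.86.0 or later, or for anything older than 7.77.0, means the release was never affected.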

Timeline

Published on: 10/29/2022 20:15:00 UTC
Last modified on: 11/14/2022 15:16:00 UTC