A new security vulnerability identified as CVE-2023-28322 has recently been discovered in curl, a popular command-line tool and library for transferring data with URLs. This vulnerability poses a significant risk as it allows an attacker to potentially access sensitive information during HTTP(S) transfers. In this post, we will provide detailed information on the vulnerability, the related code snippets, links to original references, and an in-depth analysis of the exploit.

Vulnerability Details

The CVE-2023-28322 vulnerability is an information disclosure vulnerability that affects curl versions prior to v8.1 when performing HTTP(S) transfers. When using libcurl, the library might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set.

This problem occurs if the same handle was previously used to issue a PUT request which used the read callback. As a result, the application might misbehave due to the flaw, causing it to send incorrect data or use memory after it was freed, leading to errors in the second transfer. The vulnerability specifically affects the logic of a reused handle when it is expected to change from a PUT to a POST request.

Here's an example demonstrating how the CVE-2023-28322 vulnerability could occur:

// Application code with curl library (the vulnerable handle-reuse pattern)
#include <string.h>
#include <curl/curl.h>
// Read callback for the PUT: copies the whole body (userdata) into libcurl's buffer
static size_t read_callback(char *buf, size_t size, size_t nitems, void *userdata)
{
    size_t len = strlen((const char *)userdata);
    if (len > size * nitems)
        len = size * nitems;
    memcpy(buf, userdata, len);
    return len;
}

int main(void)
{
    const char *upload = "uploaded file contents";
    CURL *curl_handle = curl_easy_init();

    // Setting the read callback for a PUT request
    curl_easy_setopt(curl_handle, CURLOPT_URL, "https://example.com/put");
    curl_easy_setopt(curl_handle, CURLOPT_UPLOAD, 1L);
    curl_easy_setopt(curl_handle, CURLOPT_READFUNCTION, read_callback);
    curl_easy_setopt(curl_handle, CURLOPT_READDATA, (void *)upload);
    curl_easy_setopt(curl_handle, CURLOPT_INFILESIZE_LARGE, (curl_off_t)strlen(upload));
    // Perform the PUT request
    curl_easy_perform(curl_handle);

    // After this request, the handle is reused for a POST request
    curl_easy_setopt(curl_handle, CURLOPT_URL, "https://example.com/post");
    curl_easy_setopt(curl_handle, CURLOPT_POSTFIELDS, "field=value");
    CURLcode res = curl_easy_perform(curl_handle);
    curl_easy_cleanup(curl_handle);
    return res == CURLE_OK ? 0 : 1;
}

In the above code, read_callback is installed for the PUT request. When the same handle is reused for the POST request, CURLOPT_POSTFIELDS is set and read_callback should no longer be used. Because of the vulnerability, read_callback is still called, so the wrong data is sent (and, since CURLOPT_READDATA may by then point at memory the application has released, the transfer can also read freed memory).

Original References

The vulnerability was first reported by Daniel Stenberg, a curl developer. The following links provide more information on the issue:

- CVE Identifier
- Curl Security Advisory
- GitHub Commit Fixing the Issue

Exploit Details

In order to exploit the CVE-2023-28322 vulnerability, an attacker needs to have control over the affected application or be able to influence the input provided to the read_callback function. By doing so, they can gain access to sensitive information that should not be available.

An example of an exploit scenario could be a web application that allows users to upload files to a server via a PUT request and subsequently post a form with user data via a POST request. Due to the vulnerability, the contents of the previously uploaded file might be sent instead of the user data when using the same curl handle, leading to an information disclosure.

To safeguard against this vulnerability, users and developers should upgrade to curl v8.1 or later, which contains the patch that fixes the issue. Furthermore, it is advised to closely review applications using libcurl that issue PUT and then POST requests on the same handle, to ensure that upload-related callbacks and options are explicitly cleared before the handle is reused.

Timeline

Published on: 05/26/2023 21:15:00 UTC
Last modified on: 06/16/2023 16:40:00 UTC