CVE-2023-38545: Curl Heap Buffer Overflow Vulnerability in SOCKS5 Proxy Handshake

A high-severity vulnerability (CVE-2023-38545, rated HIGH by the curl project; NVD scores it 9.8, Critical) has been found in the SOCKS5 proxy handshake code of curl and libcurl. When curl is asked to let the SOCKS5 proxy resolve the target hostname, a too-long hostname can be copied into a heap buffer that is too small for it. The bug affects libcurl 7.69.0 through 8.3.0 and is fixed in 8.4.0. An attacker who controls the URL curl connects to (for example through an HTTP redirect) can trigger the overflow to crash the process or potentially execute arbitrary code. This post describes the flaw, the conditions under which it is triggered, and provides links to the original references for further reading.

Description of the vulnerability

When curl connects through a SOCKS5 proxy and is asked to let the proxy resolve the hostname (a socks5h:// proxy, or CURLPROXY_SOCKS5_HOSTNAME in libcurl), the hostname is sent inside the SOCKS5 CONNECT request. The SOCKS5 protocol (RFC 1928) encodes the name length in a single byte, so a hostname sent this way can be at most 255 bytes long. If the hostname is longer than that, curl is supposed to fall back to resolving the name locally and send only the resolved IP address to the proxy.

The decision is kept in a local variable inside the function that runs the SOCKS5 handshake. That function is a state machine: it is called repeatedly, and it returns to its caller whenever it has to wait for the proxy to answer. The "too long, resolve locally" override is applied only in the handshake's initial state. With a fast proxy the whole handshake completes within one call and the override holds. With a slow proxy the function returns to wait, and on re-entry the local variable is re-initialised to "let the proxy resolve"; the override belongs to a state that has already been passed and is never applied again. The request-building step then copies the full hostname into the target buffer instead of the resolved address. That buffer is curl's download buffer, sized by CURLOPT_BUFFERSIZE (16 kB by default in libcurl, 100 kB in the curl command-line tool), while curl's URL parser accepts hostnames of up to 65535 bytes, so a hostname longer than the buffer overflows it on the heap.

The following sketch shows the shape of the affected code in curl's lib/socks.c (simplified and abbreviated from do_SOCKS5(); not a verbatim excerpt):

// lib/socks.c, do_SOCKS5() -- simplified, not a verbatim excerpt
static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
                               struct socks_state *sx,
                               struct Curl_easy *data)
{
  struct connectdata *conn = cf->conn;
  // Local variable, re-initialised from the proxy type on EVERY call:
  // FALSE for socks5h:// (the proxy resolves the name)
  bool socks5_resolve_local =
    (conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;
  const size_t hostname_len = strlen(sx->hostname);
  unsigned char *socksreq = (unsigned char *)data->state.buffer; // target buffer
  // ...
  switch(sx->state) {
  case CONNECT_SOCKS_INIT:
    // RFC 1928 allows one length byte, so the name must fit in 255 bytes
    if(!socks5_resolve_local && hostname_len > 255) {
      infof(data, "SOCKS5: server resolving disabled for hostnames of "
            "length > 255 [actual len=%zu]", hostname_len);
      socks5_resolve_local = TRUE;  // the override exists only in this state
    }
    // ... send the greeting, then wait for the proxy's reply. With a slow
    // proxy the function returns here and is re-entered later with sx->state
    // past CONNECT_SOCKS_INIT, so the override is never applied again.
  // ...
  case CONNECT_REQ_INIT:
    // ...
    if(socks5_resolve_local) {
      // ... copy the 4- or 16-byte locally resolved address
    }
    else {
      socksreq[len++] = 3;                   // ATYP: domain name
      socksreq[len++] = (char) hostname_len; // length byte, silently truncated
      memcpy(&socksreq[len], sx->hostname, hostname_len); // heap overflow
      len += hostname_len;
    }
    // ...
  }
}

Two things combine here. socks5_resolve_local is a local variable, rebuilt from the proxy type on every entry, and the only place it is overridden for an over-long hostname is the CONNECT_SOCKS_INIT state. When the proxy answers slowly, the function returns to wait and is re-entered in a later state, so the override is skipped, socks5_resolve_local is FALSE again, and CONNECT_REQ_INIT copies the full hostname into socksreq with memcpy(). The length byte is truncated to a char, but the copy is not, so a hostname longer than the target buffer overruns it. The fix in curl 8.4.0 replaces the silent switch to local resolution with an error: a hostname longer than 255 bytes with remote resolution requested now fails the transfer instead.
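As an added example (this is not curl's code), here is a self-contained C model of the state machine described above, covering both the 7.69.0-8.3.0 behaviour and the 8.4.0 fix. All names (socks5_model, socks5_step, socks5_demo and the SOCKS5_* constants) are this example's own, the proxy is simulated by a "ready" flag rather than a socket, and the overflow is recorded instead of performed so the program stays memory-safe. It shows that the same over-long hostname is harmless with a fast proxy, overruns the 16 kB buffer with a slow one, and is rejected up front by the fixed logic.

```c
// Added example: a model of the do_SOCKS5() state machine, not curl's code.
// Names starting socks5_ / SOCKS5_ are this example's own.
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_MAX_NAME 255    // RFC 1928: a single length byte for the domain name
#define SOCKS5_BUFSIZE  16384  // libcurl's default CURLOPT_BUFFERSIZE (the curl tool uses 100 kB)

enum socks5_state  { SOCKS5_INIT, SOCKS5_AUTH_WAIT, SOCKS5_REQ_SEND };
enum socks5_result { SOCKS5_DONE, SOCKS5_BLOCKED, SOCKS5_TOO_LONG };

struct socks5_model {
    enum socks5_state state;            // persists across calls, like sx->state
    bool fixed;                         // true: 8.4.0 logic, false: 7.69.0-8.3.0 logic
    bool remote_resolve;                // true for socks5h://, false for socks5://
    unsigned char req[SOCKS5_BUFSIZE];  // stand-in for curl's target buffer
    bool overflowed;                    // recorded instead of writing past req[]
};

static void socks5_model_init(struct socks5_model *m, bool fixed, bool remote_resolve)
{
    memset(m, 0, sizeof(*m));
    m->state = SOCKS5_INIT;
    m->fixed = fixed;
    m->remote_resolve = remote_resolve;
}

// One pass through the handshake, resumed from m->state. proxy_ready says
// whether the proxy's reply has arrived; if not, the caller calls again later.
static enum socks5_result socks5_step(struct socks5_model *m, const char *hostname,
                                      bool proxy_ready)
{
    const size_t hostname_len = strlen(hostname);
    // The flag from the advisory: a LOCAL variable, rebuilt from the proxy
    // type on every call and not remembered between calls.
    bool resolve_local = !m->remote_resolve;

    if (m->state == SOCKS5_INIT) {
        if (!resolve_local && hostname_len > SOCKS5_MAX_NAME) {
            if (m->fixed)
                return SOCKS5_TOO_LONG;  // 8.4.0: fail instead of switching silently
            resolve_local = true;        // pre-8.4.0: override, but only in this state
        }
        m->state = SOCKS5_AUTH_WAIT;     // greeting sent, wait for the proxy
    }

    if (m->state == SOCKS5_AUTH_WAIT) {
        if (!proxy_ready)
            return SOCKS5_BLOCKED;       // slow proxy: return; resolve_local is lost
        m->state = SOCKS5_REQ_SEND;
    }

    // SOCKS5_REQ_SEND: build the CONNECT request (VER, CMD, RSV, ATYP, ...).
    size_t len = 4;
    if (resolve_local) {
        m->req[3] = 1;                   // ATYP: IPv4, a pretend locally resolved address
        memset(m->req + len, 0, 4);
        len += 4;
    }
    else {
        m->req[3] = 3;                   // ATYP: domain name
        m->req[len++] = (unsigned char)hostname_len;  // length byte, truncated like curl's
        if (len + hostname_len > sizeof(m->req)) {
            m->overflowed = true;        // the memcpy() that overruns the heap in real curl
            return SOCKS5_DONE;
        }
        memcpy(m->req + len, hostname, hostname_len);
        len += hostname_len;
    }
    (void)len;
    return SOCKS5_DONE;
}

// Runs a full handshake for a constructed hostname of name_len 'a' characters.
// Returns 0 = request built and fits, 1 = the copy overran the buffer,
// 2 = rejected by the 8.4.0 check, -1 = name too long for this demo.
int socks5_demo(bool fixed, bool remote_resolve, bool slow_proxy, size_t name_len)
{
    static char name[65536];             // curl's URL parser caps hostnames at 65535 bytes
    if (name_len >= sizeof(name))
        return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';

    struct socks5_model m;
    socks5_model_init(&m, fixed, remote_resolve);
    enum socks5_result r = socks5_step(&m, name, !slow_proxy);
    if (r == SOCKS5_BLOCKED)
        r = socks5_step(&m, name, true); // the proxy finally answered: re-entry
    if (r == SOCKS5_TOO_LONG)
        return 2;
    return m.overflowed ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, socks5h, slow proxy, 20000-byte name:  %d\n",
           socks5_demo(false, true, true, 20000));   // 1: overflow
    printf("vulnerable, socks5h, fast proxy, 20000-byte name:  %d\n",
           socks5_demo(false, true, false, 20000));  // 0: switched to local resolve
    printf("vulnerable, socks5h, slow proxy, 300-byte name:    %d\n",
           socks5_demo(false, true, true, 300));     // 0: fits, but wrong length byte
    printf("fixed 8.4.0, socks5h, slow proxy, 20000-byte name: %d\n",
           socks5_demo(true, true, true, 20000));    // 2: rejected up front
    return 0;
}
```

The 300-byte case is worth noting: it does not overflow the default buffer, so it neither crashes nor gets caught by a sanitizer, but the request that goes on the wire still carries a truncated length byte. Only a hostname longer than the configured buffer turns the bug into memory corruption, which is why the buffer size (16 kB versus 100 kB) matters for exploitability.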

For more information on this vulnerability, please refer to the following resources:

1. Curl Security Advisory: CVE-2023-38545 (https://curl.se/docs/CVE-2023-38545.html)
2. Curl GitHub Repository: https://github.com/curl/curl

Conclusion

CVE-2023-38545 is a high-severity flaw in curl and libcurl 7.69.0 through 8.3.0 that leads to a heap buffer overflow when a SOCKS5 proxy is asked to resolve an over-long hostname and answers slowly. Upgrade to curl 8.4.0 or later, where the silent switch to local resolution is replaced by a hard error. Until then, do not use socks5h:// proxies (CURLPROXY_SOCKS5_HOSTNAME) for URLs you do not control, including URLs reached by following redirects. Remember that libcurl is embedded in many other programs, so check each of them rather than only the curl binary on your path.

Timeline

Published on: 10/18/2023 04:15:00 UTC
Last modified on: 10/28/2023 03:15:00 UTC