CVE-2023-38545: Heap overflow vulnerability in curl (SOCKS 5)
Table of Contents
The vulnerability CVE-2023-38545 affects curl, a command line tool and software library used to transfer data to and from a server
On October 11th, 2023 the curl development team has reported a heap buffer overflow vulnerability, classified as High, affecting the handshake in the SOCKS5 proxy component. This vulnerability was reported by Jay Satiro via the HackerOne platform on September 30, 2023.
Curl is a command-line tool and library used to transfer data to or from a server using various network protocols, including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, LDAP, and more. The name cURL stands for Client for URLs, which indicates its primary function: to act as a client for accessing resources via URLs.
What is the vulnerability?
The CVE-2023-38545 vulnerability is located in the handshake of SOCKS5 proxy connections of curl.
SOCKS5 has two different modes of name resolution. Either the client resolves the hostname locally and passes the destination as a resolved address, or the client passes the full hostname to the proxy and lets the proxy itself resolve the host remotely. When the proxy is in charge of resolving the name, it is limited to 255 bytes.
However, if the hostname character string is longer than 255 bytes, curl switches to local name resolution and instead passes on the resolved address only to the proxy. Due to a bug, the local variable meaning «let host resolve the name» could get the wrong value during a slow SOCKS5 handshake, and erroneously copy the too long hostname to the destination buffer instead of copying only the resolved address.
Then, curl will create a protocol framebuffer, where the hostname is memory copied, allowing a buffer overflow to occur on the heap. By default, the framebuffer is 16Kb, although this size is modifiable. For example, the curl CLI tool has it set to 100Kb (although it is possible to modify it using the parameter:
--limit-rate parameter
To exploit it, an attacker could deploy a malicious HTTPS server, which would make a 30X redirect to a URL whose hostname size was between 16Kb and 64kB. If a victim was connected via some application using libcurl through a SOCKS5 proxy (using proxy-resolver mode), and the SOCKS5 proxy was slow enough to cause the local variable bug, this exploit would be possible. The exploit would also be possible if this parameter is set to 64Kb or less:
--limit-rate
This bug was introduced on February 14, 2020, when converting the SOCKS5 handshake code from a blocking function to a non-blocking state machine.
Key features of CVE-2023-38545 vulnerability
The following are the key features of the vulnerability:
- CVE: CVE-2023-38545
- Publication date: 11/10/2023
- Affected software: curl and libcurl.
- CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
- Affected Versions: Version 7.69.0 up to 8.3.0 (this one included)
Mitigation & Vulnerability Solution
The main solution is to urgently update the mentioned libraries and tools. The vulnerability has been fixed since version 8.4.0.
Additionally, the following tips are recommended:
- Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl.
- Do not set a proxy environment variable to socks5h://
Vulnerability detection
The details of the vulnerability are complex, so it is recommended to rely on the updates provided by the developers. Applications and systems that make use of these tools and libraries should be version-checked to verify that they have the same or a higher version than 8.4.0.
As part of its emerging vulnerability service, Tarlogic proactively monitors its customers’ perimeter to report, detect and urgently notify the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.