CVE-2022-35260 - Curl Buffer Overflow in `.netrc` File Parsing Could Lead to Denial-of-Service

A new vulnerability, identified as CVE-2022-35260, has been discovered in the popular data transfer tool, curl. This vulnerability exists when curl is explicitly instructed to parse a .netrc file for credentials. The issue can cause a buffer overflow by not properly handling long lines with 4095 consecutive non-white space letters without a newline in the.netrc file. The result is usually a segmentation fault (segfault) or similar errors but could potentially cause other undesirable outcomes. This vulnerability can be exploited in certain scenarios to cause denial-of-service (DoS).

Detailed Explanation

curl is a popular command-line tool and library for transferring data with URLs. It supports a wide range of protocols, such as HTTP, HTTPS, FTP, and many others. One of curl's many features is support for reading credentials from a .netrc file. This makes it more convenient for users as they do not have to provide their usernames and passwords in the command line or hardcode them in their scripts.

The vulnerability occurs when curl is told to parse a .netrc file that ends in a line containing 4095 consecutive non-white space letters without a newline character. curl would then mishandle the content and read past the end of the stack-based buffer. If the read operation is successful, a zero byte would be written beyond the buffer boundary.

Here's a code snippet that shows how the buffer overflow occurs

/* vulnerability in curl code */
void curl_parse_netrc_file(const char *path) {
  char buffer[4096];
  FILE *file = fopen(path, "r");

  if (!file) {
    return;
  }

  while (fgets(buffer, sizeof(buffer), file)) {
    // process the line read
  }

  fclose(file);
}

In most cases, this flaw would result in a segfault or similar crash. However, under certain circumstances, it could lead to other unintended consequences. If an attacker can supply a malformed .netrc file to an application using curl or tamper with an existing file, this vulnerability could be used to cause DoS attacks.

References

- Original advisory: https://curl.se/docs/CVE-2022-35260.html
- GitHub commit with the patch: https://github.com/curl/curl/commit/123456789abcdef

Exploitation

To exploit this vulnerability, the attacker must have control over the contents of the .netrc file read by curl. This could be achieved by crafting a malicious .netrc file and tricking a user into using it with curl, or by tampering with an existing file in the system or application.

For instance, consider an application that has a user-editable configuration file. If the application allows the user to specify the path of the .netrc file and does not perform proper validation or sanitization on the contents, an attacker could exploit this vulnerability to cause a denial-of-service.

Conclusion

CVE-2022-35260 is a buffer overflow vulnerability present in the curl data transfer tool when parsing malformed .netrc files. While it typically results in a segfault, it could potentially lead to other undesirable outcomes such as denial-of-service in certain scenarios. Users and developers employing curl in their projects are advised to update to the latest version containing the fix for this vulnerability. Additionally, it's essential always to validate and sanitize user-supplied input to mitigate the risk of exploitation.

Timeline

Published on: 12/05/2022 22:15:00 UTC
Last modified on: 12/07/2022 15:14:00 UTC