CVE-2022-43552: Use-After-Free Vulnerability in Curl - A Deep Dive into the Exploit

Curl is a widely-used command line tool and library for transferring data with URLs, supporting multiple protocols like HTTP, HTTPS, FTP, SMTP, and more. The curl library is also embedded within many software applications and libraries, making it a crucial part of the modern web ecosystem.

In this post, we will take a detailed look at CVE-2022-43552, a use-after-free vulnerability in curl versions prior to 7.87. This vulnerability stems from curl's ability to tunnel virtually all supported protocols through an HTTP proxy, and from the way it handles an HTTP proxy that denies tunneling specific protocols, in this case SMB and TELNET. We will examine the details of the flaw, walk through a code snippet that illustrates the problem, and provide links to the original references for further investigation.

Exploit Details

A use-after-free vulnerability occurs when a program continues using a memory object after it has been freed, which can lead to undefined behavior, crashes, or potentially being exploited by an attacker. In the case of CVE-2022-43552, the issue arises when curl tries to tunnel SMB or TELNET protocols through an HTTP proxy server that denies such requests.

When curl sends a CONNECT request to an HTTP proxy, it expects a 200 status code in response, indicating that the proxy has successfully established a connection to the target server. However, when the proxy denies the tunnel operation for the SMB or TELNET protocols, it might return a different status code (such as 403) that curl must handle gracefully.

In its transfer shutdown code path, curl would use a heap-allocated struct after it had been freed, leading to the use-after-free vulnerability. This could potentially be exploited by an attacker to execute arbitrary code.

A simplified code snippet demonstrating the vulnerable pattern follows:

void conn_shutdown(struct connectdata *conn) {
  if (conn->http_proxy.denied) {
    free(conn->data);
    // conn->data is now a dangling pointer: freed, but never set to NULL
  }
  ...
  // The struct is still used after it has been freed
  perform_cleanup(conn->data);
}

In the conn_shutdown() function, conn->data is a pointer to a heap-allocated struct. When the HTTP proxy denies the tunnel operation, this pointer is freed, but not set to NULL. Later in the code, the perform_cleanup() function is called using the same dangling pointer, leading to the use-after-free vulnerability.
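As an added example (not curl's code, and not the post's snippet), the following models the same conn_shutdown() path with the ordering corrected: the per-transfer cleanup runs before the single free(), and the owning pointer is cleared afterwards. The struct layouts, the CONNECT status-line parser and the function names are assumptions chosen to mirror the post's simplified snippet.

```c
#include <stdio.h>
#include <stdlib.h>
/* Added example modelling the post's simplified conn_shutdown(): these
   struct and function names are assumptions, not curl's real definitions. */
struct transfer_data { int cleaned_up; };
struct http_proxy_state { int denied; };
struct connectdata {
  struct http_proxy_state http_proxy;
  struct transfer_data *data;   /* heap-allocated, owned by the connection */
};

/* Parse the status line of the proxy's reply to CONNECT, for example
   "HTTP/1.1 403 Forbidden"; returns the status code or -1 if malformed. */
int parse_connect_status(const char *status_line) {
  int status;
  if (sscanf(status_line, "HTTP/%*d.%*d %3d", &status) != 1) return -1;
  return status;
}

/* Any reply other than 200 means the proxy refused to build the tunnel. */
void handle_connect_reply(struct connectdata *conn, const char *status_line) {
  conn->http_proxy.denied = (parse_connect_status(status_line) != 200);
}

static void perform_cleanup(struct transfer_data *d) {
  if (d) d->cleaned_up = 1;     /* stands in for per-transfer teardown */
}

/* Hardened shutdown: every use of conn->data happens before the single free(),
   and the owning pointer is cleared so later code (or a second call) sees NULL
   instead of freed memory. Returns 1 if it freed, 0 if there was nothing to do. */
int conn_shutdown(struct connectdata *conn) {
  if (!conn->data) return 0;
  perform_cleanup(conn->data);  /* use-before-free, never after */
  free(conn->data);
  conn->data = NULL;            /* no dangling pointer survives */
  return 1;
}

/* Drives the proxy-denied path end to end with a constructed status line;
   returns 1 if teardown ran exactly once and left no dangling pointer. */
int denied_tunnel_scenario(const char *status_line) {
  struct connectdata *conn = calloc(1, sizeof *conn);
  if (!conn) return 0;
  conn->data = calloc(1, sizeof *conn->data);  /* NULL is handled by shutdown */
  handle_connect_reply(conn, status_line);
  int denied = conn->http_proxy.denied;
  int first = conn_shutdown(conn), cleared = (conn->data == NULL);
  int second = conn_shutdown(conn);
  free(conn);
  return denied && first == 1 && cleared && second == 0;
}
```

Building with AddressSanitizer (-fsanitize=address) is the quickest way to confirm that a shutdown path like the original one touches freed memory, since the sanitizer reports the exact free and use sites.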

References

Here is a list of original references to help you dive deeper into the vulnerability and understand the technical details behind it:

1. Official curl Security Advisory: https://curl.se/docs/CVE-2022-43552.html
2. curl GitHub Repository: https://github.com/curl/curl
3. Commit that fixed the vulnerability: https://github.com/curl/curl/commit/7cf1d057d39315d979aabaa11f1b541571a026b3
4. CWE-416, Use After Free: https://cwe.mitre.org/data/definitions/416.html

Conclusion

CVE-2022-43552 is a use-after-free vulnerability in curl when tunneling SMB or TELNET protocols through an HTTP proxy that denies such requests. To mitigate the issue, users are advised to update their curl installations to version 7.87 or later. Keeping software up to date is vital for ensuring systems remain secure and free from known vulnerabilities. Always monitor security advisories for software you use and promptly update whenever necessary.

Timeline

Published on: 02/09/2023 20:15:00 UTC
Last modified on: 03/28/2023 05:15:00 UTC