CVE-2023-27534 - Path Traversal Flaw in curl’s SFTP Implementation (Explained)

---

Summary:  
This post explains CVE-2023-27534, a security vulnerability found in curl’s SFTP implementation (versions less than 8..). This bug lets attackers use the tilde (~) character in specific ways to bypass restrictions and potentially access or run files they shouldn’t. We’ll break down what went wrong, how attackers can use it, and show you real code snippets to understand the scope of the issue.

What is curl?

curl is a widely-used command line tool for transferring data over various protocols (HTTP, SFTP, etc.). It's used everywhere — by system admins, scripts, developers, and even embedded in programs.

About the Bug (CVE-2023-27534)

A core feature of SFTP (SSH File Transfer Protocol) in curl is to let users specify file paths on servers. Typically if you use ~/somefile, you'll access the somefile in your home folder on the remote machine.

What went wrong?

In curl versions before 8.., there was a mishandling of the tilde ~ character in SFTP URLs and file paths. curl tries to be smart with the ~ and replaces it with the path to the user's home directory. But there was a path traversal bug — because curl would replace a tilde even when it wasn’t supposed to.

The vulnerable scenario

- If you crafted a path like /~2/foo (note the / at the start and ~ not at the start), curl would still treat ~2 as someone’s home directory, even though this isn’t the proper behavior.
- This could allow attackers to trick curl into accessing directories they shouldn’t, bypassing filters set by the server or the application using curl.

curl < 8..

(See official advisory)

Exploitation Details

The bug can be abused in any situation where a curl user lets someone else set or influence the file path sent to an SFTP server.

Example Exploit Scenario

Suppose a web service lets users specify a file path over SFTP, but tries to restrict them to a subfolder. For example:

import subprocess

# Path is supposed to be under 'uploads/' only
user_input = input("Enter your desired filename: ")
base_path = "sftp://example.com/uploads/"
full_path = base_path + user_input

# Download file via SFTP
subprocess.run(["curl", full_path])

Let’s say the developer expects only files in /uploads/ to be accessed. An attacker could enter a path like:

~root/secretfile

or

/~2/foo

curl will treat the tilde-prefixed element as a home reference, possibly escaping the intended directory tree.

Command line sample (demonstration)

curl 'sftp://user@host/~2/etc/passwd'

Depending on the SFTP server's setup, this could let a user read files inside user2's home directory, even though that wasn't the developer's intention.

Why does this work?

The function in curl responsible for handling SFTP paths (sftp_parse_url_path) would replace ~* at any path component, not just at the *root* of the path. So /uploads/~2/secret would become /home/user2/secret, bypassing directory restrictions.

Vulnerable code (simplified illustration)

if(path[] == '~') {
   // Expand to home directory
   // ...
}

But, the code did not check if the tilde is at the very beginning of the whole path, not just a path component.

PoC (Proof-of-Concept) on Vulnerable curl

Suppose you have SFTP access as user alice on a server that has both alice and bob user accounts. When you run:

curl -u alice sftp://your.sftp.server/~bob/.ssh/authorized_keys

If the server does not have strict chroot or SFTP directory restrictions, and if the curl client is vulnerable, you may be able to grab files from bob's home you should not be able to.

You could also craft a web request or automate this via a script, similar to the Python example above.

Upgrade curl.

This was fixed in curl 8... Always use the latest version.

Validate user input.

Never trust user-supplied paths, especially ones that might allow directory traversal (like .., ~, etc.).

Harden your SFTP server.

Use chroot jails and set up strict access controls so users are confined to their directories, regardless of what client they use.

Official References

- CVE-2023-27534 Advisory
- curl Security Releases
- Technical blog by Daniel Stenberg

Conclusion

CVE-2023-27534 is a prime example of how a seemingly small logic bug (where a tilde ~ is interpreted too liberally) can escalate into a security vulnerability that puts your data at risk. If you use curl for SFTP transfers or expose SFTP file paths to others, patching is critical. Always sanitize paths, update dependencies, and be alert for edge cases like these in any software that parses file paths or user input.

Timeline

Published on: 03/30/2023 20:15:00 UTC
Last modified on: 04/20/2023 09:15:00 UTC