CVE-2023-46218 - How a Case-Sensitive Flaw in curl Opens the Door to Super Cookies

Date Published: 2024-06-05
Author: [Your Name]

Introduction

In today’s web world, cookies make things convenient but also pose serious risks if mishandled. A recently disclosed vulnerability in curl, tracked as CVE-2023-46218, shows how something as simple as letter case can be a security loophole. This bug lets a malicious HTTP server plant “super cookies” into curl clients, resulting in those cookies being sent to sites they shouldn't be sent to.

In this post, I’ll break down what CVE-2023-46218 is, why it’s dangerous, and how attackers can actually exploit it using a small amount of code. I'll keep the concepts simple so everyone can understand—even if you’re not a security pro.

What Is CVE-2023-46218?

This is a cookie security flaw found in curl before 8.4.. An attacker who controls a server response can set cookies using a mixed-case domain attribute. For example:

Set-Cookie: SESSIONID=evil; domain=co.UK

- The client (curl) is requesting http://curl.co.uk

Here, co.uk (all lowercase) is a listed public suffix in the Public Suffix List (PSL). But due to the bug, curl fails to properly match the mixed-case domain=co.UK against the PSL, and incorrectly accepts the cookie.

As a result: The “super cookie” is sent back to not just the intended site, but also any domain that shares the public suffix, essentially crossing boundaries between unrelated sites. This is a breach of the web’s same-origin policy.

Why Is This Dangerous?

- Data Leakage: Cookies can hold everything from authentication tokens to session IDs. If they’re shared beyond their intended scope, sensitive data can leak across domains.

Cross-Site Tracking: Malicious actors can track users across many domains.

- User Impersonation: Attackers could impersonate a user if the cookie is used for login sessions and gets sent to malicious servers.

Curl’s Flawed Cookie Domain Verification

Curl uses the Public Suffix List to prevent cookies from being set for high-level domains like .com, .uk, or .co.uk. However, curl’s logic was case-sensitive, so co.UK wasn't recognized as the same as co.uk.

Here’s a simplified code snippet to show how this bug could get triggered

import requests

# Attacker's payload: Set a cookie for "co.UK" with a super generic session
malicious_headers = {
    'Set-Cookie': 'SESSIONID=supercookie123; domain=co.UK'
}

# This simulates how a curl client might accept a malicious cookie
def accept_cookie(response_headers, requested_domain):
    cookie_domain = response_headers['Set-Cookie'].split('domain=')[1]
    # BAD: Case-sensitive comparison (vulnerable!)
    if cookie_domain in ['co.uk', '.co.uk']:
        print("Blocked as public suffix")
    else:
        print("Cookie accepted!")
        # Store/sends the cookie for all co.uk subdomains

accept_cookie(malicious_headers, 'curl.co.uk')
# Output: Cookie accepted! (when it should not be)

In reality, curl’s cookie domain validation was supposed to match domains case-insensitively, but failed to do so.

Step-by-Step Attack

1. Setup: Attacker controls HTTP server/set up a malicious endpoint.

Lure Victim: Victim uses curl to make a request to this server.

3. Set Super Cookie: The server sends a Set-Cookie with a mixed-case domain= attribute, like domain=co.UK.

Super Cookie Acceptance: Curl accepts the cookie and will send it to all .co.uk domains.

6. Cross-Site Cookie Leakage: When the victim uses curl (with stored cookies) to connect to another completely different .co.uk site, the super cookie is sent too.

Example Attack (Curl CLI)

# Attacker's server response:
#   Set-Cookie: SESSIONID=evil; domain=co.UK

curl -c cookies.txt http://malicious-attacker.fake

# Later the victim makes another request:
curl -b cookies.txt http://innocent-site.co.uk

# Result: SESSIONID=evil is sent to innocent-site.co.uk

References

- CVE-2023-46218
- Curl Security Advisory (supercookie)
- Public Suffix List
- curl GitHub Issue #12204 *(for technical discussion)*

Upgrade curl: The bug is fixed in curl 8.4.. Make sure you’re using this version or newer.

- Manual Patch: If you can’t upgrade, consider patching curl to do case-insensitive domain checks against PSL.
- Always validate cookies: Be careful when accepting cookies from unknown sources—especially in automation or scripting contexts.

Conclusion

Don’t let the simplicity fool you; CVE-2023-46218 is a prime example of how little details like letter casing can have big impacts on security. Always keep your tools updated, and understand how should-be-safe mechanisms like cookies can turn against you with one small oversight.

If you use curl in scripts, automation, or production, upgrade immediately—and stay safe out there!


*Feel free to share this post and help others be aware of subtle but dangerous security flaws like CVE-2023-46218.*

Timeline

Published on: 12/07/2023 01:15:07 UTC
Last modified on: 01/25/2024 14:15:26 UTC