CVE-2023-27534: SFTP path ~ resolving discrepancy
Project curl Security Advisory, March 20th 2023 - Permalink
VULNERABILITY
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering or worse.
We are not aware of any exploit of this flaw.
INFO
CVE-2023-27534 was introduced in commit ba6f20a244, shipped in curl 7.18.0.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.18.0 to and including 7.88.1
- Not affected versions: curl < 7.18.0 and curl >= 8.0.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
RECOMMENDATIONS
A - Upgrade curl to version 8.0.0
B - Apply the patch to your local version
C - Avoid using tilde in SFTP URL paths.
TIMELINE
This issue was reported to the curl project on March 5, 2023. We contacted distros@openwall on March 13, 2023.
curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg
Thanks a lot!