CVE-2023-27534

SFTP path ~ resolving discrepancy

Project curl Security Advisory, March 20th 2023 - Permalink

VULNERABILITY

curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.

Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.

Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.

INFO

CWE-22: Improper Limitation of a Pathname to a Restricted Directory

Severity: Low

AFFECTED VERSIONS

• Affected versions: curl 7.18.0 to and including 7.88.1
• Not affected versions: curl < 7.18.0 and curl >= 8.0.0
• Introduced-in: https://github.com/curl/curl/commit/ba6f20a244

libcurl is used by many applications, but not always advertised as such!

SOLUTION

• Fixed-in: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50

RECOMMENDATIONS

A - Upgrade curl to version 8.0.0

B - Apply the patch to your local version

C - Avoid using tilde in SFTP URL paths.

TIMELINE

This issue was reported to the curl project on March 5, 2023. We contacted distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.

CREDITS

• Reported-by: Harry Sintonen
• Patched-by: Daniel Stenberg

Thanks a lot!