Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / cookie injection with none file
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 540 USD

CVE-2023-38546

cookie injection with none file

Project curl Security Advisory, October 11 2023 - Permalink

VULNERABILITY

This flaw allows an attacker to intentionally inject cookies into a running program using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers.

libcurl provides a function call that duplicates an easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the filename as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl, when using the correct file format of course.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-38546 to this issue.

CWE-73: External Control of filename or Path

Severity: Low

We set it to low because the flaw requires a series of conditions to be met and the likeliness that they shall allow an attacker to take advantage of it is low. Even if the bug could be made to trigger, the risk that a cookie injection can be done to cause harm is additionally also low.

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

The (flawed) logic that created this bug existed even before the curl_easy_duphandle() function was added, but it did not become this problem until this API was introduced.

This flaw is not accessible using the curl command line tool.

SOLUTION

Starting in curl 8.4.0, curl not longer stores the filename in the cookie struct.

RECOMMENDATIONS

A - Upgrade curl to version 8.4.0

B - Apply the patch to your local version

C - Call curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL"); right after every curl_easy_duphandle(); call.

TIMELINE

This issue was reported to the curl project on September 14, 2023. We contacted distros@openwall on October 3, 2023.

libcurl 8.4.0 was released on October 11 2023, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!