We got this "HIGH security problem" reported for #curl earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.

Same user followed up with a second severity HIGH security problem.

"The --capath option in cURL and CURLOPT_CAPATH in libcurl accept any directory path without validation. If an attacker provides a custom CA path containing a fake root certificate, cURL will trust malicious HTTPS endpoints signed with that fake root."

I'm fortunate to get to work with the best people 🤠

Both these reports might be AI slop but we can't be sure - they lack some of the most obvious giveaways. People can be stupid without AI as well.
@bagder the truest question of our times. Is it artificial stupid or organic stupid?
@pearofdoom @bagder i think it's unfair that this reporting is such a one-sided process.
You should be able to report the brains of those people, because they either are bugged or have been hacked.
@bagder It feels to me like someone has read a Secure Programming course that states that file inputs should be sanitised, and then they’ve assumed that that is true for everything.
@bagder statement for the ages
@bagder even worse, with curl you can directly fetch or even change remote data over the interwebz 😱
@nicoduck holy shit what if you download malware?!
@bagder this is 2 steps off from "ah yes I'm gonna let an attacker have root on my system" of a threat model

@memdmp @bagder

"They couldn't believe their eyes when they read about the second step!1!!11"

@bagder "working as intended"
@bagder it'll also trust legitimate endpoints though, so it balances out perfectly.
@bagder security level critical: if I slightly mistype this URL, it downloads the wrong information.
@bagder ah see the mistake is you forgot to call the isFakeCertificate function... rookie error

@bagder
As a user, I execute curl in a command line and export the output to the path I have specified.

Looks like an acceptance criteria that I would never complain about. 🤔

@beandev @bagder Curl library may be embedded in any components or applications running as different (privileged) users.
So whether you personally use it from the command line has little effect on the scale of the problem.
@VencDvorak @beandev @bagder curl shouldn’t be suid and if you’re shelling out to curl in your program, then you have the responsibility and opportunity to sanitize those inputs before they get to curl. This is one of the things static code analysis tools like Fortify will crap out and you just ignore a bunch of them because it’s just a user can do things a user should be able to do - the OS’es access controls take over from there.
@VencDvorak @beandev @bagder I mean, if you think the solution is to patch an allowlist for your embedded application into the version of curl you run, I guess you can go for it.
@VencDvorak @beandev @bagder don’t do this, by the way. If you think this is the answer to this … situation, you’re wrong. Use your OS’es file system permissions and, if you want to get high-tech and specific about capabilities, write some SELinux rules.
@VencDvorak @beandev @bagder my least favorite static analysis tool, Fortify, would report this lack of sanitation as a HIGH severity issue in the Security Auditor view.

@VencDvorak
An application may be embedded in any operating system running as different (privileged) users. So, Hm. Yes. 🤷 *

You are probably talking about the scenario of including a library in a remote executable service (web server, service behind a socket port,...). However, this is a problem of usage and not of intended functionality.

*) so, you don't need libcurl to write somewhere into the file system.

@bagder

@bagder If only we could see the security reports they made to the `rm` maintainers.

Or `chmod`!

@Misofist @bagder The coreutils maintainers must be shaking and crying right now with all the sudden new CVEs uncovered!
@snep @Misofist @bagder New vulnerability!!! if you press the power button it starts executing code from whatever storage device is attached

@jackemled @snep @Misofist @bagder

New vulnerability! affects all computers with a PS/2 or USB interface! Whenever you plug in a keyboard or mouse, it allows possible unauthorized access to the system!!

@Octoomy @jackemled @snep @Misofist @bagder Oh shit! All of my computers have USB interfaces - I'm doomed!
@Misofist @bagder Don't tell them about sudo.
@Misofist well, they've tried hard enough to have "--no-preserve-root" now
@bagder Why not create a symlink alias for curl (say 'ncurl') that automatically rejects global paths and '/../'? Spread the word that pasting 'ncurl' commands into shell is safer than 'curl'.
@bagder I struggle to even imagine what “validation” would look like here.
@bagder well, that person's job should be taken over by AI.
@bagder Ah yes, high security problems
@bagder Wait! I could curl a CA cert and then use it for another curl operation? That's highly risky! Will submit a bug report immediately!!! /s
@bagder critical security vulnerability: if an attacker replaces the curl binary it can perform attacker-defined actions
@bagder Wow, that is really very special
@bagder you're assuming people wrote those
@bagder I'm imagining a world where you "fix" these problems and make curl a lot less useful for me...
@bagder 99% bet on someone asking an LLM about potential problems with curl based on the man page for enterprise deployments though.
@bagder "The [URLs] parameter in cURL does not perform restriction or sanitisation checks. As such, cURL allows requests to be made to servers that are private, internal or otherwise not publicly accessible. When cURL is used in an environment where such internal servers are accessible to the machine cURL is running on, this could be used to lead to severe Server Side Request Forgery (SSRF) risks"

@bagder @jpmens

"The footgun allows you to shoot yourself in the foot!" 😆

@bagder don't tell em what happens if you run curl as root 👻
@seri @bagder Tell them to curl -L http://bit.ly/10hA8iC | bash.
@bagder agreed that this is a bullshit vuln but also... any vuln can be used to escalate to RCE if you try hard enough to justify it
@bagder any feature can be considered a security vulnerability if you are dedicated enough
@bagder better start writing, I noticed “cat” and “touch” have the same vulnerability
@SMillerNL @bagder oh and don't forget tools like dd and ln, they too have it
@SMillerNL @bagder 'cat /etc/shadow' allows attackers to exfil password hashes, I'll take one CVE please
@bagder sorry what

is this one reading this correctly

they think -o is attacker-controlled in nature????
and that
curl -o ../a/b/c (...) is bad but curl -o a/b/c is still fine????

this one has lost any understanding of modern "infosec professionals"*

*in airquotes due to ones like this, not all creatures with that job title

@memdmp @bagder the very scary thing here is that it reveals that they're taking an output path from an untrusted source and blindly passing it to curl.

Absolutely critical levels of YOLO

@bagder @mausmalone willing to bet that the way they're doing it doesn't filter shell escapes either, meaning providing "$(exit 1)" may kill it

also, the mention of a relative path as a specifier makes this one believe that they either didn't consider absolute paths or just prefix the input with a ./

such levels of YOLO have not been seen since the time when banks didn't know about SQL injections
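Added example, not part of the thread and not curl's own code: the "sanitize those inputs before they get to curl" point made earlier by @mausmalone, and @memdmp's remarks above about blindly passing an untrusted output path (and unfiltered shell escapes) to curl, worked as a small Python wrapper. It confines an untrusted output name to one download directory (rejecting absolute paths, `..` escapes, names beginning with `-`, and symlinks that lead out of the directory) and then invokes curl as an argv list, so no shell ever interprets the name. The function names, the 100 MiB size cap and the sample inputs are all constructed for this example.

```python
# Added example (not from the thread, not curl's code): take an untrusted
# output name, confine it to one directory, and only then hand it to curl
# with an argv list. All names and sample values below are hypothetical.
import os
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import urlparse


class UnsafeOutputPath(ValueError):
    """The requested output name would land outside the download directory."""


def confine_output_path(download_dir: str, requested: str) -> str:
    """Map an untrusted file name onto an absolute path inside download_dir.

    Raises UnsafeOutputPath for anything that would land elsewhere, so the
    caller never reasons about '../', absolute paths or symlinks itself.
    """
    base = Path(download_dir).resolve()
    if not base.is_dir():
        raise UnsafeOutputPath(f"not a directory: {download_dir}")
    if not requested:
        raise UnsafeOutputPath("empty output name")
    if requested.startswith("-"):
        # curl would parse a leading '-' as an option, not as a file name
        raise UnsafeOutputPath("output name must not start with '-'")
    if os.path.isabs(requested):
        raise UnsafeOutputPath("absolute paths are not allowed")
    # resolve() collapses '..' and follows symlinks in the components that
    # exist, so 'sub/../../x' and 'link-to-root/etc/passwd' are both
    # compared against the real download directory, not the literal text.
    resolved = (base / requested).resolve()
    if resolved == base:
        raise UnsafeOutputPath("output name resolves to the directory itself")
    try:
        resolved.relative_to(base)
    except ValueError:
        raise UnsafeOutputPath(f"{requested!r} escapes {base}") from None
    return str(resolved)


def build_curl_argv(url: str, output_path: str) -> list:
    """Build curl's argv; with no shell involved, a name like "$(exit 1)" is inert."""
    scheme = urlparse(url).scheme
    if scheme not in ("http", "https"):
        # rejects file://, a URL beginning with '-', and similar surprises
        raise ValueError(f"unsupported URL scheme: {scheme!r}")
    return ["curl", "--fail", "--silent", "--show-error",
            "--max-filesize", "104857600",  # hypothetical 100 MiB cap
            "--output", output_path, url]


def download(url: str, download_dir: str, requested_name: str) -> str:
    """Validate first, then run curl as an argv list (shell=False is the default)."""
    output_path = confine_output_path(download_dir, requested_name)
    subprocess.run(build_curl_argv(url, output_path), check=True)
    return output_path


def run_demo() -> dict:
    """Classify constructed sample names; returns {name: 'ok' | 'rejected'}."""
    tmp = tempfile.mkdtemp(prefix="curl-demo-")
    os.symlink(os.sep, os.path.join(tmp, "link"))  # a symlink pointing at '/'
    samples = [
        "report.pdf",            # plain name inside the directory
        "sub/dir/report.pdf",    # subdirectory inside the directory
        "$(exit 1).bin",         # odd but harmless: no shell parses argv
        "../../etc/cron.d/job",  # relative traversal out of the directory
        "/etc/passwd",           # absolute path
        "-K",                    # would be read by curl as an option
        "sub/../../escape",      # traversal hidden behind a subdirectory
        "link/etc/passwd",       # symlink inside the directory leading out
        ".",                     # the directory itself
    ]
    results = {}
    for name in samples:
        try:
            confine_output_path(tmp, name)
            results[name] = "ok"
        except UnsafeOutputPath:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:9} {name}")
```

The wrapper only decides where curl is allowed to write; as @mausmalone says, the operating system's file permissions (and SELinux, if you go that far) remain the real boundary, and curl itself does not create missing intermediate directories unless asked to with `--create-dirs`.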
@bagder Wait until he finds out about rm.
@cgudrian @bagder not as bad as those "su" and "sudo" malwares that enable lateral movement and priv esc!

@bagder

Just wait until they learn what an absolute path is … /j

In more serious terms: ouch

@bagder
Curl allows you to programmatically fetch a malicious program from the internet and then pass it off to another program for execution. Surely that's just as serious. 🤡🤡
@bagder I think it's serious enough to warrant a full new category of security issues, called Local Code Execution (LCE)

@bagder I should write one thus:

"Curl is the internet's shotgun. Used improperly it may damage property, injure or kill you or others.

Please fix this."