"Arbitrary File Read via file:// Protocol in cURL"

Well, you see... 🤦‍♂️

curl disclosed on HackerOne: Arbitrary File Read via file://...

cURL’s file:// protocol handler is enabled by default, allowing access to local files on the system. This behavior enables an attacker with the ability to run cURL commands to read arbitrary files on the host by specifying file paths or using directory traversal techniques. Steps to reproduce: 1. Build cURL with default configuration (e.g., ./configure --with-ssl and make). 2. Run...

HackerOne
@bagder Can I get bug bounty for this: curl can let a user download content that hypnotizes the user to delete all their files and backups. This is a remote convincing exploit.
@liw @bagder Arbitrary code execution in CURL when piped into `sh`.
@bagder "water is wet"
@ocramius @bagder I wasn't aware, I'm shocked, shocked I tell you
@bagder Hey @pixelbeat I think cat might have this same, uh, "security issue". Might want to publish an advisory for people. See also, cp...
@lyda @bagder @pixelbeat computing would be much, much safer, if files could not be read by any tool, ever

@stfn
The exploit can be mitigated by cutting all eth, wifi and power cables

@lazyb0y @lyda @bagder @pixelbeat ah yes, the "security by scissorsity" approach
@lyda @bagder @pixelbeat did you know that sudo allows an attacker to execute commands as root (assuming they know the password).
@bagder surely they just jammed a single sentence into AI to generate this report.... I wish bug bounty didn't encourage people with the lowest possible skill level to spam 10,000 issues until one of them happens to stick for money sigh

genuine question, would you say you get mostly useful reports on the curl bug bounty program, or are majority just noise that gets closed with no impact? a quick look at the "hacktivity" page shows a depressing stream of nonsense at first glance
@froge @bagder I'm negatively impressed by the sheer awfulness of the moderation.
@bagder "Per project policy for transparency, we want all reports disclosed and made public." 👌
@bagder Mr Tufan: no thanks found, reputation -5. This is fine.
@bagder Wow. This is... something... special...

@bagder I don't think you understand the severity of this exploit.
First, it says Severity 9-10, so that automatically means it is the exploit of the century
Second, if an attacker can get access to the curl binary with root permissions, they can just read arbitrary files, compromising the entire system.

Just wait till someone builds the next WannaCry with this

@bagder @mage_of_dragons if the attacker does that they generally also can run cat… *sigh*

It’s a fscking command line tool. If you expose them over the network, you’re responsible for securing things yourself.

This is literally curl working as intended.

@mage_of_dragons @bagder but does it have a logo, mascot and a theme song.
@bagder ah the great joys of putting an LLM in front of a greedy idiot

@bagder Maybe there is a secret contest for "Who creates the most stupid report for curl and gets published?"...

I somehow feel the urge to participate...

@treibholz it's gonna be tough to beat some of the ones we already have received... 😁

@bagder

Severity: Critical 9 ~ 10

@bagder
I think this is partially the result of a certain Bash bug years ago that got labelled a security hole and called "shellshock".

Yes, it was a bug in bash, but bash executes with the exact same privilege as the user or process invoking bash, so cannot result in privilege escalation. The security hole was never in bash, it was in the (usually PHP) code passing unvalidated input from the webserver to bash.

Those PHP devs got to blame bash for executing unvalidated input, rather than taking the blame for passing unvalidated input to bash, so now want to blame every tool that is capable of doing unintended things simply by passing unvalidated input.

Such as passing a file:// url to curl without validation.

@bagder They even just say it: a person using this program can read files they’re allowed to read.

“An attacker who can run cURL commands on the system can read any local file that the user running cURL has permission to access”

@bagder less Privilege Escalation; more Privilege Exasperation
@bagder I mean, this is quite in-your-face. Usually, the equivalent reports jump through a ridiculous number of hoops just to return to the same thing; exploit requires the user to already have the permission needed to perform the operation directly.
@bagder i can picture the YouTube title: CRITICAL security vulnerability! "working as intended" Curl devs IGNORE this INSANE exploit!
@bagder next up: critical security issue in cat
cat /etc/shadow lets you see the contents of the file!
@bagder
Well... The one finding this "exploit" uses root? Else, he wouldn't really see anything from shadow... Maybe we should tell him to try to hack 127.0.0.1? This famous hardened system everyone talks about?

@bagder I asked AI to graphically demonstrate my reaction to the uh... bug...report.

The text on screen was not supplied by me - but oh man it fits.

@bagder works as intended...
@bagder cat and more have the same security bug, I've been told.
@bortzmeyer @bagder I opened Nautilus and it allowed me to see ALL files in my user folder. 😱
@brian @bortzmeyer @bagder GPU drivers facilitate physical attackers to interact with my machine and see its contents.

@brian @bortzmeyer @bagder

I am seriously considering switching to Windows over this.
Is there no security on Linux at all????

@mndflayr @bortzmeyer @bagder It’s even worse on Windows. Opened “explorer” and it showed to ALL MY DRIVES?? How the fuck does it have this access??
@bortzmeyer @bagder Now, of course, if you run cat or more or curl as suid root (with full capabilities), things happen, but that's quite literally going to be true of anything that processes files, and it's not the fault of those tools (unless they install themselves like that by default, of course).

@bagder O_o

That's like a support ticket for "I've deleted the Internet" while they just moved the Internet Explorer icon into the trash bin.

"Uninhibited IP Access to 127.0.0.1"
@bagder As long as you don't accept redirects to file:// I can't see it 🥲 😂
@bojidar_bg @bagder ooh, now there's an idea. You can imagine some Web 1.0 tool that works this way, maybe even a cURL like tool, where that's ultimately how files are accessed that are represented by http.

@bojidar_bg @bagder

Anakin: curl's accepting all redirects
Padme: All but to file://, right?

@f4grx @bojidar_bg @bagder
Padme: Right? 😦

@flxtr @bojidar_bg @bagder

Right. Just tested it and it does not redirect (because of course)

@f4grx @bojidar_bg @bagder I wouldn't have expected anything else. I just didn't want to let the joke go.
@f4grx @flxtr Gah! What a waste of a perfectly good _theoretical_ vulnerability 😂

you should use that as description in the man page

“FILE Read or write arbitrary local files.”

(Did they even notice they could write files?)

@smrqdt fuck if we throw sudo at it, we also have a pretty hefty privilege escalation!
@claudius check out the "proof" attachment in the hacker one report…
@bagder next, you will be telling me if I pipe the output of curl to sudo bash, then an attacker in control of the remote website has RCE! 😵
@smallsees @bagder but nobody would ever do that.
..
?
Oh no!
@bagder is someone passing user-supplied URLs to curl in a cgi-bin script?
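Two posts upthread touch the one real lesson here: passing a user-supplied URL to curl "without validation", and doing it from a cgi-bin script. The following is an added example (not curl project code and not anything posted in the thread) of what that validation looks like in a wrapper: an http(s)-only scheme allow-list in the caller, plus curl's own `--proto` and `--proto-redir` restrictions so that neither the initial URL nor a redirect target can reach file:// (or ftp, dict, gopher, ...). The helper names `is_allowed_url` and `build_curl_argv` are hypothetical; `--proto`, `--proto-redir`, `--max-redirs` and `--url` are real curl options.

```python
"""Allow-list the scheme of a user-supplied URL before it reaches curl.

Added example, not curl's code. Helper names are hypothetical; the curl
flags used in build_curl_argv() are real.
"""
from urllib.parse import urlsplit

# Schemes the wrapper is willing to fetch. Anything else (file, ftp, dict,
# gopher, scp, ...) is rejected before curl ever sees the string.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_allowed_url(url: str) -> bool:
    """Return True only for an absolute http(s) URL with a non-empty host."""
    if not isinstance(url, str) or not url:
        return False
    # Reject control characters (newline, tab, NUL, ...) outright instead of
    # trusting the URL parser to strip or tolerate them.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    # A leading "-" would be parsed by curl as an option, not a URL.
    if url.startswith("-"):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # raises ValueError on a malformed IPv6 literal
    except ValueError:
        return False
    # urlsplit() already lowercases the scheme; lower() again costs nothing
    # and makes the allow-list comparison obviously case-insensitive.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "http:///etc/passwd" parses with the http scheme but no host: reject.
    if not parts.netloc or not host:
        return False
    return True


def build_curl_argv(url: str, output_path: str = "-") -> list:
    """Build a curl argv that cannot be steered to file:// by the URL or a redirect.

    Raises ValueError for anything is_allowed_url() refuses.
    """
    if not is_allowed_url(url):
        raise ValueError("refusing to fetch non-http(s) URL: %r" % (url,))
    return [
        "curl",
        "--silent", "--show-error", "--fail",
        "--location",                     # follow redirects ...
        "--proto", "=http,https",         # ... initial request: http(s) only
        "--proto-redir", "=http,https",   # ... every redirect hop: http(s) only
        "--max-redirs", "5",
        "--output", output_path,          # "-" means stdout
        "--url", url,                     # never positional, so "-x" can't become an option
    ]


if __name__ == "__main__":
    # Constructed sample inputs, the kind a cgi-bin script might receive.
    samples = [
        "https://example.com/report.json",
        "file:///etc/passwd",
        "FILE:///etc/shadow",
        "/etc/passwd",
        "-K/etc/passwd",
        "http:///etc/passwd",
        "dict://localhost:2628/d:x",
    ]
    for sample in samples:
        print("%-32r -> %s" % (sample, "allowed" if is_allowed_url(sample) else "rejected"))
```

The two layers are deliberate. The scheme check in the caller stops a file:// URL (in any letter case, and the `file:/path` spelling) from being handed to curl at all, and refuses strings curl would read as options. The `--proto`/`--proto-redir` flags then pin the same policy inside curl itself, so a redirect from an attacker-controlled http server cannot switch protocol either; as noted upthread curl already does not follow a redirect to file:// on its own, but stating the allow-list explicitly makes the wrapper's behaviour independent of the curl version and its build-time defaults.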
@bagder "if an attacker has the ability to run arbitrary code on the target system they can read arbitrary files" yeah no shit
@bagder it's even worse, http:// can read arbitrary web pages! all the internet!

@bagder

these types of reports are a DDoS attack against free software projects, wasting devs' time on a grand scale