Dustin L. Howett1d ago

"curl does not support an option called `-guid`, but if it did, somebody writing a shell script might use it wrong. Clearly this is a security bug in curl" ???

What the hell did I just read?

(h/t to @bagder for linking to curl's hackerone, for additional hilarious reading material)

https://hackerone.com/reports/3648199

curl disclosed on HackerOne: Internal application wrapper or script...

While -guid is not a standard or documented curl command, a Command Injection or Argument Injection vulnerability within a specific application that wraps curl. Security Analysis: curl -guid -url example.com 1. Status of the "-guid" FlagUndocumented/Non-existent: The official curl binary does not recognize a -guid flag. Standard versions will return an "unrecognized option" error.Custom...

HackerOne
Show threadaspragg

@DHowett @bagder Almost every sentence of that report is weirder than the last.

Yes, if you have the ability to overwrite /etc/shadow, and call `system()` with unsanitised untrusted user data in the command line, a shell injection attack could overwrite /etc/shadow. Who would have suspected?

Also, what about `--engine`? How is it relevant to (non-existent) -guid? It's a mystery!

Finally, attachment `curl_guid.mp4`?!? I've reached a state of confusion I wasn't expecting to achieve today.

Apr 6 at 11:30amWeb