POST following PUT confusion

Medium

Internet Bug Bounty

Submitted None

Team Summary

Official summary from Internet Bug Bounty

###CVE-2022-32221: POST following PUT confusion ###VULNERABILITY When doing HTTP(S) transfers, libcurl might erroneously use the read callback [(CURLOPT_READFUNCTION)](https://curl.se/libcurl/c/CURLOPT_READFUNCTION.html) to ask for data to send, even when the [CURLOPT_POSTFIELDS](https://curl.se/libcurl/c/CURLOPT_POSTFIELDS.html) option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. We are not aware of any exploit of this flaw. ###INFO The code actually sending wrong data or doing a use-after-free is not present in libcurl code but are only presumed scenarios that might become the outcome of libcurl surprisingly calling the read callback in a situation where it is not expected to. This flaw cannot be triggered with the command line tool. This issue was [reported and managed publicly](https://github.com/curl/curl/issues/9507) before the security impact was properly understood. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-32221 to this issue. CWE-440: Expected Behavior Violation ###Severity: medium ###AFFECTED VERSIONS - Affected versions: libcurl 7.7 to and including [7.85.0](https://curl.se/docs/vuln-7.85.0.html) - Not affected versions: libcurl < 7.7 and >= [7.86.0](https://curl.se/docs/vuln-7.86.0.html) libcurl is used by many applications, but not always advertised as such! ###THE SOLUTION The fix for [CVE-2022-32221](https://github.com/curl/curl/commit/a64e3e59938abd7d6) was committed to the curl git repository and made public before the security impact of this issue become clear to us. The securty impact was not highlighted in the commit message nor surrounding messsaging. ###RECOMMENDATIONS A - Upgrade curl to version [7.86.0](https://curl.se/docs/vuln-7.86.0.html) B - Apply the patch to your local version C - Do not do mix using the read callback and postfields string on a reused easy handle ###TIMELINE This issue was reported to the curl project on September 19, 2022. We contacted distros@openwall on October 18, 2022. libcurl [7.86.0](https://curl.se/docs/vuln-7.86.0.html) was released on October 26 2022, coordinated with the publication of this advisory.

Actions:

View on HackerOne

Reported by robbotic

Vulnerability Details

Technical details and impact analysis

Information Disclosure

The bug I submitted at https://github.com/curl/curl/issues/9507 can have at least a few unintended security issues: Information Disclosure: this bug causes an HTTP PUT to occur when the user intends for an HTTP POST to occur. The user, who intended an HTTP POST, expects the POSTed information to come from CURLOPT_POSTFIELDS. However, as an HTTP PUT is performed instead, the data that is PUT comes from a buffer specified in CURLOPT_READDATA, which may be sensitive information intended for an entirely different host (host1.com below). If CURLOPT_READDATA is not specified, this data could come from stdin! Use after free: using the description above, if the user had already freed the data specified in CURLOPT_READDATA, then the unintended HTTP PUT (which was intended to be an HTTP POST) would attempt to read the freed data specified in CURLOPT_READDATA. ## Impact An attacker could potentially inject data, either from stdin or from an unintended buffer. Further, without even an active attacker, this could lead to segfaults or sensitive information being exposed to an unintended recipient.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2400.00

Submitted

Weakness

Information Disclosure