libcurl: freeing stack buffer during x509 certificate parsing

Medium

Internet Bug Bounty

Team Summary

Official summary from Internet Bug Bounty

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte local stack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the free() implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploiting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances. Full advisory: https://curl.se/docs/CVE-2024-6197.html

Reported by z2_

Vulnerability Details

Technical details and impact analysis

Memory Corruption - Generic

Hello, I would like to report a vulnerability here, initially reported by me to the curl project.

HackerOne Report: https://hackerone.com/reports/2559516
CVE: CVE-2024-6197
Advisory: https://curl.se/docs/CVE-2024-6197.html
Severity: Medium

## Impact

By serving a specifically crafted TLS certificate, a malicious server can trigger a `free()` of a buffer located on the stack. This can lead to a crash or to further memory corruptions.
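
The bug class described in this report, as an added example that is not libcurl's code and does not reproduce its actual parser: a simplified decoder for the value bytes of an ASN.1 UTF8String that validates input one sequence at a time through a 4-byte scratch buffer on the stack. The vulnerable shape frees that scratch buffer on the error path; the fixed shape frees only the heap output buffer. All names (`utf8_value_vuln`, `utf8_value_fixed`, `tracked_malloc`, `tracked_free`, `live_count`) are hypothetical, and the sample inputs are constructed. The small tracking allocator stands in for the invalid-free detection a hardened malloc or AddressSanitizer would perform: it counts the bad `free()` instead of aborting, so both variants can run in one process.

```c
/* Added example, not libcurl's code: simplified ASN.1 UTF8String value
 * decoder showing the bug class in CVE-2024-6197 (freeing a 4-byte stack
 * scratch buffer on the error path). All names are hypothetical.
 * Build: cc -std=c99 -Wall example.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator: remembers every live heap block so that a free() of
 * a pointer it never handed out (a stack buffer, or a double free) is
 * counted instead of aborting, which is what glibc's malloc would do. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int invalid_frees;

static void *tracked_malloc(size_t n)
{
  void *p = malloc(n);
  for(int i = 0; p && i < MAX_LIVE; i++)
    if(!live[i]) { live[i] = p; break; }
  return p;
}

static void tracked_free(void *p)
{
  if(!p) return;                      /* free(NULL) is a legal no-op */
  for(int i = 0; i < MAX_LIVE; i++)
    if(live[i] == p) { live[i] = NULL; free(p); return; }
  invalid_frees++;                    /* not a live heap block: a real malloc would abort */
}

static int live_count(void)
{
  int c = 0;
  for(int i = 0; i < MAX_LIVE; i++) c += (live[i] != NULL);
  return c;
}

/* Length of the UTF-8 sequence introduced by lead byte b, or 0 if b is not
 * a valid lead byte (overlong and surrogate checks omitted for brevity). */
static size_t seqlen(unsigned char b)
{
  if(b < 0x80) return 1;
  if((b & 0xE0) == 0xC0) return 2;
  if((b & 0xF0) == 0xE0) return 3;
  if((b & 0xF8) == 0xF0) return 4;
  return 0;
}

/* Vulnerable shape: each sequence is staged in a 4-byte stack buffer while
 * its continuation bytes are checked; the error path frees that stack
 * buffer instead of the heap output buffer. */
static char *utf8_value_vuln(const unsigned char *p, size_t len)
{
  unsigned char seq[4];               /* stack scratch, never heap-allocated */
  char *out = tracked_malloc(len + 1);
  size_t o = 0;
  if(!out) return NULL;
  while(len) {
    size_t n = seqlen(p[0]);
    if(!n || n > len) goto bad;       /* bad lead byte or truncated sequence */
    memcpy(seq, p, n);
    for(size_t i = 1; i < n; i++)
      if((seq[i] & 0xC0) != 0x80) goto bad;
    memcpy(out + o, seq, n);
    o += n; p += n; len -= n;
  }
  out[o] = '\0';
  return out;
bad:
  tracked_free(seq);                  /* BUG: frees stack memory and leaks `out` */
  return NULL;
}

/* Fixed shape: identical decoding, but only the heap block is released. */
static char *utf8_value_fixed(const unsigned char *p, size_t len)
{
  unsigned char seq[4];
  char *out = tracked_malloc(len + 1);
  size_t o = 0;
  if(!out) return NULL;
  while(len) {
    size_t n = seqlen(p[0]);
    if(!n || n > len) goto bad;
    memcpy(seq, p, n);
    for(size_t i = 1; i < n; i++)
      if((seq[i] & 0xC0) != 0x80) goto bad;
    memcpy(out + o, seq, n);
    o += n; p += n; len -= n;
  }
  out[o] = '\0';
  return out;
bad:
  tracked_free(out);                  /* correct: release the heap buffer only */
  return NULL;
}

int main(void)
{
  const unsigned char good[] = "h\xC3\xA9llo";   /* constructed: "héllo" */
  const unsigned char bad[] = "ab\xC3";          /* constructed: truncated 2-byte sequence */
  char *s = utf8_value_fixed(good, sizeof(good) - 1);
  printf("fixed/good: %s\n", s ? s : "(error)");
  tracked_free(s);
  utf8_value_fixed(bad, sizeof(bad) - 1);
  printf("fixed/bad: invalid frees=%d leaked blocks=%d\n", invalid_frees, live_count());
  utf8_value_vuln(bad, sizeof(bad) - 1);
  printf("vuln/bad:  invalid frees=%d leaked blocks=%d\n", invalid_frees, live_count());
  return 0;
}
```

The truncated input takes both decoders down the error path; the fixed one leaves no live heap block and no invalid free, while the vulnerable one records one invalid free and one leaked block (the real heap buffer that should have been released). Against real `free()`, build such code with `-fsanitize=address`: ASan reports the stack pointer as "attempting free on address which was not malloc()-ed" at the exact call site, whereas glibc only aborts with "free(): invalid pointer", which is the crash outcome the advisory describes.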

Related CVEs

Associated Common Vulnerabilities and Exposures

CVE-2024-6197 (advisory: https://curl.se/docs/CVE-2024-6197.html); the advisory text is given in full in the Team Summary above.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Memory Corruption - Generic