Elevation of Privilege (EoP) vulnerabilities related to some easy options on Windows
High
C
curl
Reported by
justlikebono_official
## Summary
An Elevation of Privilege (EoP) vulnerability can occur in a privileged Windows process that uses CURLOPT_COOKIEJAR, CURLOPT_HSTS, or CURLOPT_ALTSVC.
The vulnerability arises from differences between the Windows and Linux implementations of the unlink function, combined with the behaviour of MoveFileEx, which follows specially crafted links.
Given that many components, such as program updaters, frequently run curl with elevated privileges, this issue must be considered a serious concern.
## Affected version
libcurl 8.11.1 (the latest version at the time of this report)
## Description
libcurl provides easy options such as `CURLOPT_COOKIEJAR`, `CURLOPT_HSTS`, and `CURLOPT_ALTSVC`. For example, when `CURLOPT_COOKIEJAR` is set, the library user can specify a file where cookie information will be stored.
Since libcurl is widely used for web communication, it is often utilized in privileged programs that need to communicate with web servers, such as program updaters.
The issue is that privileged programs using the aforementioned options may be exposed to an Elevation of Privilege (EoP) vulnerability. Since all three options share a very similar code structure, this explanation focuses on `CURLOPT_COOKIEJAR`.
In the `cookie_output` function of `lib/cookie.c`, the output file's `FILE` pointer is obtained via `Curl_fopen`. The `Curl_fopen` function generates a random temporary file based on the file path specified by the library user through `CURLOPT_COOKIEJAR` and returns the `FILE` pointer to this temporary file.
Subsequently, `cookie_output` writes the cookie contents to the temporary file and then moves the temporary file to the user-specified file path using `Curl_rename`. Internally, `Curl_rename` calls the `MoveFileExA` API, and if this attempt fails, it tries to delete the temporary file using the `unlink` function.
(https://github.com/curl/curl/blob/c5bb4e77e414c1505d800a0091a6d57c7f75d416/lib/cookie.c#L1660)
If the file path for storing cookies is in a user-writable location, a specially crafted link in Windows can be used to redirect the calls to `MoveFileExA` or `unlink` to operate on an arbitrary file. The `MoveFileExA` function follows this special link as is, while the `unlink` function, which executes through the Windows C runtime (`unlink() -> remove() -> DeleteFile(WINAPI)`), also follows the link.
Through this mechanism, an attacker can leverage a privileged process to achieve **arbitrary file deletion**, which can ultimately lead to **escalation of privilege (EoP) to SYSTEM** using well-known exploitation techniques.
At first glance, it may seem that exploiting this issue requires a race condition. However, it can be exploited in a highly reliable manner using **oplocks**.
For more details on how arbitrary file deletion can be abused to escalate privileges, refer to the ZDI blog post linked below:
(https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
To make the issue easier to understand, the next section provides a proof of concept (PoC) that demonstrates the vulnerability, along with step-by-step instructions for reproducing it.
## Steps To Reproduce:
To reproduce the issue described above, I created a simple program (`curl_EoP.sln`) that sends a web request using libcurl and the `CURLOPT_COOKIEJAR` option.
Additionally, `curl_EoP_Exp.sln` demonstrates how this program can be exploited to achieve **high-privilege arbitrary file deletion**.
This exploit redirects the deletion of `"C:/ProgramData/curl_EoP/{temporary_file_name}.tmp"` so that `"C:/Windows/test_file.txt"` is deleted instead.
### Steps to Reproduce:
1. Open an **administrator CMD** and create `test_file.txt` by running the following command:
```cmd
echo "tempfile" > C:/Windows/test_file.txt
```
2. Use **Visual Studio C/C++ 2022** to build `curl_EoP_Exp.sln` and `curl_EoP.sln` (x64-Release).
- **Note**: `curl_EoP.sln` requires **libcurl**.
3. Run `curl_EoP_Exp.exe` **with normal user privileges**.
- **Ignore** any stdout output.
4. Run `curl_EoP.exe` **with administrator or SYSTEM privileges**.
5. As a result of the exploit, **`C:/Windows/test_file.txt` will be deleted**.
## Patch Suggestion
The `GetFinalPathNameByHandle` API returns the final path that a given file handle actually refers to.
Comparing this resolved path with the expected file name reveals whether the path has been redirected via links.
A secure wrapper around functions such as `MoveFileExA` and `unlink` that incorporates this check would prevent exploitation.
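One way to implement the suggested check for the `unlink` fallback described in the Description section, as an added example that is neither the report's PoC nor curl's code: open the target, compare the handle's final path (via `GetFinalPathNameByHandle`) with the intended path, and then delete through that same handle rather than by name, so nothing is re-resolved after the check. The names `safe_unlink` and `demo` are this example's own; the POSIX branch is a simplified analogue so that the block also runs on Linux, and the file names in `demo` are constructed.

```c
#define _XOPEN_SOURCE 700      /* expose mkdtemp/symlink/lstat on POSIX builds */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#endif
/* 0 = deleted, 1 = refused (the name resolves elsewhere through a link), -1 = error */
int safe_unlink(const char *path)
{
#ifdef _WIN32
  char full[MAX_PATH], final[MAX_PATH];
  FILE_DISPOSITION_INFO fdi = { TRUE }; HANDLE h; DWORD n;
  if(!GetFullPathNameA(path, sizeof full, full, NULL)) return -1;
  h = CreateFileA(path, DELETE, FILE_SHARE_DELETE, NULL, OPEN_EXISTING,
                  FILE_ATTRIBUTE_NORMAL, NULL);
  if(h == INVALID_HANDLE_VALUE) return -1;
  n = GetFinalPathNameByHandleA(h, final, sizeof final,
                                FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);
  if(n == 0 || n >= sizeof final) { CloseHandle(h); return -1; }
  if(_stricmp(final + 4, full)) { CloseHandle(h); return 1; } /* skip \\?\ prefix; mismatch = a link redirected us */
  /* delete through the verified handle instead of re-resolving the name */
  n = SetFileInformationByHandle(h, FileDispositionInfo, &fdi, sizeof fdi);
  CloseHandle(h);
  return n ? 0 : -1;
#else
  struct stat st;  /* POSIX analogue so the example also runs on Linux */
  if(lstat(path, &st)) return -1;
  if(S_ISLNK(st.st_mode)) return 1;   /* the name itself is a link: refuse */
  return unlink(path) ? -1 : 0;
#endif
}
#ifndef _WIN32
/* Constructed scenario: a real temp file is deleted; a link with a temp-file name pointing at a "protected" file is refused. */
int demo(void)
{
  char d[] = "/tmp/su_XXXXXX", real[40], victim[40], lnk[40]; int ok;
  if(!mkdtemp(d)) return 0;
  snprintf(real, 40, "%s/c.tmp", d); snprintf(victim, 40, "%s/v.txt", d);
  snprintf(lnk, 40, "%s/e.tmp", d);
  close(open(real, O_CREAT | O_WRONLY, 0600)); close(open(victim, O_CREAT | O_WRONLY, 0600));
  if(symlink(victim, lnk)) return 0;
  ok = safe_unlink(real) == 0 && safe_unlink(lnk) == 1 && access(victim, F_OK) == 0;
  unlink(lnk); unlink(victim); rmdir(d); return ok;
}
#endif
```

Because the intended path is normalised with `GetFullPathNameA`, a caller that passes an 8.3 short name or a different drive mapping for the same file will also be refused, so the wrapper should receive the same canonical path the process used when it created the temporary file.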
## Supporting Material/References:
* curl_EoP.zip: source code of curl_EoP.sln
* curl_EoP_Exp.zip: source code of curl_EoP_Exp.sln
* PoC.mp4: a video of the reproduction steps
## Impact
A medium-privileged attacker can achieve Escalation of Privilege (EoP) to SYSTEM by targeting any privileged program that uses the CURLOPT_COOKIEJAR, CURLOPT_HSTS or CURLOPT_ALTSVC option with a user-writable path.
State
Closed
Substate
Informative
Weakness
Privilege Escalation