Arbitrary File Read via file:// Protocol in cURL
Severity: Critical
Program: curl
Reported by: mr_tufan

Vulnerability Details
cURL’s file:// protocol handler is enabled by default, allowing access to local files on the system. This behavior enables an attacker with the ability to run cURL commands to read arbitrary files on the host by specifying file paths or using directory traversal techniques.
Steps to reproduce:
1. Build cURL with the default configuration (e.g., `./configure --with-ssl` and `make`).
2. Run `./src/curl "file:///etc/passwd"` to read the contents of the passwd file.
3. Run `./src/curl "file:///tmp/../../etc/passwd"` to demonstrate path traversal access to the same file.
4. Run `./src/curl -s "file:///etc/shadow" | head -c20` to read partial sensitive data from the shadow file.
This confirms that arbitrary local files can be accessed via the file:// protocol, which poses a critical security risk.
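As an added example, not part of this report or of the curl project: when a program hands untrusted URLs to curl, the applicable control is a scheme allowlist, enforced both by the caller and through curl's own `--proto` and `--proto-redir` options. The wrapper below (hypothetical `allowed_url` and `safe_fetch` functions) refuses every URL used in the steps above before curl is ever invoked.

```shell
#!/bin/sh
# Added example (not the report's or curl's own code): a wrapper that refuses
# non-HTTP(S) URLs before they reach curl, and additionally tells curl itself
# to honour the same allowlist via its real --proto / --proto-redir options.

# allowed_url URL -> 0 if the scheme is http or https, 1 otherwise.
# The match is case-insensitive (FILE:///etc/shadow is refused as well) and
# runs on the raw string, so anything after the scheme, including the
# /tmp/../../etc/passwd traversal from the report, never reaches curl.
allowed_url() {
    case "$1" in
        [Hh][Tt][Tt][Pp]://*|[Hh][Tt][Tt][Pp][Ss]://*) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_fetch URL: invoke curl only if the scheme passes the allowlist.
# --proto =http,https restricts the initial request; --proto-redir restricts
# the scheme of any Location: redirect, so a redirect to file:// is refused too.
safe_fetch() {
    if ! allowed_url "$1"; then
        printf 'refused: scheme not in allowlist: %s\n' "$1" >&2
        return 2
    fi
    curl --fail --silent --show-error --max-time 30 \
         --proto '=http,https' --proto-redir '=http,https' "$1"
}

# Offline demonstration (no network, no curl binary needed): run the URLs
# from the report's reproduction steps through the allowlist.
demo() {
    for u in 'file:///etc/passwd' 'file:///tmp/../../etc/passwd' \
             'FILE:///etc/shadow' 'https://example.com/'; do
        if allowed_url "$u"; then echo "allow  $u"; else echo "refuse $u"; fi
    done
}
```

Running `demo` prints `refuse` for the three file:// URLs and `allow` only for the https one; `safe_fetch` is the function to call in place of a bare `curl "$url"`.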
## Impact
An attacker who can run cURL commands on the system can read any local file that the user running cURL has permission to access, including highly sensitive files such as /etc/shadow. This can lead to:
- Theft of password hashes and credentials.
- Potential privilege escalation by cracking stolen hashes.
- Full system compromise through lateral movement or further exploitation.
- Exposure of confidential configuration or secret files.
Overall, this vulnerability compromises system confidentiality and can lead to complete takeover of the affected host.
Report Details
State: Closed
Substate: Not-Applicable
Weakness: Path Traversal