
GnuTLS CURLINFO_TLS_SESSION / CURLINFO_TLS_SSL_PTR type confusion

C
curl
Submitted None
Reported by nyymi

Vulnerability Details

Technical details and impact analysis

Type Confusion
## Summary:

`curl_easy_getinfo` for `CURLINFO_TLS_SESSION` and `CURLINFO_TLS_SSL_PTR` incorrectly returns `CURLSSLBACKEND_OPENSSL` in the `backend` field of `struct curl_tlssessioninfo` when the backend is GnuTLS.

```c
struct curl_tlssessioninfo {
  curl_sslbackend backend;
  void *internals;
};
```

The bug is at https://github.com/curl/curl/blob/2db8ae480fdcae7f005bf847fbbf837821c8184c/lib/vquic/vquic-tls.c#L211

```c
#elif defined(USE_GNUTLS)
  (void)give_ssl_ctx;
  /* gnutls always returns its session */
  info->backend = CURLSSLBACKEND_OPENSSL;
  info->internals = ctx->gtls.session;
  return TRUE;
```

If the caller interprets the `backend` field and makes a dynamic decision on its value, it will treat the `gnutls_session_t` as an `SSL_CTX` / `SSL`, leading to type confusion.

An example of affected code can be found at: https://github.com/curl/curl/blob/7c23e88d17e0939b4e01c8d05f430e167e148f4b/docs/libcurl/opts/CURLINFO_TLS_SSL_PTR.md?plain=1#L144

What actually happens when the incorrect pointer is passed to OpenSSL functions is unknown and depends on the specific application code and which functions it calls. At minimum a crash is likely, but other impacts can't easily be ruled out, especially considering the wide platform and version support in libcurl.

Mitigating factors: for this to become an issue, the application must be linked against *both* GnuTLS and OpenSSL. This seems quite unlikely, but isn't entirely impossible. Either way, as such the impact of this vulnerability is limited. I cannot easily point out any affected applications.

## Affected version

8.15.0

## Steps To Reproduce:

1. Have an app built against both GnuTLS and OpenSSL.
2. Have the app use `curl_easy_getinfo` with either `CURLINFO_TLS_SESSION` or `CURLINFO_TLS_SSL_PTR`.
3. Have code calling OpenSSL functions when `CURLSSLBACKEND_OPENSSL == info->backend`.

## Supporting Material/References:

* This bug appears to have been added by commit https://github.com/curl/curl/commit/2db8ae480fdcae7f005bf847fbbf837821c8184c
* This report is AI free for your pleasure. Stop the slop!

## Impact

## Summary:

Crash, potential unknown other impacts depending on the application code.

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Submitted

Weakness

Type Confusion