
Curl Security Audit - NeutronBoy
https://daniel.haxx.se/blog/2016/11/23/curl-security-audit/
======
zenincognito
Mario and the Cure53 team are a bunch of great people. I learned a lot by reading
a lot of reports from Cure53 published on their website[1]. Their repos on
GitHub are a timesaver when looking for XSS. Filedescriptor[2] is a part of
Cure53 and has some amazing reports on HackerOne.

Mario is as humble as they get in the security scene. Tweet to him or just
follow him generally and you will pick up on how to wreck browser apps.

[1][https://cure53.de/#publications](https://cure53.de/#publications)
[2][http://innerht.ml/](http://innerht.ml/)

------
dorianm
Very impressive results from Cure53: [https://cure53.de/pentest-report_curl.pdf](https://cure53.de/pentest-report_curl.pdf)

    CRL-01-001 Malicious server can inject cookies for other servers (Medium)
    CRL-01-002 ConnectionExists() compares passwords with strequal() (Medium)
    CRL-01-005 OOB write via unchecked multiplication in base64_encode() (High)
    CRL-01-007 Double-free in aprintf() via unsafe size_t multiplication (Medium)
    CRL-01-009 Double-free in krb5 read_data() due to missing realloc() check (High)
    CRL-01-011 FTPS TLS session reuse (Low)
    CRL-01-013 Heap overflow via integer truncation (Medium)
    CRL-01-014 Negative array index via integer overflow in unescape_word() (High)
    CRL-01-021 UAF via insufficient locking for shared cookies (High)
    Miscellaneous Issues
    CRL-01-003 Ambiguity in curl_easy_escape() argument (Low)
    CRL-01-004 Metalink provides an oracle (Info)
    CRL-01-006 Potentially unsafe size_t multiplications (Medium)
    CRL-01-008 %n is supported in format strings (Low)
    CRL-01-010 Slashes and .. are decoded in file URIs (Low)
    CRL-01-012 Only the md5 of the SSH host key fingerprint is checked
    CRL-01-015 Default compile-time options lack support for PIE and RELRO (Low)
    CRL-01-016 Unchecked snprintf() calls (Low)
    CRL-01-017 Permit disabling (insecure) fallbacks (Low)
    CRL-01-018 Null pointer dereference in the RTSP protocol (Low)
    CRL-01-019 nss_init_sslver uses version info from NSS header (Info)
    CRL-01-020 dup_nickname() doesn't check for memory allocation failure (Low)
    CRL-01-022 polarssl_connect_step1() lacks matching unlock (Info)
    CRL-01-023 ssl_thread_setup() leaves mutex buffer partially uninitialised (Info)

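Three of the findings above (CRL-01-005, CRL-01-006 and CRL-01-007) share one root cause: a size_t multiplication used to size a buffer that is never checked for wrap-around. The following is an added illustration written for this thread, not curl's base64 code and not code from the Cure53 report; the output-size formula, the function names and the "Man"/"Ma"/"M" inputs are all constructed. It puts the unchecked computation beside a checked one and shows how an encoder that allocates from the checked size refuses an input length that would otherwise produce an undersized buffer and an out-of-bounds write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration; not curl's implementation. The size formula is a
 * hypothetical one chosen to show the failure mode: a size_t multiplication
 * that wraps for a large input length and yields a buffer that is too small. */

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Vulnerable pattern: the multiply is not checked. For insize near SIZE_MAX the
 * product wraps, so the "required" length is far smaller than the input itself. */
size_t b64_outsize_unchecked(size_t insize)
{
    return (insize / 3 + 1) * 4 + 1;
}

/* Hardened pattern: prove the multiply cannot wrap before doing it. Returns
 * false (and leaves *outsize untouched) when insize is too large to encode. */
bool b64_outsize_checked(size_t insize, size_t *outsize)
{
    size_t groups = insize / 3 + 1;      /* cannot wrap: insize/3 < SIZE_MAX */
    if (groups > (SIZE_MAX - 1) / 4)     /* groups*4 + 1 would exceed SIZE_MAX */
        return false;
    *outsize = groups * 4 + 1;           /* +1 for the terminating NUL */
    return true;
}

/* Encoder that allocates from the checked size. Returns NULL on overflow or
 * allocation failure; the caller frees the result. */
char *b64_encode(const unsigned char *in, size_t insize)
{
    size_t outsize, i, o = 0;
    if (!b64_outsize_checked(insize, &outsize))
        return NULL;
    char *out = malloc(outsize);
    if (!out)
        return NULL;
    for (i = 0; i + 3 <= insize; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = b64tab[(v >> 6) & 63];
        out[o++] = b64tab[v & 63];
    }
    size_t rem = insize - i;             /* 0, 1 or 2 trailing bytes */
    if (rem) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (rem == 2)
            v |= (uint32_t)in[i + 1] << 8;
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = (rem == 2) ? b64tab[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';                       /* o <= 4*groups, so this fits */
    return out;
}

int main(void)
{
    const unsigned char sample[] = "Man";        /* constructed input */
    char *enc = b64_encode(sample, 3);
    printf("%s -> %s\n", sample, enc ? enc : "(null)");
    free(enc);
    printf("unchecked size for SIZE_MAX wraps to %zu\n",
           b64_outsize_unchecked(SIZE_MAX));
    printf("checked encode of SIZE_MAX bytes: %s\n",
           b64_encode(sample, SIZE_MAX) ? "accepted" : "rejected");
    return 0;
}
```

The check is written as a comparison against a precomputed bound rather than as "multiply, then see whether the result shrank", because the latter is itself undefined for signed types and easy to get wrong for unsigned ones; on compilers that provide it, `__builtin_mul_overflow()` expresses the same guard more directly.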
------
sapphire_tomb
I just want to thank Daniel for volunteering his project for this level of
scrutiny, and then putting in the very long hours to address the results of
that process. I know software development is sometimes a thankless task, and I
know he got some rather heavy handed response from Apple when he announced all
these fixes at such "short notice".

~~~
sleepychu
Can you provide more info on the Apple thing? Can't imagine the stance of a
company using a library (for free?) to the library author that would allow any
sort of offence as the "short notice".

------
jzawodn
Awesome to see heavily used (and often embedded) OSS software getting a
sponsored audit like this. I wonder if the same could happen for sqlite and
others.

Given the number of vulnerabilities that "state sponsored" folks are likely to
know about, this seems like a very useful defense and a way to increase
confidence in our building blocks.

~~~
nas
It's great that these bugs have been found and fixed. I'm frightened by this
report however. If a well managed open-source project like Curl has this
number of pretty serious bugs that can be found by skilled auditors, what hope
do we have of securing ourselves against state sponsored attacks? Really no
hope, I think. Given the amount of code on a modern computer, there must be no
shortage of "zero-day" holes they can use.

Maybe this is not news to most informed people. It shocks me though. I know
the situation is bad, just didn't fully grok how bad.

~~~
perlgeek
This is one of the reasons that people are excited about Rust; it promises to
eliminate a whole class of security bugs that are often found in C
applications and libraries. Without having to resort to managed code.

~~~
cesarb
> Without having to resort to managed code.

Even better: gradually replacing parts of the current C code with Rust code is
possible, while keeping the same API and ABI. IIRC, someone is already trying
it with librsvg.

~~~
steveklabnik
[https://people.gnome.org/~federico/news-2016-10.html#25](https://people.gnome.org/~federico/news-2016-10.html#25)

------
throwbsidbdk
I've consistently wondered why cURL is so popular in languages with a solid
web client (almost everything these days). I've used it for quick hacks but
definitely nothing in production.

------
72deluxe
Very interesting, the report PDF makes for interesting and informative
reading.

