Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3671818 by arkss
libcurl keeps a stale data->state.aptr.cookiehost after a request that uses a custom Host: header. On later requests on the same easy handle, when no custom Host: is used, libcurl still reuses that stale value for outgoing cookie selection (lib/http.c:2560-2563) and incoming Set-Cookie attribution (lib/http.c:3561-3567). The stale state is set from the custom-Host: path in lib/http.c:2030-2065 and is not cleared in the non-custom-host path at lib/http.c:2075-2089. I reproduced this on curl 8.19.0 / libcurl 8.19.0 on x86_64 Linux. In the attached PoC, a cookie seeded for victim.internal is leaked to attacker.test, the attacker injects poison=EVIL into the victim jar, and that poisoned cookie is then replayed back to victim.internal on a third request. A ZIP with the PoC source, server script, captured logs, and a fuller write-up is attached.
Reproduced on:
curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.5.5 zlib/1.3.1 brotli/1.2.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.68.1 ngtcp2/1.21.0 nghttp3/1.15.0 librtmp/2.3 mit-krb5/1.22.1 OpenLDAP/2.6.10
Platform:
Linux x86_64
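The following is an added model of the three-request sequence described in the report; it is not code from the report's PoC and not libcurl source. The `CookieJar` and `EasyHandle` classes, the `reset_per_request` switch (standing in for clearing the cookie host on the non-custom-Host path) and the `run_scenario` helper are constructed stand-ins for the real state; the host names and cookie values are the report's placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the reported behaviour: a per-handle "cookiehost" that
# is set when a custom Host: header is used and, in the stale variant, never
# cleared on later requests without one. This is an illustration, not libcurl.


@dataclass
class CookieJar:
    """Per-host cookie store, keyed by the host a cookie is attributed to."""
    store: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def seed(self, host: str, name: str, value: str) -> None:
        self.store.setdefault(host, {})[name] = value

    def for_host(self, host: str) -> Dict[str, str]:
        return dict(self.store.get(host, {}))


@dataclass
class EasyHandle:
    """Models a reused easy handle. `cookiehost` stands in for the stale
    data->state.aptr.cookiehost value the report describes."""
    jar: CookieJar
    cookiehost: Optional[str] = None
    reset_per_request: bool = False  # hypothetical fix: clear on the non-custom-Host path

    def request(self, url_host: str, custom_host: Optional[str] = None,
                set_cookie: Optional[Tuple[str, str]] = None) -> Dict[str, object]:
        if custom_host is not None:
            # custom Host: path: the cookie host follows the header value
            self.cookiehost = custom_host
        elif self.reset_per_request:
            # fixed variant: forget the previous request's custom host
            self.cookiehost = None
        # stale variant: a cookiehost left over from an earlier request wins over the URL host
        effective = self.cookiehost if self.cookiehost is not None else url_host
        sent = self.jar.for_host(effective)            # outgoing cookie selection
        if set_cookie is not None:
            name, value = set_cookie
            self.jar.seed(effective, name, value)      # incoming Set-Cookie attribution
        return {"url_host": url_host, "cookie_host": effective, "sent": sent}


def run_scenario(reset_per_request: bool) -> List[Dict[str, object]]:
    """Seed a victim cookie, then replay the report's three requests on one handle."""
    jar = CookieJar()
    jar.seed("victim.internal", "session", "secret")          # constructed victim cookie
    h = EasyHandle(jar, reset_per_request=reset_per_request)
    r1 = h.request("victim.internal", custom_host="victim.internal")   # custom Host: used
    r2 = h.request("attacker.test", set_cookie=("poison", "EVIL"))     # no custom Host:
    r3 = h.request("victim.internal")                                  # no custom Host:
    return [r1, r2, r3]


def cookie_leaked_to_attacker(results: List[Dict[str, object]]) -> bool:
    """True if the victim's cookie was selected for the attacker.test request."""
    return "session" in results[1]["sent"]


def poison_replayed_to_victim(results: List[Dict[str, object]]) -> bool:
    """True if the attacker's Set-Cookie was later sent to victim.internal."""
    return results[2]["sent"].get("poison") == "EVIL"


if __name__ == "__main__":
    for label, fix in (("stale cookiehost kept", False), ("cookiehost reset per request", True)):
        res = run_scenario(fix)
        print(f"{label}: request 2 cookie host={res[1]['cookie_host']} "
              f"leak={cookie_leaked_to_attacker(res)} replay={poison_replayed_to_victim(res)}")
```

With the stale state kept, request 2 selects cookies for victim.internal even though the URL host is attacker.test, and the attacker's Set-Cookie lands in the victim's slot of the jar; with the cookie host reset on the non-custom-Host path, request 2 is attributed to attacker.test and request 3 sends only the victim's own cookie.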
HackerOne disclosed report --> https://hackerone.com/reports/3697719 by xkilua
HackerOne disclosed report --> https://hackerone.com/reports/3669637 by joesephdiver
HackerOne disclosed report --> https://hackerone.com/reports/3642555 by quaccws