-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
FreeBSD - curl -- multiple vulnerabilities
25 June 2020
AusCERT Security Bulletin Summary
Operating System: FreeBSD
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
CVE Names: CVE-2020-8177 CVE-2020-8169
- --------------------------BEGIN INCLUDED TEXT--------------------
FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports
curl -- multiple vulnerabilities
7.20.0 <= curl < 7.71.0
VuXML ID 6bff5ca6-b61a-11ea-aef4-08002728f74c
curl security problems:
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the host name
before it resolves it, potentially leaking the partial password over the
network and to the DNS server(s).
libcurl can be given a username and password for HTTP authentication when
requesting an HTTP resource - used for HTTP Authentication such as Basic,
Digest, NTLM and similar. The credentials are set, either together with
CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD.
Important detail: these strings are given to libcurl as plain C strings and
they are not supposed to be URL encoded.
In addition, libcurl also allows the credentials to be set in the URL,
using the standard RFC 3986 format: http://user:password@host/path. In this
case, the name and password are URL encoded as that's how they appear in
If the options are set, they override the credentials set in the URL.
Internally, this is handled by storing the credentials in the "URL object"
so that there is only a single set of credentials stored associated with
this single URL.
When libcurl handles a relative redirect (as opposed to an absolute URL
redirect) for an HTTP transfer, the server is only sending a new path to
the client and that path is applied on to the existing URL. That "applying"
of the relative path on top of an absolute URL is done by libcurl first
generating a full absolute URL out of all the components it has, then it
applies the redirect and finally it deconstructs the URL again into its
This security vulnerability originates in the fact that curl did not
correctly URL encode the credential data when set using one of the
curl_easy_setopt options described above. This made curl generate a badly
formatted full URL when it would do a redirect and the final re-parsing of
the URL would then go bad and wrongly consider a part of the password field
to belong to the host name.
The wrong host name would then be used in a name resolve lookup,
potentially leaking the host name + partial password in clear text over the
network (if plain DNS was used) and in particular to the used DNS server
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when
using -J (--remote-header-name) and -i (--include) in the same command
The command line tool offers the -J option that saves a remote file using
the file name present in the Content-Disposition: response header. curl
then refuses to overwrite an existing local file using the same name, if
one already exists in the current directory.
The -J flag is designed to save a response body, and so it doesn't work
together with -i and there's logic that forbids it. However, the check is
flawed and doesn't properly check for when the options are used in the
reversed order: first using -J and then -i were mistakenly accepted.
The result of this mistake was that incoming HTTP headers could overwrite a
local file if one existed, as the check to avoid the local file was done
first when body data was received, and due to the mistake mentioned above,
it could already have received and saved headers by that time.
The saved file would only get response headers added to it, as it would
abort the saving when the first body byte arrives. A malicious server could
however still be made to send back virtually anything as headers and curl
would save them like this, until the first CRLF-CRLF sequence appears.
(Also note that -J needs to be used in combination with -O to have any
CVE Name CVE-2020-8169
CVE Name CVE-2020-8177
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----