Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-38545 PoC — curl 缓冲区错误漏洞

Source
https://github.com/dbrugman/CVE-2023-38545-POC
Associated Vulnerability
Title:curl 缓冲区错误漏洞 (CVE-2023-38545)
Description:This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
Description
CVE-2023-38545 POC for the curl command line tool
Readme
# CVE-2023-38545 POC for the curl command line tool

*This POC is based on the earlier POC created by UTsweetyfish, shared in this repository: https://github.com/UTsweetyfish/CVE-2023-38545. Contrary to that POC, this one is for the commandline tool and not the libcurl library, and doesn't require Python and no compilation*

This POC is for the `curl` SOCKS5 heap buffer overflow, and shows how to overflow the receive buffer in the `curl` command line tool. By default, `curl` initializes the receive buffer with a size of 100k, which makes it unsusceptible to CVE-2023-38545. But the size of this buffer can be reduced by setting a rate limit (`--limit-rate`).

To run the POC, first set up a local SOCKS5 proxy using SSH (this requires a locally running SSH server):

```
ssh -fND 10801 localhost
```

Next, run the `poc.sh` scriptt (this requires Netcat (nc) to be installed):

```
./poc.sh
```

It might require several attempts to trigger the buffer overflow. If the overflow is triggered, the script will exit with an error code, and an error message indicating that the execution has been aborted. When the overflow failed, and curl was not impacted, then a message is shown indicating that a host with the name "AAAA...." could not be resolved.

Links:
- https://curl.se/docs/CVE-2023-38545.html
- https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
File Snapshot

 [4.0K]  /data/pocs/749508eaf9e4a3eda377e859ac2cb72b07197d04
├── [ 235]  poc.sh
└── [1.4K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →