CVE-2023-38545.md: add additional info

RyotaK found a way to exploit the bug by crafting a hostname so that the SOCKS connection completes successfully but to a different hostname and port, and possibly arbitrary data is sent to that different host before the "expected" request is sent on that same connection. The impact is limited because control characters and null are not allowed in the hostname. Ref: https://hackerone.com/ryotak?type=user Closes #308
curl · Nov 19, 2023 · 2816fee · 2816fee
1 parent 5698ed9
commit 2816fee
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/docs/CVE-2023-38545.md b/docs/CVE-2023-38545.md
@@ -91,6 +91,22 @@ Severity: High
 
 HackerOne: https://hackerone.com/reports/2187833
 
+ADDITIONAL INFO
+---------------
+
+Since the posting of this advisory, security researcher
+[RyotaK](https://hackerone.com/ryotak?type=user) has
+[notified](https://github.com/curl/curl-www/pull/308) that even if the buffer
+size is large enough to prevent heap overflow an attacker can still use the
+integer overflow of hostname length in conjunction with a crafted hostname
+longer than 255 characters to make the handshake complete successfully.
+
+In this scenario the crafted hostname contains a destination hostname, port and
+arbitrary data. The SOCKS server successfully connects to that host, sends the
+arbitrary data and then curl sends the "expected" request data on that same
+connection. The impact is limited because curl does not allow control
+characters and null in the hostname.
+
 AFFECTED VERSIONS
 -----------------