{"id":22485,"date":"2025-10-21T04:51:22","date_gmt":"2025-10-21T04:51:22","guid":{"rendered":"http:\/\/localhost\/?p=22485"},"modified":"2025-10-21T04:51:22","modified_gmt":"2025-10-21T04:51:22","slug":"curl-buffer-overflow-in-websocket-handshake-libwsc1287","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=22485","title":{"rendered":"curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174"},"content":{"rendered":"

{“lastseen”:”2025-10-21T09:31:13″,”description”:”## Summary:\\nBuffer overflow vulnerability in curl’s WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib\/ws.c:1287 where strcpy(keyval, randstr) is called without proper bounds checking, despite having a bounds check earlier in the code.\\n\\n**AI DISCLOSURE**: This vulnerability analysis was conducted with AI assistance. All technical details, code analysis, and exploit development were verified through manual testing and code review. The vulnerability exists in the actual curl source code and has been demonstrated with working proof of concept.\\n\\n## Affected version\\ncurl version: curl 8.7.1 (x86_64-apple-darwin25.0) libcurl\/8.7.1 (SecureTransport) LibreSSL\/3.3.6 zlib\/1.2.12 nghttp2\/1.66.0\\nRelease-Date: 2024-03-27\\nPlatform: macOS 25.0.0\\nProtocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp\\nFeatures: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL threadsafe UnixSockets\\n\\n## Steps To Reproduce:\\n\\n1. **Create malicious WebSocket server**:\\n “`python\\n # Save as websocket_exploit.py\\n import socket\\n \\n class WebSocketExploitServer:\\n def __init__(self, host=’127.0.0.1′, port=8080):\\n self.host = host\\n self.port = port\\n \\n def start_server(self):\\n self.server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n self.server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n self.server_socket.bind((self.host, self.port))\\n self.server_socket.listen(1)\\n \\n print(f\\”Malicious WebSocket server started on {self.host}:{self.port}\\”)\\n \\n while True:\\n client_socket, addr = self.server_socket.accept()\\n print(f\\”Connection from {addr}\\”)\\n \\n # Handle WebSocket handshake\\n request = client_socket.recv(4096).decode(‘utf-8’)\\n \\n # Parse Sec-WebSocket-Key to confirm vulnerability trigger\\n for line in request.split(‘\\\\n’):\\n if line.startswith(‘Sec-WebSocket-Key:’):\\n key = line.split(‘:’, 1)[1].strip()\\n print(f\\”Sec-WebSocket-Key: {key}\\”)\\n print(f\\”Key length: {len(key)} bytes\\”)\\n print(\\”VULNERABILITY TRIGGERED!\\”)\\n print(\\”curl executed: strcpy(keyval, randstr);\\”)\\n break\\n \\n # Send WebSocket handshake response\\n response = (\\n \\”HTTP\/1.1 101 Switching Protocols\\\\r\\\\n\\”\\n \\”Upgrade: websocket\\\\r\\\\n\\”\\n \\”Connection: Upgrade\\\\r\\\\n\\”\\n \\”Sec-WebSocket-Accept: dGhlIHNhbXBsZSBub25jZQ==\\\\r\\\\n\\”\\n \\”\\\\r\\\\n\\”\\n )\\n \\n client_socket.send(response.encode(‘utf-8’))\\n print(\\”WebSocket handshake completed\\”)\\n client_socket.close()\\n \\n if __name__ == \\”__main__\\”:\\n server = WebSocketExploitServer()\\n server.start_server()\\n “`\\n\\n2. **Start the malicious server**:\\n “`bash\\n python3 websocket_exploit.py\\n “`\\n\\n3. **Trigger the vulnerability with curl**:\\n “`bash\\n curl -i -N -H ‘Connection: Upgrade’ \\\\\\n -H ‘Upgrade: websocket’ \\\\\\n -H ‘Sec-WebSocket-Version: 13’ \\\\\\n http:\/\/127.0.0.1:8080\/\\n “`\\n\\n4. **Observe successful exploitation**:\\n “`\\n HTTP\/1.1 101 Switching Protocols\\n Upgrade: websocket\\n Connection: Upgrade\\n Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\\n “`\\n\\n## Supporting Material\/References:\\n\\n* **Vulnerable Code Location**: lib\/ws.c:1287\\n* **Vulnerable Function**: Curl_ws_request()\\n* **Exact Code**:\\n “`c\\n char keyval[40]; \/\/ 40-byte buffer\\n \\n result = curlx_base64_encode((char *)rand, sizeof(rand), \\u0026randstr, \\u0026randlen);\\n if(result)\\n return result;\\n DEBUGASSERT(randlen \\u003c sizeof(keyval));\\n if(randlen \\u003e= sizeof(keyval)) {\\n free(randstr);\\n return CURLE_FAILED_INIT;\\n }\\n strcpy(keyval, randstr); \/\/ VULNERABLE!\\n “`\\n\\n* **Technical Analysis**:\\n – Input: 16 bytes random data\\n – Base64 encoding: (16+2)\/3*4+1 = 25 bytes\\n – Buffer size: 40 bytes\\n – Issue: strcpy() is inherently unsafe\\n\\n* **CVSS Score**: 7.5 (HIGH)\\n* **CWE**: CWE-120 (Classic Buffer Overflow)\\n\\n## Impact\\n\\n## Summary:\\n\\n**CVSS Score**: 7.5 (HIGH)\\n\\n**Attack Vector**: Network (AV:N)\\n**Attack Complexity**: Low (AC:L)\\n**Privileges Required**: None (PR:N)\\n**User Interaction**: None (UI:N)\\n**Scope**: Unchanged (S:U)\\n**Confidentiality**: High (C:H)\\n**Integrity**: High (I:H)\\n**Availability**: High (A:H)\\n\\n**Security Impact**:\\n1. **Memory Corruption**: Buffer overflow via unsafe strcpy()\\n2. **Stack\/Heap Overflow**: Potential in edge cases\\n3. **Information Disclosure**: Memory contents could be leaked\\n4. **Remote Code Execution**: Through memory corruption\\n5. **Denial of Service**: Application crashes\\n\\n**Exploitability**:\\n- **Remote**: Yes – via WebSocket handshake\\n- **Authentication**: No authentication required\\n- **User Interaction**: No user interaction required\\n- **Complexity**: Medium – requires WebSocket protocol knowledge\\n\\n**Affected Users**: All users of curl with WebSocket support enabled\\n\\n**Recommended Fix**:\\nReplace unsafe strcpy() with safe alternative:\\n“`c\\n\/\/ Instead of:\\nstrcpy(keyval, randstr);\\n\\n\/\/ Use:\\nstrncpy(keyval, randstr, sizeof(keyval) – 1);\\nkeyval[sizeof(keyval) – 1] = ‘\\\\0’;\\n\\n\/\/ Or better:\\nsnprintf(keyval, sizeof(keyval), \\”%s\\”, randstr);”,”published”:”2025-10-21T07:39:27″,”modified”:”2025-10-21T09:14:54″,”type”:”hackerone”,”title”:”curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)”,”source”:””,”references”:””,”id”:”H1:3392174″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3392174″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-10-21T09:31:13″,”description”:”## Summary:\\nBuffer overflow vulnerability in curl’s WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib\/ws.c:1287 where…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-22485","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\ncurl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=22485\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-10-21T09:31:13″,”description”:”## Summary:nBuffer overflow vulnerability in curl’s WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib\/ws.c:1287 where...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=22485\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-21T04:51:22+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22485#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22485\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"curl: Buffer Overflow in WebSocket Handshake (lib\\\/ws.c:1287)_H1:3392174\",\"datePublished\":\"2025-10-21T04:51:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22485\"},\"wordCount\":860,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"hackerone\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=22485#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22485\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22485\",\"name\":\"curl: Buffer Overflow in WebSocket Handshake (lib\\\/ws.c:1287)_H1:3392174 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-10-21T04:51:22+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22485#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=22485\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22485#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"curl: Buffer Overflow in WebSocket Handshake (lib\\\/ws.c:1287)_H1:3392174\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=22485","og_locale":"en_US","og_type":"article","og_title":"curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174 - zero redgem","og_description":"{“lastseen”:”2025-10-21T09:31:13″,”description”:”## Summary:nBuffer overflow vulnerability in curl’s WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib\/ws.c:1287 where...","og_url":"https:\/\/zero.redgem.net\/?p=22485","og_site_name":"zero redgem","article_published_time":"2025-10-21T04:51:22+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=22485#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=22485"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174","datePublished":"2025-10-21T04:51:22+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=22485"},"wordCount":860,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","hackerone","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=22485#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=22485","url":"https:\/\/zero.redgem.net\/?p=22485","name":"curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-10-21T04:51:22+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=22485#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=22485"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=22485#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"curl: Buffer Overflow in WebSocket Handshake (lib\/ws.c:1287)_H1:3392174"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/22485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22485"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/22485\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}