{“lastseen”:”2025-12-29T16:25:46″,”description”:”## Summary\\n\\nA buffer pointer underflow vulnerability exists in curl’s telnet protocol handler (`lib\/telnet.c`). When processing telnet suboptions in the `CURL_TS_SE` state, the code unconditionally decrements the suboption buffer pointer by 2 (`subpointer -= 2`), even when the `CURL_SB_ACCUM` macro skips writing due to a full buffer. This leads to an out-of-bounds read when `suboption()` and `printsub()` are subsequently called.\\n\\n## Affected Version\\n\\n- All curl versions with telnet support containing this code pattern\\n- Tested on latest curl source from GitHub (master branch)\\n- File: `lib\/telnet.c`\\n- Vulnerable lines: 1210 and 1226\\n\\n## Technical Analysis\\n\\n### Vulnerable Code Pattern\\n\\nIn `lib\/telnet.c`, the `CURL_SB_ACCUM` macro (lines 69-73) conditionally writes to the buffer:\\n\\n“`c\\n#define CURL_SB_ACCUM(x, c) \\\\\\n do { \\\\\\n if(x-\\u003esubpointer \\u003c (x-\\u003esubbuffer + sizeof(x-\\u003esubbuffer))) \\\\\\n *x-\\u003esubpointer++ = (c); \\\\\\n } while(0)\\n“`\\n\\nHowever, in the `CURL_TS_SE` state handling (lines 1207-1211 and 1223-1227), the pointer decrement is unconditional:\\n\\n**Path 1 (line 1207-1211):**\\n“`c\\nCURL_SB_ACCUM(tn, CURL_IAC);\\nCURL_SB_ACCUM(tn, c);\\ntn-\\u003esubpointer -= 2; \/\/ UNCONDITIONAL – causes underflow when buffer is full\\nCURL_SB_TERM(tn);\\n“`\\n\\n**Path 2 (line 1223-1227):**\\n“`c\\nCURL_SB_ACCUM(tn, CURL_IAC);\\nCURL_SB_ACCUM(tn, CURL_SE);\\ntn-\\u003esubpointer -= 2; \/\/ UNCONDITIONAL – causes underflow when buffer is full\\nCURL_SB_TERM(tn);\\n“`\\n\\n### Exploitation Flow\\n\\n1. Malicious telnet server sends suboption data to fill the 512-byte buffer (`SUBBUFSIZE`)\\n2. Server sends `IAC` followed by another byte while buffer is full\\n3. `CURL_SB_ACCUM` macro does nothing (buffer full check passes)\\n4. `subpointer -= 2` executes unconditionally, causing pointer underflow\\n5. `CURL_SB_TERM` sets `subend = subpointer` (now pointing before buffer start)\\n6. `suboption()` is called with corrupted pointer\\n7. `CURL_SB_LEN` macro calculates negative\/wrapped length\\n8. `printsub()` reads out-of-bounds memory in verbose mode\\n\\n### Memory Layout (struct TELNET)\\n\\n“`c\\nstruct TELNET {\\n \/\/ … other fields …\\n struct dynbuf out; \/\/ Contains heap pointers\\n unsigned char subbuffer[512]; \/\/ The suboption buffer\\n unsigned char *subpointer; \/\/ Points into subbuffer\\n unsigned char *subend; \/\/ End marker\\n \/\/ …\\n};\\n“`\\n\\nWhen `subpointer` underflows, it points to the `dynbuf out` structure, which contains heap pointers that may be leaked.\\n\\n## Steps To Reproduce\\n\\n1. Save the attached PoC script as `curl_telnet_poc.py`\\n\\n2. Run the malicious telnet server:\\n“`bash\\npython3 curl_telnet_poc.py -p 2323\\n“`\\n\\n3. In another terminal, connect with curl in verbose mode:\\n“`bash\\ncurl -v telnet:\/\/127.0.0.1:2323\\n“`\\n\\n4. Observe the verbose output for:\\n – Anomalous suboption data in the output\\n – Potential non-printable characters indicating memory leak\\n – Possible crash (depending on memory layout)\\n\\n5. For better observation, build curl with AddressSanitizer:\\n“`bash\\n.\/configure CFLAGS=\\”-fsanitize=address -g\\”\\nmake\\n.\/src\/curl -v telnet:\/\/127.0.0.1:2323\\n“`\\n\\nASan should report an out-of-bounds read.\\n\\n## Supporting Material\/References\\n\\n- Attached: `curl_telnet_poc.py` – Python PoC server script\\n- Source file: https:\/\/github.com\/curl\/curl\/blob\/master\/lib\/telnet.c\\n- Vulnerable lines: 1210, 1226\\n- Related macros: lines 63-76 (CURL_SB_CLEAR, CURL_SB_TERM, CURL_SB_ACCUM, CURL_SB_GET, CURL_SB_LEN)\\n“`\\n\\n## Impact\\n\\n## Impact\\n\\n### Security Impact\\n\\n1. **Information Disclosure (Low-Medium)**: When curl is run in verbose mode (`-v`), the `printsub()` function may read and display memory contents from before the suboption buffer. This could potentially leak:\\n – Heap pointers (useful for ASLR bypass in chained exploits)\\n – Contents of the `dynbuf out` structure\\n – Other sensitive data in adjacent memory\\n\\n2. **Denial of Service (Low)**: Depending on memory layout and access patterns, the out-of-bounds read could cause a crash.\\n\\n### Attack Scenario\\n\\nAn attacker controlling a malicious telnet server could:\\n1. Wait for a victim to connect using `curl -v telnet:\/\/malicious-server`\\n2. Send crafted telnet suboption data to trigger the vulnerability\\n3. Potentially observe leaked memory contents in error messages or logs\\n4. Use leaked heap pointers to aid in exploiting other vulnerabilities\\n\\n### Limitations\\n\\n- Requires victim to connect to attacker-controlled telnet server\\n- Most impactful in verbose mode (`-v` flag)\\n- Telnet protocol is deprecated and rarely used\\n- No direct code execution capability”,”published”:”2025-12-28T16:15:31″,”modified”:”2025-12-29T15:46:46″,”type”:”hackerone”,”title”:”curl: Telnet Suboption Buffer Pointer Underflow in lib\/telnet.c leads to Out-of-Bounds Read”,”source”:””,”references”:””,”id”:”H1:3480712″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3480712″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-29T16:25:46″,”description”:”## Summary\\n\\nA buffer pointer underflow vulnerability exists in curl’s telnet protocol handler (`lib\/telnet.c`). When processing telnet suboptions in the `CURL_TS_SE` state, the code unconditionally decrements…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-33129","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n