cURL
Haxx ad
libcurl

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[curl:bugs] #1251 Form boundary string should be truly random

From: brim <brimston3_at_users.sf.net>
Date: Mon, 24 Jun 2013 13:13:01 +0000

Well, let me explain it by analogy. Software PantsAdministrator uses libcurl to RPC multipart post messages to the Pants backend system. For this example it has two functions Remove_Pants and Store_In_Pocket_For_Significant_Other and it stores which function to call as the last argument of the post message list. The Remove_Pants function is only to be called by the user of PantsAdministrator, but Store_In_Pocket_For_Significant_Other takes a text field argument and proxies the call for an external program. PantsAdministrator is not very clever about curl, so it spawns it in its own process which initializes Curl_srand just before calling the curl_easy post mechanism.

Significant_Other uses the TequilaShots program to predict the formboundary and precisely time the proxy event to the system clock of the machine PantsAdministrator is running on, including a %{formboundary}\r\nRemove_Pants line, which overrides the RPC command. Not knowing it should check for %{formboundary} because it doesn't know what curl will select for it, it passes the text field through unaltered.

The RPC is executed with the permissions of PantsAdministrator and now you are wearing no pants, a win for Significant_Other.

------

Basically, since the calling program doesn't know what libcurl is going to choose as form boundary, it can't be required to test for it and libcurl must test, or choose a suitably random form boundary that is very difficult to guess.

---
** [bugs:#1251] Form boundary string should be truly random**
**Status:** open
**Created:** Mon Jun 24, 2013 11:24 AM UTC by Floris
**Last Updated:** Mon Jun 24, 2013 12:29 PM UTC
**Owner:** nobody
The use of predicatable pseudo-random numbers to generate the multipart/form boundary can lead to security issues in software using libcurl.
See: http://localhost.re/p/solusvm-whmcs-module-316-vulnerability
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.
Received on 2013-06-24

These mail archives are generated by hypermail.

donate! Page updated May 06, 2013.
web site info

File upload with ASP.NET