Keypoints
- CVE-2023-38545 is a heap buffer overflow in curl’s SOCKS5 proxy handshake that can overflow data->state.buffer when hostname length checks are bypassed.
- The flaw arises from a state machine logic issue in do_SOCKS5 where remote hostname length validation only occurs in the CONNECT_SOCKS_INIT state, allowing overflow if the state machine is interrupted.
- Affected versions: libcurl 7.69.0 through 8.3.0; fixed in curl 8.4.0 and libcurl >= 8.4.0.
- Exploitation requires specific conditions (very long domain names, usage of socks5h:// or equivalent curl options, and CURLOPT_BUFFERSIZE unset or < 65541) and often attacker control of the destination to trigger a long redirect.
- Successful RCE is non-trivial due to heap allocation variability, ASLR, and lack of reliable memory leaks; many PoCs currently cause crashes but not confirmed exploitation.
- Detection for the curl binary can use behavioral rules (example Falco rule detecting curl spawning child processes while using SOCKS options); detection for libcurl requires monitoring post-exploitation behaviors across processes.
- Recommended detection includes Falco rules for suspicious process spawning and existing rules for post-exploitation actions (searching keys/passwords, adding SSH keys, fileless execution, redirecting streams to network).
MITRE Techniques
- [T1203] Exploitation for Client Execution – Overflowing a heap buffer in the SOCKS5 proxy handshake (“…overflow a heap-based buffer in the SOCKS5 proxy handshake.”).
- [T1190] Exploit Public-Facing Application – Using a controlled HTTP 30X redirect to a very long domain name to trigger the overflow (“…cause an HTTP 30X redirect to a very long domain name in order to overflow the buffer.”).
- [T1059] Command and Scripting Interpreter – Launching child processes from curl with SOCKS options, which is unusual and detected by behavioral rules (“…detect processes which are launched that have curl as a parent process and where curl is using SOCKS5.”).
- [T1083] File and Directory Discovery – Searching for private keys or passwords in the aftermath of compromise (“Search Private Keys or Passwords”).
- [T1041] Exfiltration Over Command and Control Channel – Redirecting STDOUT/STDIN to a network connection in a container to exfiltrate data (“Redirect STDOUT/STDIN to Network Connection in Container”).
- [T1055] Process Injection (Fileless techniques) – Fileless execution via memfd_create to run code in-memory without writing to disk (“Fileless execution via memfd_create”).
Indicators of Compromise
- [Software Versions] vulnerable libcurl range – libcurl 7.69.0 up to and including 8.3.0 (fixed in 8.4.0).
- [File Name] cookie injection artifact – file named “none” (CVE-2023-38546 allows cookie injection using a file named none).
- [URLs / References] technical references and fixes – https://github.com/curl/curl/releases/tag/curl-8_4_0, https://hackerone.com/reports/2187833 (walkthrough), and https://github.com/curl/curl/commit/74d5a6fb3b9a96d9f (introducing commit reference).
The vulnerability stems from a logic error in do_SOCKS5’s state machine: hostname length is validated only in the CONNECT_SOCKS_INIT state per the SOCKS5H specification (max 255 chars), but if the handshake reception is delayed and the function re-enters in CONNECT_SOCKS_READ, the socks5_resolve_local flag can remain set to FALSE and skip the length check, allowing a hostname longer than 255 characters to be processed and overflow a heap buffer (data->state.buffer). A successful exploit requires either control of the destination to produce an HTTP 30X redirect to an oversized domain or control over the domain passed to curl, and is complicated by heap allocation variability, ASLR, and the lack of reliable memory disclosure.
When targeting the curl binary, practical exploitation prerequisites include using socks5h:// (or –socks5-hostname / –proxy / –preproxy with SOCKS5), passing an excessively long domain, and having CURLOPT_BUFFERSIZE unset or set below 65541. The same vulnerability in libcurl makes detection harder because the library can be embedded and configured inside arbitrary processes; these runtime conditions may not be visible to network or process-level detectors.
Detection guidance focuses on behavioral monitoring rather than signature matching. For curl as a binary, a Falco rule can flag when curl (proc.pname=curl) is using SOCKS options (e.g., “–socks”, “-x socks”, “–preproxy socks”, or all_proxy/http(s)_proxy environment entries containing “socks”) and spawns child processes—an uncommon behavior that may indicate exploitation or follow-on malicious activity. For libcurl, monitor post-exploitation actions across hosts/containers using existing Falco rules: searching for private keys/passwords, adding SSH authorized_keys, redirecting stdio to network connections, and fileless execution techniques (memfd_create). Prioritize patching vulnerable libcurl/curl versions (upgrade to 8.4.0+) and applying behavioral detection to catch anomalous execution patterns.
Read more: https://sysdig.com/blog/cve-2023-38545/