Join us

cURL audit: How a joke led to significant findings

@faun ・ Apr 19,2023

The Trail of Bits team audited cURL.

They discovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks through fuzzing cURL's command-line interface (CLI). They used AFL++ fuzzer to generate a large amount of random input data for cURL's CLI and identified vulnerabilities that were fixed in cURL 7.86.0 and 7.87.0.

They also created a Dockerfile to help developers set up a fuzzing harness to immediately fuzz cURL's CLI arguments.

The team notes that CLI exploitation has a relatively limited attack surface but can result in privilege escalation if the affected tool is a SUID binary.

Let's keep in touch!

Stay updated with my latest posts and news. I share insights, updates, and exclusive content.

Unsubscribe anytime. By subscribing, you share your email with @faun and accept our Terms & Privacy.

Give a Pawfive to this post!

Only registered users can post comments. Please, login or signup.

Share with your friends and followers

Start writing about what excites you in tech — connect with developers, grow your voice, and get rewarded.

Join other developers and claim your FAUN.dev() account now!

Publish your first story!

The FAUN

FAUN.dev()

@faun

The FAUN watches over the forest of developers. It roams between Kubernetes clusters, code caves, AI trails, and cloud canopies, gathering the signals that matter and clearing out the noise.