VYPR
Unrated severity · NVD Advisory · Published Aug 1, 2018 · Updated Apr 15, 2026

CVE-2016-8620

Description

The curl tool's globbing feature before version 7.51.0 contains an integer overflow vulnerability that can lead to out-of-bounds memory access via user-controlled range inputs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

curl's 'globbing' feature in tool_urlglob.c lets users specify numerical or alphabetical ranges (e.g., [1-5] or [a-z]). Two flaws exist. First, the parser for the second (unsigned) number of a numerical range does not check for a leading minus sign, so a range such as [1--1] converts -1 to the maximum unsigned long; the resulting integer overflow leads to an out-of-bounds write on the heap after many iterations. Second, when an alphabetical range ends with a dangling hyphen, such as [L-], the code reads 5 bytes from a buffer that may be only 4 bytes long, causing an out-of-bounds read. The flaw is in the curl command-line tool only, not in libcurl. Affected versions: curl 7.34.0 up to and including 7.50.3. Unaffected: versions before 7.34.0, and 7.51.0 and later. [3][4]

Exploitation

An attacker can exploit this by providing a crafted URL with a malicious range (e.g., [1--1] or [L-]) to a user running curl. No authentication is required; user interaction (running curl with the crafted URL) is sufficient. The curl tool processes the range, triggering the integer overflow or out-of-bounds read without any special privileges. [3][4]

Impact

Successful exploitation can lead to a heap-based buffer overflow (write) or out-of-bounds read, potentially allowing denial of service or arbitrary code execution in the context of the curl process. The vulnerability is rated as Medium severity. [3][4]

Mitigation

Fixed in curl version 7.51.0, released on November 2, 2016. The fix is implemented in commit fbb5f1aa0326d485d5a7ac643. Users should upgrade to curl 7.51.0 or later. Workarounds include disabling globbing (if possible) or manually validating range inputs. Red Hat and other vendors have backported fixes to their supported versions. [1][3][4]
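As an added example for this page (not curl's own tool_urlglob.c code), the validator below implements the range checks that the two flaws described under Vulnerability and the "manually validating range inputs" workaround call for: a numerical bound must start with a digit, so "[1--1]" is rejected instead of being wrapped to ULONG_MAX, and each byte of an alphabetical range is tested before the next one is read, so "[L-]" is rejected instead of read past the end of the buffer. Function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* strtoul() accepts a leading '-' and wraps "-1" to ULONG_MAX, the root
 * cause of the overflow above, so insist that the number starts with a digit. */
static bool strict_ulong(const char *s, char **end, unsigned long *out)
{
    if (!isdigit((unsigned char)*s))
        return false;
    errno = 0;
    *out = strtoul(s, end, 10);
    return errno == 0;          /* ERANGE on an oversized number also fails */
}

/* Optional ":step" suffix, then the closing ']' must end the string. */
static bool tail_ok(const char *s)
{
    unsigned long step;
    char *end;
    if (*s == ':') {
        if (!strict_ulong(s + 1, &end, &step) || step == 0)
            return false;
        s = end;
    }
    return s[0] == ']' && s[1] == '\0';
}

/* Validate a curl-style glob range such as "[1-5]", "[a-z]" or "[01-10:2]".
 * Rejects a signed second bound ("[1--1]") and a dangling hyphen ("[L-]").
 * Hypothetical helper written for this page, not curl's tool_urlglob.c parser. */
bool glob_range_is_valid(const char *pat)
{
    unsigned long lo, hi;
    char *end;
    if (pat[0] != '[')
        return false;
    if (isalpha((unsigned char)pat[1])) {
        /* "[L-]" stops at the missing upper bound; no byte past NUL is read */
        if (pat[2] != '-' || !isalpha((unsigned char)pat[3]))
            return false;
        return (unsigned char)pat[1] <= (unsigned char)pat[3] && tail_ok(pat + 4);
    }
    if (!strict_ulong(pat + 1, &end, &lo) || *end != '-')
        return false;
    if (!strict_ulong(end + 1, &end, &hi))   /* "[1--1]": '-' is not a digit */
        return false;
    return lo <= hi && tail_ok(end);
}
```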

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
