Vigil@nce - cURL: incorrect certificate check via IP Wildcard
April 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can invite cURL users to connect to a malicious IP
site, in order to trigger a Man-in-the-Middle.
– Impacted products: cURL, Slackware
– Severity: 2/4
– Creation date: 26/03/2014
DESCRIPTION OF THE VULNERABILITY
The cURL client can access an SSL server either by its IP
address or by its domain name.
An X.509 certificate can contain the '*' character to indicate that
it can be used on servers with the same sub-domain. For example:
w*.example.org
RFC 2818 forbids wildcard characters in certificates for IP
addresses. For example:
*.2.3.4
However, the libcurl library allows these certificates.
An attacker can therefore invite cURL users to connect to a
malicious IP site, in order to trigger a Man-in-the-Middle.
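The following is an added example, not code from cURL or from the bulletin. It shows a host-name matcher written along the lines of RFC 2818: the wildcard must sit in the leftmost label, matches within that one label only, and the pattern must keep at least two further labels. The third parameter switches the IP-literal check on or off so the accepted and the rejected behaviour can be compared side by side. The function names, the use of inet_pton() to detect IP literals, and the sample names are this example's own assumptions; bracketed IPv6 literals are not handled.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>    /* strcasecmp, strncasecmp (POSIX) */
#include <arpa/inet.h>  /* inet_pton, used here to recognise IP literals */

/* True when the requested host is a literal IPv4 or IPv6 address (assumption:
 * plain dotted/colon form, no surrounding brackets). */
static bool is_ip_literal(const char *host) {
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Match a certificate name (CN or dNSName) against the requested host.
 * reject_ip_wildcard = false reproduces the behaviour the bulletin describes
 * (a wildcard such as "*.2.3.4" is compared against an IP address);
 * reject_ip_wildcard = true applies the RFC 2818 rule and refuses it. */
bool cert_name_matches(const char *pattern, const char *host,
                       bool reject_ip_wildcard) {
    /* An exact, case-insensitive match always succeeds. */
    if (strcasecmp(pattern, host) == 0)
        return true;

    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return false;

    /* The check this bulletin is about: wildcards never apply to IP literals. */
    if (reject_ip_wildcard && is_ip_literal(host))
        return false;

    /* The wildcard must be inside the leftmost label, and be the only one. */
    const char *pdot = strchr(pattern, '.');
    if (pdot == NULL || star > pdot || strchr(star + 1, '*') != NULL)
        return false;

    /* Require at least two labels after the wildcard label ("*.org" is refused). */
    if (strchr(pdot + 1, '.') == NULL)
        return false;

    /* The host needs a non-empty leftmost label; everything after it must
     * equal the pattern's remainder, so the wildcard spans exactly one label. */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host || strcasecmp(pdot, hdot) != 0)
        return false;

    /* Within the leftmost label, the text before '*' must be a prefix of the
     * host label and the text after '*' (up to the dot) must be a suffix. */
    size_t prefix_len = (size_t)(star - pattern);
    size_t suffix_len = (size_t)(pdot - star - 1);
    size_t hlabel_len = (size_t)(hdot - host);
    if (hlabel_len < prefix_len + suffix_len)
        return false;
    return strncasecmp(pattern, host, prefix_len) == 0 &&
           strncasecmp(star + 1, hdot - suffix_len, suffix_len) == 0;
}

int main(void) {
    /* Constructed sample names, including the bulletin's two wildcard forms. */
    const char *cases[][2] = {
        { "w*.example.org", "www.example.org" },
        { "*.example.org",  "a.b.example.org" },
        { "*.2.3.4",        "1.2.3.4" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-16s legacy=%d rfc2818=%d\n", cases[i][0], cases[i][1],
               cert_name_matches(cases[i][0], cases[i][1], false),
               cert_name_matches(cases[i][0], cases[i][1], true));
    return 0;
}
```

Running it prints one line per pair; the "*.2.3.4" row is the one where the two modes differ, which is exactly the gap the bulletin reports.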
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/cURL-incorrect-certificate-check-via-IP-Wildcard-14474