CVE-2020-8169: Partial password leak over DNS on HTTP redirect
Severity: Medium
Vulnerability Details
## Summary:
From version 7.62, curl and libcurl leak part of the user's credentials in a plaintext DNS request. This happens when the server redirects (both 301 and 302) to a relative path (eg header 'Location: /login'): the client rebuilds the target URL with the raw credentials in front of the host name, and an '@' inside the password is then taken as the end of the userinfo, so the rest of the password becomes part of the host name that is sent to the resolver. It is NOT an issue in the case of an absolute redirect (eg header 'Location: https://domain.tld/login').
I was able to make curl/libcurl send a password that started with @, but I believe that more abuse is possible with this attack.
What makes it worse is that for, eg, periodically run scripts or daemons that call curl with authorization credentials, this can be triggered by the remote server simply by switching from an absolute to a relative redirect, without any change on the client side.
User secrets are sent in plaintext, so anybody in the middle can record them, and they are sent to the DNS server, where they can be recorded as well.
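The rebuild step that causes the leak, modelled in Python as an added example (this is not curl's code and not part of the report). It reproduces what the verbose log shows: on a relative Location the vulnerable client writes the raw credentials back into the next URL and then treats everything after the first '@' as the host name, so a password containing '@' spills its tail into the DNS query. The hardened variant percent-encodes the credentials before the rebuild. Assumptions: the split-on-first-'@' rule is inferred from the log rather than quoted from curl's parser, the encoding variant is this example's own hardening rather than curl's patch, and the credentials, host and paths are the ones from the report.

```python
"""Model of the redirect-URL rebuild behind CVE-2020-8169 (added example, not curl's code)."""
from urllib.parse import quote, urlsplit, urlunsplit


def rebuild_redirect_url(base_url, user, password, location, encode_creds):
    """Return the URL the modelled client fetches next after 'Location: <location>'.

    encode_creds=False models the vulnerable rebuild, encode_creds=True the hardened one.
    """
    if "://" in location:
        # Absolute redirect: the Location is used as-is and no credentials are
        # written into it, which is why the report found absolute redirects unaffected.
        return location
    base = urlsplit(base_url)
    if encode_creds:
        # safe='' also encodes ':', '/' and '@', so no byte of the password can be
        # mistaken for a URL delimiter ('@S3cr3t' becomes '%40S3cr3t').
        userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    else:
        userinfo = f"{user}:{password}"  # raw copy: '@S3cr3t' keeps its '@'
    netloc = f"{userinfo}@{base.hostname}"
    if base.port:
        netloc += f":{base.port}"
    path = location if location.startswith("/") else "/" + location
    return urlunsplit((base.scheme, netloc, path, "", ""))


def host_to_resolve(url):
    """Host name handed to the resolver when the FIRST '@' is taken as the end of the
    userinfo (the behaviour the report's log shows); a numeric :port suffix is dropped."""
    authority = urlsplit(url).netloc
    if "@" in authority:
        authority = authority.split("@", 1)[1]
    host, sep, port = authority.rpartition(":")
    return host if sep and port.isdigit() else authority


def leaked_password_fragment(base_url, user, password, location, encode_creds=False):
    """Part of the password that ends up inside the resolved name ('' if nothing leaks)."""
    url = rebuild_redirect_url(base_url, user, password, location, encode_creds)
    resolved = host_to_resolve(url)
    real_host = urlsplit(base_url).hostname
    if resolved == real_host:
        return ""
    # resolved has the shape '<tail of password>@<real host>'
    return resolved[: -(len(real_host) + 1)]


if __name__ == "__main__":
    base, user, pw = "https://mareksz.gq/302", "saduser", "@S3cr3t"  # values from the report
    for encode in (False, True):
        url = rebuild_redirect_url(base, user, pw, "/goto302", encode)
        label = "hardened  " if encode else "vulnerable"
        print(f"{label}: {url} -> resolves {host_to_resolve(url)!r}, "
              f"leaks {leaked_password_fragment(base, user, pw, '/goto302', encode)!r}")
    print("absolute  :", rebuild_redirect_url(base, user, pw, "https://mareksz.gq/goto302", False))
```

The model generalises the report's single case: with a password such as `p@ss@word` everything after the first '@' of the password (`ss@word`) lands in the query name, which is why the summary's "password that started with @" is only the simplest trigger.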
## Steps To Reproduce:
1. Use curl > 7.61 (tested on all versions from 7.62 to 7.70 and I was able to exploit it)
2. Find a server with relative redirection (eg https://mareksz.gq/301 or https://mareksz.gq/302)
3. Run 'curl https://mareksz.gq/302 -v -L -u saduser:@S3cr3t'
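A local version of the three steps, as an added example rather than the reporter's procedure: it stands up a throwaway HTTP server on 127.0.0.1 that answers /302 with a relative 'Location: /goto302' and records the Authorization header of whatever reaches /goto302, then runs the curl found on PATH against it with the report's credentials, so no third-party host is needed. Assumptions: plain HTTP instead of HTTPS (the URL rebuild happens before TLS is involved), a curl binary on PATH, a free loopback port and a POSIX /dev/null. A curl affected by CVE-2020-8169 stops with exit code 6 on the mangled host name and never reaches /goto302; an unaffected curl reaches it with the expected Basic header.

```python
"""Local reproduction harness for CVE-2020-8169 (added example, not part of the report)."""
import base64
import shutil
import subprocess
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "saduser", "@S3cr3t"  # credentials from the report's reproduction step
EXPECTED_AUTH = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers /302 with a relative redirect and records what arrives at /goto302."""

    def do_GET(self):
        if self.path == "/302":
            self.send_response(302)
            self.send_header("Location", "/goto302")  # relative, like the report's server
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/goto302":
            self.server.seen.append(self.headers.get("Authorization"))
            body = b"ok\n"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the console quiet
        pass


def probe_curl(curl=None, timeout=15):
    """Run 'curl -L -u' against the local redirector.

    Returns None if curl is missing or loopback cannot be bound, otherwise
    {'exit': rc, 'reached_target': bool, 'auth_ok': bool, 'stderr': str}.
    """
    curl = curl or shutil.which("curl")
    if curl is None:
        return None
    try:
        server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    except OSError:
        return None
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/302"
        proc = subprocess.run(
            [curl, "-sS", "-o", "/dev/null", "--noproxy", "*", "--max-time", str(timeout),
             "-L", "-u", f"{USER}:{PASSWORD}", url],
            capture_output=True, text=True, timeout=timeout + 5)
    finally:
        server.shutdown()
        server.server_close()
    return {
        "exit": proc.returncode,
        "reached_target": bool(server.seen),
        "auth_ok": EXPECTED_AUTH in server.seen,
        "stderr": proc.stderr.strip(),
    }


if __name__ == "__main__":
    result = probe_curl()
    if result is None:
        print("curl not found on PATH (or loopback unavailable)")
    elif result["auth_ok"]:
        print("not affected: /goto302 received the correct Basic credentials")
    else:
        print(f"suspicious: curl exit {result['exit']}, "
              f"reached_target={result['reached_target']}: {result['stderr']}")
```

The `--noproxy "*"` keeps an `http_proxy` environment variable from diverting the loopback request, and `--max-time` bounds the run if the resolver is slow to reject the mangled name.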
## Supporting Material/References:
Logs from running the above steps:
```
/ $ curl -V
curl 7.66.0-DEV (x86_64-pc-linux-gnu) libcurl/7.66.0-DEV OpenSSL/1.1.1d zlib/1.2.11 nghttp2/1.39.2
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
/ $ curl https://mareksz.gq/302 -v -L -u saduser:@S3cr3t
* Trying 194.182.85.202:443...
* TCP_NODELAY set
* Connected to mareksz.gq (194.182.85.202) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=mareksz.gq
*  start date: Apr 27 10:32:33 2020 GMT
*  expire date: Jul 26 10:32:33 2020 GMT
*  subjectAltName: host "mareksz.gq" matched cert's "mareksz.gq"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Server auth using Basic with user 'saduser'
> GET /302 HTTP/1.1
> Host: mareksz.gq
> Authorization: Basic c2FkdXNlcjpAUzNjcjN0
> User-Agent: curl/7.66.0-DEV
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Fri, 15 May 2020 08:32:59 GMT
< Content-Type: text/html
< Content-Length: 138
< Connection: keep-alive
< Location: /goto302
<
* Ignoring the response-body
* Connection #0 to host mareksz.gq left intact
* Issue another request to this URL: 'https://saduser:@S3cr3t@mareksz.gq/goto302'
* Could not resolve host: S3cr3t@mareksz.gq
* Closing connection 1
curl: (6) Could not resolve host: S3cr3t@mareksz.gq
```
Traffic captured with tcpdump (addresses redacted):
```
/ $ tcpdump 'udp' -vv
X.X.X.X:X IP (tos 0x0, ttl 255, id 57291, offset 0, flags [none], proto UDP (17), length 63)
_ > _ : [udp sum ok] 27230+ A? S3cr3t@mareksz.gq. (35)
X.X.X.X:X IP (tos 0x0, ttl 255, id 55686, offset 0, flags [none], proto UDP (17), length 63)
_ > _ : [udp sum ok] 51727+ AAAA? S3cr3t@mareksz.gq. (35)
X.X.X.X:X IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 136)
_ > _ : [udp sum ok] 27230 NXDomain q: A? S3cr3t@mareksz.gq. 0/1/0 ns: gq. SOA a.ns.gq. info.equatorialguineadomains.com. 1589532137 10800 3600 604800 5 (108)
X.X.X.X:X IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 136)
_ > _ : [udp sum ok] 51727 NXDomain q: AAAA? S3cr3t@mareksz.gq. 0/1/0 ns: gq. SOA a.ns.gq. info.equatorialguineadomains.com. 1589532235 10800 3600 604800 5 (108)
```
Attached Wireshark screenshot with leaked creds.
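A detection pass over DNS query logs for the kind of evidence the capture above contains, as an added example that is not part of the report. A legitimate host name only contains letters, digits, '-', '.' and '_', so a query name carrying '@' or ':' is a strong sign that credentials were glued onto a host name the way this bug does. The sample records are constructed from the report's tcpdump -vv lines (the addresses were already redacted there) plus one benign lookup for contrast; the regular expression is written for tcpdump's question-section format and is this example's own.

```python
"""Flag DNS query names that contain characters no host name can carry (added example)."""
import re
from collections import defaultdict

# tcpdump -vv prints the question as "<id>+ A? <name>. (<len>)" in queries and as
# "<id> NXDomain q: A? <name>." in replies; one pattern covers both forms.
QUESTION_RE = re.compile(
    r"\b(?P<qtype>AAAA|A|CNAME|MX|TXT|SRV|PTR)\?\s+(?P<qname>\S+?)\.?(?=\s|$)")
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9._-]+$")

SAMPLE_LINES = [  # constructed sample: the report's four records plus one benign query
    "_ > _ : [udp sum ok] 27230+ A? S3cr3t@mareksz.gq. (35)",
    "_ > _ : [udp sum ok] 51727+ AAAA? S3cr3t@mareksz.gq. (35)",
    "_ > _ : [udp sum ok] 27230 NXDomain q: A? S3cr3t@mareksz.gq. 0/1/0 ns: gq. SOA a.ns.gq. "
    "info.equatorialguineadomains.com. 1589532137 10800 3600 604800 5 (108)",
    "_ > _ : [udp sum ok] 51727 NXDomain q: AAAA? S3cr3t@mareksz.gq. 0/1/0 ns: gq. SOA a.ns.gq. "
    "info.equatorialguineadomains.com. 1589532235 10800 3600 604800 5 (108)",
    "_ > _ : [udp sum ok] 40001+ A? mareksz.gq. (28)",
]


def suspicious_qnames(lines):
    """Map each query name with non-hostname characters to the offending characters,
    the query types seen and the number of records that mentioned it."""
    findings = defaultdict(lambda: {"bad_chars": set(), "qtypes": set(), "records": 0})
    for line in lines:
        m = QUESTION_RE.search(line)
        if not m:
            continue  # not a question line (or not a record type we parse)
        qname = m.group("qname")
        if HOSTNAME_OK.match(qname):
            continue  # ordinary host name, nothing to report
        entry = findings[qname]
        entry["bad_chars"].update(c for c in qname if not HOSTNAME_OK.match(c))
        entry["qtypes"].add(m.group("qtype"))
        entry["records"] += 1
    return dict(findings)


if __name__ == "__main__":
    for qname, info in suspicious_qnames(SAMPLE_LINES).items():
        print(f"{qname!r}: bad chars {sorted(info['bad_chars'])}, "
              f"types {sorted(info['qtypes'])}, {info['records']} records")
```

Run it over `tcpdump -vv` or resolver logs from hosts that run credentialed curl jobs; a hit tells you both that a leak happened and, from the text before the '@', roughly how much of the password went out.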
## Impact
I believe it is rather high. A third party has control over it: part of your credentials is sent over the network in plaintext to the DNS server.
Report Stats
- Report ID: 874778
- State: Closed
- Substate: resolved
- Upvotes: 21