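/*
 * CVE-2026-8932 - Reliable Safe/Vulnerable Checker
 * Author: Ashraf Zaryouh "0xBlackash"
 * v3 - With version fallback
 *
 * Self-check for a local lab: two easy handles share a connection cache and
 * TLS session cache and request the same URL with the same client
 * certificate but different key passphrases. If the second transfer (wrong
 * passphrase) succeeds after the first one, the library let it through
 * instead of rejecting the bad key.
 *
 * Prerequisites: a TLS test server listening on 127.0.0.1:8443 that asks for
 * a client certificate, plus clientA.crt / clientA.key in the working
 * directory. Without them the dynamic test cannot produce a verdict.
 *
 * Exit status: 0 = safe, 1 = vulnerable, 2 = inconclusive.
 */
/* NOTE(review): the header names were missing from the page; restored from
 * what the code uses (<stdlib.h> is assumed). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>

#define RED     "\033[1;31m"
#define GREEN   "\033[1;32m"
#define YELLOW  "\033[1;33m"
#define RESET   "\033[0m"

/* Lab endpoint. RESOLVE pins the host name to loopback, so the checker never
 * talks to anything but the local test server. */
#define URL     "https://server.test:8443/"
#define RESOLVE "server.test:8443:127.0.0.1"
#define CERT    "clientA.crt"
#define KEY     "clientA.key"

/* libcurl encodes its version as 0xXXYYZZ in version_num. */
#define VER_MATCH_MIN 0x081200u /* 8.18.0 */
#define VER_MATCH_MAX 0x081400u /* 8.20.0 */

enum {
    RC_SAFE = 0,
    RC_VULNERABLE = 1,
    RC_INCONCLUSIVE = 2
};

/* Discards the response body; reporting the full length tells libcurl the
 * data was consumed so the transfer is not aborted. */
static size_t write_cb(char *ptr, size_t size, size_t nmemb, void *data)
{
    (void)ptr;
    (void)data;
    return size * nmemb;
}

/* Builds one easy handle for the lab URL with the given key passphrase.
 * Returns NULL if the handle cannot be created. */
static CURL *make_handle(CURLSH *share, struct curl_slist *resolve,
                         const char *keypass)
{
    CURL *h = curl_easy_init();
    if (!h) {
        return NULL;
    }

    curl_easy_setopt(h, CURLOPT_URL, URL);
    curl_easy_setopt(h, CURLOPT_RESOLVE, resolve);
    /* Server verification is off only because the lab server uses a
     * throwaway certificate and the name is pinned to 127.0.0.1 above.
     * Do not copy these two lines into code that talks to real hosts. */
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 0L);
    curl_easy_setopt(h, CURLOPT_WRITEFUNCTION, write_cb);
    curl_easy_setopt(h, CURLOPT_SHARE, share);
    curl_easy_setopt(h, CURLOPT_SSLCERT, CERT);
    curl_easy_setopt(h, CURLOPT_SSLKEY, KEY);
    curl_easy_setopt(h, CURLOPT_KEYPASSWD, keypass);
    return h;
}

int main(void)
{
    int rc = RC_INCONCLUSIVE;
    CURL *A = NULL;
    CURL *B = NULL;
    CURLSH *share = NULL;
    struct curl_slist *resolve = NULL;

    /* Explicit init pairs with the curl_global_cleanup() at the end. */
    if (curl_global_init(CURL_GLOBAL_DEFAULT) != CURLE_OK) {
        fprintf(stderr, "curl_global_init failed\n");
        return RC_INCONCLUSIVE;
    }

    const curl_version_info_data *info = curl_version_info(CURLVERSION_NOW);

    printf(YELLOW "=== CVE-2026-8932 ===\n" RESET);
    printf("Author: Ashraf Zaryouh \"0xBlackash\"\n");
    printf("Detected: %s\n\n", curl_version());

    /* Version-based fallback.
     * Compares libcurl's own numeric version rather than searching the
     * banner string, which also lists TLS/HTTP backend versions and could
     * match on one of those by accident.
     * NOTE(review): only 8.18.0 - 8.20.0 short-circuit here although the
     * message names 7.7 - 8.20.0; older releases fall through to the dynamic
     * test. Confirm the range against the vendor advisory. A distribution
     * build with a backported fix keeps the upstream version number, so a
     * version match alone can over-report. */
    if (info && info->version_num >= VER_MATCH_MIN &&
        info->version_num <= VER_MATCH_MAX) {
        printf(RED "VULNERABLE (Version match)\n" RESET);
        printf("libcurl 7.7 - 8.20.0 are affected.\n");
        printf("Update to 8.21.0 or newer.\n");
        rc = RC_VULNERABLE;
        goto out;
    }

    /* Dynamic test */
    share = curl_share_init();
    resolve = curl_slist_append(NULL, RESOLVE);
    if (!share || !resolve) {
        fprintf(stderr, "Setup failed: could not allocate share/resolve list\n");
        goto out;
    }

    curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT);
    curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);

    /* A is the baseline (presumably the passphrase that matches clientA.key);
     * B repeats the request with a passphrase that must be rejected. Both
     * values are lab fixtures, not real credentials. */
    A = make_handle(share, resolve, "aaa");
    B = make_handle(share, resolve, "wrong-password");
    if (!A || !B) {
        fprintf(stderr, "Setup failed: could not create easy handles\n");
        goto out;
    }

    CURLcode resA = curl_easy_perform(A);
    CURLcode resB = curl_easy_perform(B);

    if (resA != CURLE_OK) {
        /* Without a working baseline (server down, cert/key file missing)
         * a failing B proves nothing, so do not report SAFE. */
        printf(YELLOW "INCONCLUSIVE" RESET " → Baseline request failed: %s\n",
               curl_easy_strerror(resA));
        rc = RC_INCONCLUSIVE;
    } else if (resB == CURLE_OK) {
        printf(RED "VULNERABLE" RESET " → Both requests succeeded\n");
        rc = RC_VULNERABLE;
    } else {
        printf(GREEN "SAFE" RESET " → Correct rejection of bad key\n");
        /* Show why B failed so the operator can confirm it was a
         * certificate/key error and not an unrelated transfer failure. */
        printf("Second request error: %s\n", curl_easy_strerror(resB));
        rc = RC_SAFE;
    }

out:
    /* Easy handles go first: they still reference the share object. */
    if (A) {
        curl_easy_cleanup(A);
    }
    if (B) {
        curl_easy_cleanup(B);
    }
    if (share) {
        curl_share_cleanup(share);
    }
    curl_slist_free_all(resolve);
    curl_global_cleanup();
    return rc;
}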