This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: [Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
Type: security Stage: resolved
Components: Versions:
process
Status: closed Resolution: out of date
Dependencies: 30458 32185 Superseder:
Assigned To: Nosy List: cheryl.sabella, christian.heimes, martin.panter, orange, vstinner
Priority: normal Keywords:

Created on 2017-11-20 14:15 by vstinner, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg306543 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-20 14:15
Vulnerabilities described below are likely these ones reported in bpo-30500, but it would be nice to double check if *all* reported vulnerabilities have been fixed!
http://python-security.readthedocs.io/vuln/bpo-30500_urllib_connects_to_a_wrong_host.html

--

At July 27, 2017, Orange Tsai (Security Consultant, DEVCORE) reported vulnerabilities in Python, in the code parsing URLs.

Conference: https://www.blackhat.com/us-17/briefings/schedule/#a-new-era-of-ssrf---exploiting-url-parser-in-trending-programming-languages-6292
Slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

His following blog post only contains the vulnerabilities in Python:
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

Note: His twitter account, https://twitter.com/orange_8361


== Issue 1 ==

* CR-LF Injection on HTTP protocol
* Smuggling SMTP protocol over HTTP protocol


http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM
>> GET /
<< 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1]
>> HELO orange.tw
Connection closed

=> "SMTP Hates HTTP Protocol It Seems Unexploitable"

"Gopher Is Good What If There Is No Gopher Support?"

"HTTPS What Won't Be Encrypted in a SSL Handshake?"


== Issue 2 ==

* HTTPS: What Won't Be Encrypted in a SSL Handshake?
* Exploit the Unexploitable - Smuggling SMTP over TLS SNI

https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM...:25/
(...)
>< HELO orange.tw
<< 250 ubuntu Hello localhost [127.0.0.1], please meet you
>> MAIL FROM: <admin@orange.tw>
<< 250 2.1.0 <admin@orange.tw>... Sender ok


== Big Picture ==

Python vulnerable to:

* Python httplib:

  * CR-LF Injection: Path, Host and SNI

* Python urllib: 

  * CR-LF Injection: Host and SNI
  * Host Injection

* Python urllib2

  * CR-LF Injection: Host and SNI
msg306980 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2017-11-26 01:00
The square □ in the strings represents a space.

Issue 1 (CRLF in HTTP request path): it looks like the %0D%0A would have to be decoded by an earlier step in the chain to "http://127.0.0.1:25/\r\nHELO . . .". This becomes like the header injection I mentioned in Issue 30458.

Issue 2 (CRLF in HTTPS host): it seems this doesn’t work in Python as a side effect of Issue 22928 blocking generation of the Host field. But if you add a space you bypass that: "https://host%0D%0A%20SLAVEOF . . .:6379".
msg307418 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2017-12-02 00:56
Issue 32185 proposes to stop sending IP addresses in the TLS SNI protocol. Maybe this will help; it depends if it will catch IP address strings with with whitespace or if there are other ways to inject invalid hostnames.
msg313709 - (view) Author: Cheryl Sabella (cheryl.sabella) * (Python committer) Date: 2018-03-12 22:51
Since issue 32185 has been patched, should this one be revisited to see if that solution helped fixed this one?
msg402393 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2021-09-21 22:21
No activity for 3 years, I close the issue.
History
Date User Action Args
2022-04-11 14:58:54adminsetgithub: 76266
2021-09-21 22:21:09vstinnersetstatus: open -> closed
resolution: out of date
messages: + msg402393

stage: resolved
2018-03-12 22:51:24cheryl.sabellasetnosy: + cheryl.sabella, christian.heimes
messages: + msg313709
2017-12-02 00:56:07martin.pantersetdependencies: + SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
messages: + msg307418
2017-11-26 01:00:28martin.pantersetnosy: + orange, martin.panter
dependencies: + [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)
messages: + msg306980
2017-11-20 14:15:17vstinnercreate