
[Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! #76266

Closed
vstinner opened this issue Nov 20, 2017 · 5 comments
Labels
type-security A security issue

Comments

@vstinner
Member

BPO 32085
Nosy @vstinner, @tiran, @vadmium, @csabella, @orangetw
Dependencies
  • bpo-30458: [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)
  • bpo-32185: SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2021-09-21.22:21:09.158>
    created_at = <Date 2017-11-20.14:15:17.542>
    labels = ['type-security']
    title = '[Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!'
    updated_at = <Date 2021-09-21.22:21:09.157>
    user = 'https://github.com/vstinner'

    bugs.python.org fields:

    activity = <Date 2021-09-21.22:21:09.157>
    actor = 'vstinner'
    assignee = 'none'
    closed = True
    closed_date = <Date 2021-09-21.22:21:09.158>
    closer = 'vstinner'
    components = []
    creation = <Date 2017-11-20.14:15:17.542>
    creator = 'vstinner'
    dependencies = ['30458', '32185']
    files = []
    hgrepos = []
    issue_num = 32085
    keywords = []
    message_count = 5.0
    messages = ['306543', '306980', '307418', '313709', '402393']
    nosy_count = 5.0
    nosy_names = ['vstinner', 'christian.heimes', 'martin.panter', 'cheryl.sabella', 'orange']
    pr_nums = []
    priority = 'normal'
    resolution = 'out of date'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue32085'
    versions = []

    @vstinner
    Member Author

    Vulnerabilities described below are likely the ones reported in bpo-30500, but it would be nice to double check if *all* reported vulnerabilities have been fixed!
    http://python-security.readthedocs.io/vuln/bpo-30500_urllib_connects_to_a_wrong_host.html

    --

    At July 27, 2017, Orange Tsai (Security Consultant, DEVCORE) reported vulnerabilities in Python, in the code parsing URLs.

    Conference: https://www.blackhat.com/us-17/briefings/schedule/#a-new-era-of-ssrf---exploiting-url-parser-in-trending-programming-languages-6292
    Slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

    His following blog post only contains the vulnerabilities in Python:
    http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

    Note: His twitter account, https://twitter.com/orange_8361

    == Issue 1 ==

    • CR-LF Injection on HTTP protocol
    • Smuggling SMTP protocol over HTTP protocol

    http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM

    > GET /
    << 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1]
    > HELO orange.tw
    Connection closed

    => "SMTP Hates HTTP Protocol It Seems Unexploitable"

    "Gopher Is Good What If There Is No Gopher Support?"

    "HTTPS What Won't Be Encrypted in a SSL Handshake?"

    == Issue 2 ==

    • HTTPS: What Won't Be Encrypted in a SSL Handshake?
    • Exploit the Unexploitable - Smuggling SMTP over TLS SNI

    https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM...:25/
    (...)

    < HELO orange.tw
    << 250 ubuntu Hello localhost [127.0.0.1], please meet you
    > MAIL FROM: <admin@orange.tw>
    << 250 2.1.0 <admin@orange.tw>... Sender ok

    == Big Picture ==

    Python vulnerable to:

    • Python httplib:
      • CR-LF Injection: Path, Host and SNI
    • Python urllib:
      • CR-LF Injection: Host and SNI
      • Host Injection
    • Python urllib2:
      • CR-LF Injection: Host and SNI

    @vstinner vstinner added the type-security A security issue label Nov 20, 2017
    @vadmium
    Member

    vadmium commented Nov 26, 2017

    The square □ in the strings represents a space.

    Issue 1 (CRLF in HTTP request path): it looks like the %0D%0A would have to be decoded by an earlier step in the chain to "http://127.0.0.1:25/\\r\\nHELO . . .". This becomes like the header injection I mentioned in bpo-30458.

    Issue 2 (CRLF in HTTPS host): it seems this doesn’t work in Python as a side effect of bpo-22928 blocking generation of the Host field. But if you add a space you bypass that: "https://host%0D%0A%20SLAVEOF . . .:6379".
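The following is an added example, not code from this issue, from CPython or from the report it references. It shows the kind of pre-flight validation a client library or an application building outbound requests from user-supplied URLs can apply to the two injection shapes above (issue 1: CR/LF in the request path; issue 2: CR/LF or whitespace in the host that ends up in the Host header and the TLS SNI name), including the space-bypass variant described in the comment just above. All function names are this example's own; the `SLAVEOF` sample is constructed from the elided URL above, and the choice to reject percent-encoded CR/LF in the path (harmless on the wire, dangerous once a later layer decodes it) is this example's policy, not CPython's.

```python
import ipaddress
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote, urlsplit

# ASCII control characters never belong anywhere in a URL that is about to be
# turned into a request line, a Host header or a TLS SNI name.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Inside one component a space is as dangerous as CR/LF: it is what bypassed
# the Host-header suppression discussed in the thread.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
# Conservative DNS hostname syntax: LDH labels of 1-63 chars, optional trailing dot.
_HOSTNAME = re.compile(
    r"^(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)*(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.?$"
)


class UnsafeURL(ValueError):
    """Raised when a URL component could alter the request or the TLS handshake."""


class SafeTarget(NamedTuple):
    scheme: str
    host: str             # exactly what will be sent in the Host header
    port: int
    target: str           # request-target for the request line (path + query)
    sni: Optional[str]    # TLS SNI name, or None for IP literals (cf. bpo-32185)


def _split_netloc(netloc: str):
    """Return (host, port_text) from the raw netloc, discarding any userinfo."""
    hostport = netloc.rpartition("@")[2]
    if hostport.startswith("["):                   # bracketed IPv6 literal
        end = hostport.find("]")
        if end == -1:
            raise UnsafeURL("unterminated IPv6 literal")
        host, rest = hostport[1:end], hostport[end + 1:]
        if rest and not rest.startswith(":"):
            raise UnsafeURL("unexpected text after IPv6 literal")
        return host, rest[1:]
    host, _, port = hostport.partition(":")
    return host, port


def check_host(host: str) -> str:
    """Validate a host for use in Host: and SNI; return 'ip' or 'name'."""
    if not host:
        raise UnsafeURL("empty host")
    # Check the raw text and its percent-decoded form: a proxy, a redirect or an
    # application-level decode may turn %0D%0A back into a real CRLF.
    for form in (host, unquote(host)):
        if _CONTROL_OR_SPACE.search(form):
            raise UnsafeURL(f"control or space character in host: {form!r}")
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    if not _HOSTNAME.match(host):
        raise UnsafeURL(f"not a valid hostname: {host!r}")
    return "name"


def check_port(port_text: str, scheme: str) -> int:
    """Validate an explicit port, or supply the scheme default."""
    if port_text == "":
        return 443 if scheme == "https" else 80
    if not (port_text.isascii() and port_text.isdigit()):
        raise UnsafeURL(f"invalid port: {port_text!r}")
    port = int(port_text)
    if not 0 < port <= 65535:
        raise UnsafeURL(f"port out of range: {port}")
    return port


def check_target(path: str, query: str) -> str:
    """Validate the request-target that follows the method on the request line."""
    target = (path or "/") + ("?" + query if query else "")
    if _CONTROL_OR_SPACE.search(target):
        raise UnsafeURL(f"control or space character in request-target: {target!r}")
    # Policy choice of this example: encoded CR/LF in the path is what issue 1
    # relies on once some earlier step decodes it, so reject it as well.
    if re.search(r"[\r\n]", unquote(target)):
        raise UnsafeURL(f"percent-encoded CR/LF in request-target: {target!r}")
    return target


def check_url(url: str) -> SafeTarget:
    """Parse `url` and return only components that are safe to put on the wire."""
    # Inspect the raw string first: recent urlsplit() silently drops \t, \r and
    # \n, so a check done only after parsing would miss a literal CRLF.
    if _CONTROL.search(url):
        raise UnsafeURL("control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"unsupported scheme: {parts.scheme!r}")
    host, port_text = _split_netloc(parts.netloc)
    kind = check_host(host)
    port = check_port(port_text, parts.scheme)
    target = check_target(parts.path, parts.query)
    sni = host if (parts.scheme == "https" and kind == "name") else None
    return SafeTarget(parts.scheme, host, port, target, sni)


def rejection_reason(url: str) -> Optional[str]:
    """None when the URL passes every check, otherwise the reason it was rejected."""
    try:
        check_url(url)
    except UnsafeURL as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed samples: the two payload shapes from the report, the
    # space-bypass variant, and two benign URLs.
    for sample in (
        "http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM",
        "https://127.0.0.1 %0D%0AHELO orange.tw%0D%0AMAIL FROM...:25/",
        "https://host%0D%0A%20SLAVEOF%20x:6379/",
        "https://example.com/path?q=1",
        "http://[::1]:8080/",
    ):
        print(f"{sample!r}: {rejection_reason(sample) or 'ok'}")
```

Two design points: the raw URL is checked before `urlsplit()` because newer CPython releases strip tab, CR and LF during parsing, which would hide a literal injection from any check performed on the parsed parts; and the `sni` field is `None` for IP literals, matching the direction bpo-32185 took of not sending IP addresses in SNI. This validator addresses request and handshake integrity only; whether a given host or port (loopback, port 25, 6379) should be reachable at all is a separate SSRF allow-list decision.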

    @vadmium
    Member

    vadmium commented Dec 2, 2017

    bpo-32185 proposes to stop sending IP addresses in the TLS SNI protocol. Maybe this will help; it depends if it will catch IP address strings with whitespace or if there are other ways to inject invalid hostnames.

    @csabella
    Contributor

    Since bpo-32185 has been patched, should this one be revisited to see if that solution helped fix this one?

    @vstinner
    Member Author

    No activity for 3 years, I close the issue.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022