CVE-2022-24766: Mitmproxy 8
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response’s HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request’s body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.
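To make the framing ambiguity behind CVE-2022-24766 concrete, here is an added check (illustration code, not mitmproxy's own parser) that applies the RFC 7230 section 3.3.3 body-length rules to a raw HTTP/1 message and lists the reasons its body length is ambiguous; the sample messages are constructed, and any listed problem is a reason for a proxy to reject the message instead of forwarding it.

```python
"""Check HTTP/1 message framing for the ambiguity that enables request smuggling.

Added illustration, not mitmproxy code: a proxy and the origin server must agree
on where each message body ends, which is exactly what these rules enforce.
"""
import re


def parse_headers(raw: bytes) -> list:
    """Split a raw HTTP/1 message into lowercase (name, value) pairs, keeping duplicates."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"), value.strip().decode("latin-1")))
    return headers


def framing_problems(raw: bytes) -> list:
    """Return the reasons the body length is ambiguous ([] means the framing is unambiguous)."""
    headers = parse_headers(raw)
    # Both repeated headers and comma-separated lists occur in practice, so flatten them.
    cl = [x.strip() for n, v in headers if n == "content-length" for x in v.split(",")]
    te = [x.strip().lower() for n, v in headers if n == "transfer-encoding" for x in v.split(",")]
    problems = []
    if cl and te:
        # Two parties may pick different delimiters for the same bytes: a desync.
        problems.append("both Content-Length and Transfer-Encoding present")
    if te and te[-1] != "chunked":
        # Length is undeterminable; this also catches obfuscated codings such as 'xchunked'.
        problems.append("Transfer-Encoding does not end with 'chunked'")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", x) for x in cl):
        problems.append("non-numeric Content-Length")
    return problems


# Constructed sample messages (not captured traffic).
CLEAN_REQUEST = (
    b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
AMBIGUOUS_REQUEST = (
    b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)
```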
18 Mar 2022, Maximilian Hils (@maximilianhils)
We’re delighted to announce the release of mitmproxy 8, a free and open source interactive HTTPS proxy. This release brings major improvements to mitmweb, our web interface, and new functionality for addon developers.
Web UI Improvements
This release includes a whole bunch of mitmweb improvements, contributed by our fantastic Google Summer of Code 2021 student, Toshiaki Tanaka! Mitmweb now renders TCP and WebSocket flows, offers direct cURL/HTTPie/raw HTTP export, has an experimental command bar, and generally received lots of fine-tuning. On the backend, the entire codebase has been converted to TypeScript. Check out Toshiaki’s blog post for more details!
We are happy to announce that we are again participating in the Google Summer of Code 2022 under the umbrella of the Honeynet project. If you’d like to hack on mitmproxy supported with a nice stipend, check out #5048!
Async Event Hooks
Robert Xiao (@nneonneo) implemented all the low-level plumbing necessary for async event hooks. Addon developers can now simply make their functions async and don’t have to worry about nasty race conditions anymore. 🎉
New TLS Event Hooks
Mitmproxy has new event hooks to signal TLS handshake success and failure for client and server connections. This enables a few interesting use cases around certificate pinning, for example the dynamic exclusion of domains after the first interception failure. If this interests you, take a look at examples/contrib/tls_passthrough.py!
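As an added example (not the project's examples/contrib/tls_passthrough.py), here is an addon that uses the new hooks for the certificate-pinning case described above: after a server's first failed client handshake, later connections to it are relayed without interception. The hook names tls_failed_client and tls_established_client, the ignore_connection attribute of the tls_clienthello data, and context.server.address are assumed from the mitmproxy 8 addon API; the bookkeeping is kept in plain methods so it can be exercised without mitmproxy installed.

```python
"""Adaptive TLS passthrough built on the mitmproxy 8 TLS event hooks.

Added example, not mitmproxy's own tls_passthrough.py. Assumed mitmproxy 8 API:
tls_clienthello gets a ClientHelloData whose ignore_connection can be set to True;
tls_failed_client / tls_established_client get a TlsData with context.server.address.
"""
from __future__ import annotations

import collections
from typing import TYPE_CHECKING

if TYPE_CHECKING:  # annotations only, so the module also imports without mitmproxy
    from mitmproxy import tls


class AdaptiveTlsPassthrough:
    """Stop intercepting a server once the client has rejected our certificate.

    A client handshake that fails after we present a generated certificate usually
    means the client pins its certificate; rather than breaking the app on every
    connection, later connections to that server are relayed without interception.
    """

    def __init__(self, max_failures: int = 1) -> None:
        self.max_failures = max_failures
        self.failures = collections.defaultdict(int)  # (host, port) -> failed handshakes
        self.passthrough = set()  # servers we have given up intercepting

    # Pure bookkeeping, separated from the hooks so it can be tested without mitmproxy.
    def should_passthrough(self, server) -> bool:
        return server in self.passthrough

    def record_failure(self, server) -> bool:
        self.failures[server] += 1
        if self.failures[server] >= self.max_failures:
            self.passthrough.add(server)
        return server in self.passthrough

    def record_success(self, server) -> None:
        self.failures.pop(server, None)  # a working interception resets the failure count

    # Event hooks (names and attributes assumed from the mitmproxy 8 addon API).
    def tls_clienthello(self, data: tls.ClientHelloData) -> None:
        if self.should_passthrough(data.context.server.address):
            data.ignore_connection = True  # relay this connection without interception

    def tls_failed_client(self, data: tls.TlsData) -> None:
        self.record_failure(data.context.server.address)

    def tls_established_client(self, data: tls.TlsData) -> None:
        self.record_success(data.context.server.address)


addons = [AdaptiveTlsPassthrough()]
```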
Security Fixes
- CVE-2022-24766: Fix request smuggling vulnerability reported by @zeyu2001 (@mhils).
Full Changelog
- Support proxy authentication for SOCKS v5 mode (@starplanet)
- Make it possible to ignore connections in the tls_clienthello event hook (@mhils)
- Fix some responses not being decoded properly if the encoding was uppercase (#4735, @Mattwmaster58)
- Trigger event hooks for flows with semantically invalid requests, for example invalid content-length headers (@mhils)
- Improve error message on TLS version mismatch (@mhils)
- Windows: Switch to Python’s default asyncio event loop, which increases the number of sockets that can be processed simultaneously (@mhils)
- Add `client_replay_concurrency` option, which allows more than one client replay request to be in-flight at a time. (@rbdixon)
- New content view which handles gRPC/protobuf. Allows applying custom definitions to visualize different field decodings. Includes an example addon which applies custom definitions for selected gRPC traffic (@mame82)
- Fix a crash caused when editing string option (#4852, @rbdixon)
- Base container image bumped to Debian 11 Bullseye (@Kriechi)
- Upstream replays don’t do CONNECT on plaintext HTTP requests (#4876, @HoffmannP)
- Remove workarounds for old pyOpenSSL versions (#4831, @KarlParkinson)
- Add fonts to asset filter (~a) (#4928, @elespike)
- Fix bug that crashed when using `view.flows.resolve` (#4916, @rbdixon)
- Fix a bug where `running()` is invoked twice on startup (#3584, @mhils)
- Correct documentation example for User-Agent header modification (#4997, @jamesyale)
- Fix random connection stalls (#5040, @EndUser509)
- Add `n` new flow keybind to mitmweb (#5061, @ianklatzco)
- Fix compatibility with BoringSSL (@pmoulton)
- Added `WebSocketMessage.injected` flag (@Prinzhorn)
- Add example addon for saving streamed data to individual files (@EndUser509)
- Change connection event hooks to be blocking. Processing will only resume once the event hook has finished. (@Prinzhorn)
- Reintroduce `Flow.live`, which signals if a flow belongs to a currently active connection. (#4207, @mhils)
- Speculative fix for some rare HTTP/2 connection stalls (#5158, @EndUser509)
- Add ability to specify custom ports with LDAP authentication (#5068, @demonoidvk)
- Add support for rotating saved streams every hour or day (@EndUser509)
- Console Improvements on Windows (@mhils)
- Fix processing of `--set` options (#5067, @marwinxxii)
- Lowercase user-added header names and emit a log message to notify the user when using HTTP/2 (#4746, @mhils)
- Exit early if there are errors on startup (#4544, @mhils)