From 0d7868ccb9a6b242490fcabe46a33f452cfef23b Mon Sep 17 00:00:00 2001
From: "Demi M. Obenour"
Date: Thu, 19 Mar 2020 11:41:39 -0400
Subject: [PATCH 1/2] Add hyper request smuggling vulnerability

---
 crates/hyper/RUSTSEC-2020-0000.toml | 36 +++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 crates/hyper/RUSTSEC-2020-0000.toml

diff --git a/crates/hyper/RUSTSEC-2020-0000.toml b/crates/hyper/RUSTSEC-2020-0000.toml
new file mode 100644
index 000000000..5eaefdd8a
--- /dev/null
+++ b/crates/hyper/RUSTSEC-2020-0000.toml
@@ -0,0 +1,36 @@
+# Before you submit a PR using this template, **please delete the comments**
+# explaining each field, as well as any unused fields.
+
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper"
+date = "2020-03-19"
+title = "Flaw in hyper allows request smuggling by sending a body in GET requests"
+url = "https://github.com/hyperium/hyper/issues/1925"
+categories = ["format-injection"]
+keywords = ["http", "request-smuggling"]
+
+# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
+# Request a CVE for your RustSec vulns: https://iwantacve.org/
+#aliases = ["CVE-2018-XXXX"]
+
+# Enter a short-form description of the vulnerability here (mandatory)
+description = """
+Vulnerable versions of hyper allow GET requests to have bodies, even if there is
+no Transfer-Encoding or Content-Length header. As per the HTTP 1.1
+specification, such requests do not have bodies, so the body will be interpreted
+as a separate HTTP request.
+
+This allows an attacker who can control the body and method of an HTTP request
+made by hyper to inject a request with headers that would not otherwise be
+allowed, as demonstrated by sending a malformed HTTP request from a Substrate
+runtime. This allows bypassing CORS restrictions and may allow remote code
+execution in certain scenarios, such as if there is an exploitable web server
+listening on loopback.
+
+The flaw was corrected in hyper version 0.12.35.
+"""
+
+# Versions which include fixes for this vulnerability (mandatory)
+[versions]
+patched = [">= 0.12.35"]

From 91eed8534666cc93b27fd06bf768d1eb4e28e6ee Mon Sep 17 00:00:00 2001
From: "Demi M. Obenour"
Date: Mon, 30 Mar 2020 18:57:51 -0400
Subject: [PATCH 2/2] Note that another vulnerability is needed for RCE

Also make some trivial changes to pass the linter.

---
 ...TSEC-2020-0000.toml => RUSTSEC-0000-0000.toml} | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)
 rename crates/hyper/{RUSTSEC-2020-0000.toml => RUSTSEC-0000-0000.toml} (59%)
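Review bot: The description never states which side of hyper is affected, so a reader deciding whether a server-only deployment must move to 0.12.35 has to infer it from "an HTTP request made by hyper" in the second paragraph; if the flaw is the HTTP/1 client writing an unframed body onto the connection, say so in the first sentence, e.g. `Vulnerable versions of hyper's HTTP/1 client send the body of a GET request even when the request carries neither a Transfer-Encoding nor a Content-Length header.` Naming the component also makes it possible to add an `[affected]` section once the relevant code path is confirmed, which is what downstream tooling uses to decide whether a dependant is actually exposed. The single `patched = [">= 0.12.35"]` range also presumes that every later release line already carried the fix; if any release of a newer minor line had shipped before the fix was applied there, that line would need its own entry, so confirm against the fix commit before merging.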
diff --git a/crates/hyper/RUSTSEC-2020-0000.toml b/crates/hyper/RUSTSEC-0000-0000.toml
similarity index 59%
rename from crates/hyper/RUSTSEC-2020-0000.toml
rename to crates/hyper/RUSTSEC-0000-0000.toml
index 5eaefdd8a..ff01c8812 100644
--- a/crates/hyper/RUSTSEC-2020-0000.toml
+++ b/crates/hyper/RUSTSEC-0000-0000.toml
@@ -1,6 +1,3 @@
-# Before you submit a PR using this template, **please delete the comments**
-# explaining each field, as well as any unused fields.
-
 [advisory]
 id = "RUSTSEC-0000-0000"
 package = "hyper"
@@ -10,11 +7,6 @@ url = "https://github.com/hyperium/hyper/issues/1925"
 categories = ["format-injection"]
 keywords = ["http", "request-smuggling"]
 
-# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
-# Request a CVE for your RustSec vulns: https://iwantacve.org/
-#aliases = ["CVE-2018-XXXX"]
-
-# Enter a short-form description of the vulnerability here (mandatory)
 description = """
 Vulnerable versions of hyper allow GET requests to have bodies, even if there is
 no Transfer-Encoding or Content-Length header. As per the HTTP 1.1
@@ -24,13 +16,12 @@ as a separate HTTP request.
 This allows an attacker who can control the body and method of an HTTP request
 made by hyper to inject a request with headers that would not otherwise be
 allowed, as demonstrated by sending a malformed HTTP request from a Substrate
-runtime. This allows bypassing CORS restrictions and may allow remote code
-execution in certain scenarios, such as if there is an exploitable web server
-listening on loopback.
+runtime. This allows bypassing CORS restrictions. In combination with other
+vulnerabilities, such as an exploitable web server listening on loopback, it may
+allow remote code execution.
 
 The flaw was corrected in hyper version 0.12.35.
 """
 
-# Versions which include fixes for this vulnerability (mandatory)
 [versions]
 patched = [">= 0.12.35"]
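Review bot: The reworded sentence at the end of the second paragraph frames the RCE precondition as another "vulnerability", but the service receiving the smuggled request need not be vulnerable in its own right — it only has to trust requests by network origin (loopback, an internal network) or by headers the attacker could not otherwise set, which is exactly what smuggling hands the attacker, and that is the condition readers need in order to judge their own exposure. Consider `In combination with a service that trusts requests by network origin (e.g. one bound to loopback) or by headers the attacker could not otherwise set, it may allow remote code execution.` The "bypassing CORS restrictions" claim carried over unchanged may also deserve a qualifier, since CORS is enforced by browsers rather than by an HTTP client; it presumably refers to a comparable header policy applied by the host (here the Substrate runtime), but that is inferred from the text rather than visible in this hunk.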