h11 Request Smuggling Vulnerability Due to Improper Chunked-Encoding Parsing
Vulnerability
A request smuggling vulnerability has been identified in h11, a Python implementation of HTTP/1.1, prior to version 0.16.0. The issue arises from a leniency in h11's parsing of line terminators in chunked-coding message bodies, which can lead to exploitation under certain conditions, particularly when a vulnerable h11 is deployed behind a reverse proxy whose own chunked-encoding handling is faulty, so that the two disagree about where one request body ends. The vulnerability allows an attacker to manipulate HTTP requests in a way that can bypass proxy protections and potentially steal session credentials.
Impact
Exploitation of this vulnerability can lead to request smuggling, allowing an attacker to manipulate HTTP requests and responses in a way that can bypass security controls, potentially leading to unauthorized access or actions on the server. In some scenarios, this could include stealing session cookies or credentials from other users.
Reproduction
The vulnerability can be reproduced by sending an HTTP request with chunked transfer encoding whose chunk terminators are malformed, using any tool that allows HTTP request headers and bodies to be edited, such as a custom script or a web application testing tool. The key conditions are an h11 version of 0.15.0 or earlier, and routing the request through a reverse proxy that has a bug in how it handles chunked encoding, such as Pound.
Remediation
Users should upgrade to h11 version 0.16.0 or later, where this vulnerability has been fixed. If upgrading is not possible, the vulnerability can be mitigated by ensuring that the reverse proxy in front of h11 parses chunked encoding strictly and does not have the chunked-encoding parsing bug described above.
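As an added illustration of the check the fix enforces (example code, not h11's own), the following strict decoder for a complete chunked body rejects any chunk-size line or chunk data that is not terminated by exactly CRLF; the sample bodies used to exercise it are constructed.

```python
# Added example (not h11's own code): strict decoder for a complete chunked
# body that requires exactly CRLF after every chunk-size line and every
# chunk's data, the framing h11 before 0.16.0 was lenient about.
import re

CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")  # size [ext] CRLF
TRAILER_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[^\r\n]*\r\n")  # token ":" value CRLF

class ChunkedFramingError(ValueError):
    """Raised for any deviation from the chunked framing rules."""

def decode_chunked_strict(data: bytes) -> bytes:
    """Return the decoded body or raise ChunkedFramingError (match() anchors at pos)."""
    out = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_LINE.match(data, pos)
        if m is None:
            raise ChunkedFramingError(f"bad chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # last-chunk: zero or more trailer fields, then an empty CRLF line
            while not data.startswith(b"\r\n", pos):
                t = TRAILER_LINE.match(data, pos)
                if t is None:
                    raise ChunkedFramingError(f"bad trailer field at offset {pos}")
                pos = t.end()
            pos += 2
            if pos != len(data):
                raise ChunkedFramingError("bytes remain after the last chunk")
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedFramingError("chunk data shorter than declared size")
        pos += size
        # Chunk data must be followed by exactly CRLF; any other terminator is rejected
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedFramingError(f"chunk not CRLF-terminated at offset {pos}")
        pos += 2
        out += chunk

def is_well_framed(data: bytes) -> bool:
    """Accept/reject predicate for a gateway that only needs to filter bodies."""
    try:
        decode_chunked_strict(data)
    except ChunkedFramingError:
        return False
    return True
```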