Cap'n Proto KJ-HTTP Library Content-Length Integer Overflow Vulnerability Allowing HTTP Smuggling

Vulnerability

A vulnerability exists in the KJ-HTTP library, which is part of the Cap'n Proto data interchange format and RPC system, prior to version 1.4.0. The issue arises from a negative 'Content-Length' value being incorrectly converted to an unsigned integer, resulting in an excessively large length. This flaw could potentially facilitate HTTP request/response smuggling. Additionally, when 'Transfer-Encoding: chunked' is used, chunk sizes of 2^64 or larger are truncated to fit within a 64-bit integer, a second parsing inconsistency that could be abused under specific conditions.
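The two defects described above are both length-parsing problems: a signed parse followed by a cast to unsigned turns "-1" into 2^64-1, and a hex parse that silently wraps turns a 17-digit chunk size into a small number. The following C++ is an added illustration, not KJ-HTTP's code, of the unsafe conversion next to a strict parser that accepts only the grammar RFC 9110/9112 allow (Content-Length = 1*DIGIT, chunk-size = 1*HEXDIG) and rejects overflow instead of wrapping. Function names and the use of std::optional are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdlib>
#include <optional>
#include <string>
#include <string_view>

// Illustration of the bug class (hypothetical, not the library's code):
// parse as signed, then cast to unsigned. "-1" becomes 18446744073709551615.
uint64_t naiveContentLength(std::string_view value) {
    long long n = std::strtoll(std::string(value).c_str(), nullptr, 10);
    return static_cast<uint64_t>(n);
}

// Strict Content-Length: decimal digits only, no sign, no whitespace,
// and a multiply-add that refuses to overflow a uint64_t.
std::optional<uint64_t> parseContentLength(std::string_view value) {
    if (value.empty()) return std::nullopt;
    uint64_t n = 0;
    for (char c : value) {
        if (c < '0' || c > '9') return std::nullopt;   // rejects "-1", "+5", " 7"
        uint64_t d = static_cast<uint64_t>(c - '0');
        if (n > (UINT64_MAX - d) / 10) return std::nullopt;  // n*10 + d would overflow
        n = n * 10 + d;
    }
    return n;
}

// Strict chunk-size line: hex digits up to an optional ";ext", and a shift
// that is refused when it would drop bits (2^64 and larger are rejected,
// not truncated).
std::optional<uint64_t> parseChunkSize(std::string_view line) {
    std::string_view hex = line.substr(0, line.find(';'));
    if (hex.empty()) return std::nullopt;
    uint64_t n = 0;
    for (char c : hex) {
        uint64_t d;
        if (c >= '0' && c <= '9')      d = static_cast<uint64_t>(c - '0');
        else if (c >= 'a' && c <= 'f') d = static_cast<uint64_t>(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') d = static_cast<uint64_t>(c - 'A' + 10);
        else return std::nullopt;
        if (n > (UINT64_MAX >> 4)) return std::nullopt;   // n << 4 would lose bits
        n = (n << 4) | d;
    }
    return n;
}
```

A request whose Content-Length or chunk-size fails the strict parser should be answered with 400 and the connection closed; a lenient parse that "repairs" the value is exactly what lets two hops in a chain disagree on where one message ends and the next begins.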

Impact

Exploitation could lead to HTTP request/response smuggling, a technique that manipulates the way HTTP messages are interpreted by servers or proxies, potentially causing them to misroute or misprocess requests or responses.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request with a negative 'Content-Length' header. The KJ-HTTP library will accept this invalid header, treating it as a large positive value. This can be done using a tool or script that allows for custom HTTP headers, such as curl or a programming language with HTTP capabilities. Once the request is sent, the server's response can be checked for signs of smuggling, such as unexpected behavior or routing.

Remediation

Users should update to Cap'n Proto version 1.4.0 or later, where this vulnerability has been fixed. The updated version can be downloaded from the Cap'n Proto website.

Added: Mar 12, 2026, 8:21 PM
Updated: Mar 12, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.9
exploitability: 4.7
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.