The CVE-2024-43355 vulnerability stems from the Eventlet WSGI server’s flawed parsing of HTTP requests containing a `Transfer-Encoding: chunked` header. The server incorrectly processes the entire request, including the trailing headers (trailers) that follow the chunked data body. This parsing deficiency allows a maliciously crafted request, with a smuggled secondary request embedded within its trailer section, to be interpreted incorrectly. When Eventlet acts as a reverse proxy in front of another backend server, the two systems can desynchronize in their interpretation of the single TCP connection stream. The backend server may see the smuggled request as a separate, new request, leading to cache poisoning, security control bypass, and session hijacking.
Platform: Eventlet
Version: < 0.40.3
Vulnerability: Request Smuggling
Severity: Critical
Date: 2024
Prediction: Patch Available
What Undercode Says:
curl -H "Transfer-Encoding: chunked" -H "Content-Length: 3" -d "1\r\nX\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\n\r\n" http://target
Example vulnerable server setup (eventlet < 0.40.3):
import eventlet
from eventlet import wsgi   # the wsgi submodule is not loaded by "import eventlet" alone

def application(env, start_response):
    # Minimal WSGI app; the request parsing that matters happens in eventlet.wsgi, not here
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'Hello, world!']

wsgi.server(eventlet.listen(('', 8000)), application)
How to Exploit:
Craft an HTTP request with a `Transfer-Encoding: chunked` header and embed a complete, secondary HTTP request within the trailer section. Because the vulnerable parser does not consume the trailers, those bytes remain on the connection and the backend server reads them as a fresh request, allowing an attacker to bypass security rules, poison caches, or hijack user sessions by forwarding the request to an internal endpoint.
Protection from this CVE:
Upgrade to eventlet version 0.40.3 or later. The patch mitigates the vulnerability by completely discarding all HTTP trailer data from incoming requests. If your application backend requires trailers to function, this update will break that functionality.
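To make the parsing point above and the fix concrete, here is a small added example (not Eventlet's code, not from the advisory) showing the two halves of the problem: a framing check that flags requests carrying both `Content-Length` and `Transfer-Encoding`, and a chunked-body decoder that consumes and discards the trailer section, as the 0.40.3 patch does, beside a lax decoder that stops at the zero-size chunk and leaves the trailer bytes on the stream. The sample request is constructed for the example; the function names are my own.

```python
from typing import Dict, List, Tuple

# Constructed sample, not a capture: a chunked request whose trailer section
# carries a second request line, which is exactly what a strict parser must discard.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"1\r\nX\r\n"
    b"0\r\n"
    b"GET /admin HTTP/1.1\r\n"   # trailer line 1
    b"Host: localhost\r\n"       # trailer line 2
    b"\r\n"                      # blank line ends the trailer section
)


def split_head(raw: bytes) -> Tuple[bytes, Dict[str, List[str]], bytes]:
    """Split a raw request into (request line, lower-cased header map, body bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return lines[0], headers, rest


def framing_is_ambiguous(headers: Dict[str, List[str]]) -> bool:
    """True when Content-Length and Transfer-Encoding both appear, or either repeats.
    RFC 7230 3.3.3 says chunked wins, but a proxy and a backend that disagree on
    that rule desynchronize; rejecting such requests up front removes the ambiguity."""
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    return (bool(cl) and bool(te)) or len(cl) > 1 or len(te) > 1


def _read_chunks(stream: bytes) -> Tuple[bytes, int]:
    """Decode chunk-size/data pairs up to and including the zero-size chunk line.
    Returns (body, offset of the first byte after the '0\\r\\n' line)."""
    body = bytearray()
    pos = 0
    while True:
        nl = stream.index(b"\r\n", pos)                      # ValueError if truncated
        size = int(stream[pos:nl].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(body), pos
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        pos += 2


def decode_chunked_strict(stream: bytes) -> Tuple[bytes, bytes]:
    """Decode the body, then consume and DISCARD every trailer line up to the blank
    line that ends the message (the behaviour of the fixed parser).
    Returns (body, leftover bytes that genuinely belong to the next message)."""
    body, pos = _read_chunks(stream)
    while True:
        nl = stream.index(b"\r\n", pos)
        line = stream[pos:nl]
        pos = nl + 2
        if line == b"":
            break
        # trailer line intentionally ignored: nothing in it is ever interpreted
    return body, stream[pos:]


def decode_chunked_lax(stream: bytes) -> Tuple[bytes, bytes]:
    """Illustrates the bug class: stops right after the zero-size chunk and leaves the
    trailer bytes unread, so whatever reads the connection next sees them as a new request."""
    body, pos = _read_chunks(stream)
    return body, stream[pos:]


if __name__ == "__main__":
    _, hdrs, raw_body = split_head(SAMPLE_REQUEST)
    print("ambiguous framing:", framing_is_ambiguous(hdrs))
    print("strict leftover:", decode_chunked_strict(raw_body)[1])
    print("lax leftover:   ", decode_chunked_lax(raw_body)[1])
```

Run against the sample, the strict decoder returns the one-byte body and an empty leftover, while the lax decoder returns the same body but leaves `GET /admin HTTP/1.1 ...` on the stream, which is the desynchronization the advisory describes. The framing check is the cheap first line of defence at a proxy: a request that is ambiguous about its own length should be rejected before any body parsing happens.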
Impact:
Security Control Bypass
Cache Poisoning
Targeted User Attacks
Sources:
Reported By: github.com