Security: AHC can be tricked into connecting to a different host #1455

Closed
slandelle opened this issue Aug 28, 2017 · 5 comments
@slandelle (Contributor) commented Aug 28, 2017

Issue is very similar to CVE-2016-8624 that affected cURL last year.

AHC url parser, org.asynchttpclient.uri.Uri can be tricked with an anchor containing a question mark into connecting to a different host. This issue also affects java.net.URL (as of 8u112) but not java.net.URI:

```java
org.asynchttpclient.uri.Uri.create("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 5.6.7.8

new java.net.URL("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 5.6.7.8

java.net.URI.create("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 1.2.3.4
```

Credit goes to Nicolas Grégoire from Agarri.

I'm not aware of any exploit at the moment.

Possible usages:

  • circumventing white/black lists
  • web crawler that would use AHC for fetching pages but would use java.net.URI to compute the index key.
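The parse-order difference described in the report, as an added example that is not AHC's code: `buggy_host` models the pre-2.0.35 order (query cut at the first `?` before the fragment is removed), `rfc_host` the RFC 3986 order that java.net.URI follows, and `host_for_allowlist` is a hypothetical defender-side check that refuses any URL on which the two, plus Python's `urllib`, do not name the same host.

```python
# Added example, not code from the AHC project: models the pre-2.0.35 parse
# order beside the RFC 3986 order so an allow-list check can reject URLs the
# two disagree on instead of filtering on one host and connecting to another.
from urllib.parse import urlsplit


def _host_port(authority):
    """Host and optional port from an authority, dropping userinfo before '@'."""
    hostport = authority.rsplit("@", 1)[-1]
    host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return hostport.lower(), None


def _after_scheme(url):
    return url[url.index(":") + 1:]


def buggy_host(url):
    """Flawed order: cut at the first '?' before removing the fragment, so a
    '#' inside the authority survives and a later '@' shifts the host."""
    rest = _after_scheme(url).split("?", 1)[0]      # query cut first (the bug)
    if not rest.startswith("//"):
        return None
    return _host_port(rest[2:].split("/", 1)[0])


def rfc_host(url):
    """RFC 3986 order: drop the fragment, then the query, then split authority."""
    rest = _after_scheme(url).split("#", 1)[0]      # fragment removed first
    rest = rest.split("?", 1)[0]
    if not rest.startswith("//"):
        return None
    return _host_port(rest[2:].split("/", 1)[0])


def parsers_agree(url):
    """True when the flawed parser, the RFC parser and urllib pick one host."""
    ref = urlsplit(url)
    return buggy_host(url) == rfc_host(url) == (ref.hostname, ref.port)


def host_for_allowlist(url):
    """Host to compare against an allow list; ambiguous URLs are refused."""
    if not parsers_agree(url):
        raise ValueError("ambiguous authority, refusing: " + url)
    return rfc_host(url)[0]


if __name__ == "__main__":
    tricky = "http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q"      # URL from the report
    print(buggy_host(tricky), rfc_host(tricky))          # ('5.6.7.8', 82) ('1.2.3.4', 81)
```

The practical rule this encodes is the one the thread converges on: whatever component enforces the list must see the same host the HTTP client will actually open a socket to.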
@slandelle slandelle added this to the 2.0.34 milestone Aug 28, 2017
@slandelle slandelle self-assigned this Aug 28, 2017
slandelle added a commit that referenced this issue Aug 28, 2017
Motivation:

AHC can be tricked into connecting to a different host.

Modification:

* Make sure we don’t interpret `?` in the anchor as the beginning of
the query and the end of the path.
* Update tests to check org.asynchttpclient.uri.Uri returns the same
results as java.net.URI.

Result:

AHC no longer tricked by anchors containing question mark.
@wsargent (Contributor) commented:
I think this falls into the category of SSRF checks. There's some research here find-sec-bugs/find-sec-bugs#307 and I've got a (not working) SSRF filter in progress in Play WS playframework/play-ws#118

@slandelle (Contributor, Author) commented:
@wsargent Thanks for the info. I guess one could implement such filter directly in AHC too.

@slandelle slandelle modified the milestones: 2.0.35, 2.0.34 Aug 30, 2017
@ngregoire commented:
I tested v2.0.35, which looks OK (it now behaves like java.net.URI).

Regarding exploitability of versions < 2.0.35: it appears that controlling the "path" or "query" parts of the request isn't possible. So, the worst impacts I can think of are:

  • in a black/white lists bypass scenario: access to (only) the root page of a forbidden resource => limited information leak (for example, it can't be used to steal private information from AWS metadata servers)
  • in an index key collision scenario: malicious update of cache entries => publishing incorrect or NSFW content, attacking users (water-hole or phishing attacks), ...

The second scenario looks worse.

@ngregoire commented:
CVE-2017-14063 was assigned.

dskrvk added a commit to dskrvk/reboot that referenced this issue Sep 17, 2017
farmdawgnation pushed a commit to dispatch/reboot that referenced this issue Sep 18, 2017
masahitojp added a commit to masahitojp/solr-scala-client that referenced this issue Oct 16, 2017
fix a security vulnerability of async-http-client.
See below link

AsyncHttpClient/async-http-client#1455
@JLLeitschuh commented:
Out of curiosity, did the Java inconsistency ever have a CVE assigned to it? Is it still present or did it get fixed?

```java
new java.net.URL("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 5.6.7.8

java.net.URI.create("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 1.2.3.4
```
