MitMProxy, a popular intercepting proxy tool, was found to be vulnerable to HTTP request smuggling attacks in versions 7.0.4 and below. The issue has been fixed in version 8.0.0, and users of MitMProxy are advised to update to the latest version. This vulnerability allows a malicious client or server to perform an HTTP request smuggling attack through MitMProxy, potentially bypassing user-implemented access control checks or input sanitization.

Details of the Vulnerability

HTTP request smuggling occurs when a malicious client or server constructs a specially crafted request or response to trick the target server into processing multiple requests within a single HTTP message. This can result in unauthorized access or unintended actions on the target server.

MitMProxy, an SSL/TLS-capable intercepting proxy tool, was found to be vulnerable to such attacks in versions 7.0.4 and below. A malicious client/server could smuggle a request/response through MitMProxy as part of another request/response's HTTP message body. While MitMProxy would only see one request, the target server would see multiple requests.

A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual MitMProxy event hooks. These event hooks are often used by users to implement custom access control checks or input sanitization. This means that the vulnerability could potentially allow an attacker to bypass these security checks.

The following code snippet demonstrates how an attacker could exploit this vulnerability:

POST / HTTP/1.1
Host: target-server.com
Content-Length: 105
Transfer-Encoding: chunked

68
GET /hidden-resource HTTP/1.1
Host: target-server.com




In this example, an attacker sends a request carrying two conflicting message-length headers (Content-Length and Transfer-Encoding: chunked), which can cause the target server to treat the payload as two separate HTTP requests.
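A defensive check for the pattern above, as an added example that is not part of the original advisory or of mitmproxy's code: it flags raw HTTP/1.x requests with ambiguous framing and request lines hidden inside a body, going slightly beyond the Content-Length/Transfer-Encoding case shown. The function name `framing_findings` and the sample bytes are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the request shown above (not captured traffic).
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: target-server.com\r\n"
    b"Content-Length: 105\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"68\r\n"
    b"GET /hidden-resource HTTP/1.1\r\n"
    b"Host: target-server.com\r\n"
    b"\r\n"
)

# An HTTP/1.x request line that starts a line inside a message body.
EMBEDDED_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS) \S+ HTTP/1\.[01]\r?$",
    re.MULTILINE,
)


def framing_findings(raw: bytes) -> list:
    """Return the reasons a raw HTTP/1.x request has ambiguous or suspicious framing."""
    head, _, body = raw.partition(b"\r\n\r\n")
    findings, headers = [], {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line itself
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without colon")
            continue
        if name != name.strip():  # RFC 7230 3.2.4: no whitespace before the colon
            findings.append("whitespace around header name")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:  # two parsers may pick different framing rules
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if EMBEDDED_REQUEST.search(body):  # the smuggled request rides in the body
        findings.append("request line embedded in body")
    return findings
```

Because a smuggled request never reaches the per-request event hooks, a check like this has to run on the outer message's raw bytes or body.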

- CVE-2022-24766 Repository - Provides details, references, and updates on the vulnerability.
- MitMProxy 8.0.0 Release Notes - Details the updates and improvements in mitmproxy's new release, including the fix for this vulnerability.

Conclusion

Users of MitMProxy should immediately update to version 8.0.0 or later in order to prevent potential HTTP request smuggling attacks. This vulnerability could allow an attacker to bypass custom access control checks or input sanitization that may be in place, so it's critical to update to the latest version as soon as possible.

Timeline

Published on: 03/21/2022 19:15:00 UTC
Last modified on: 03/29/2022 16:49:00 UTC