The Apache HTTP Server, one of the most widely-used web servers, is known for its reliability, flexibility, performance, and comprehensive defense mechanisms. However, no software is immune to security risks, even Apache. In this long-read post, we'll scrutinize the CVE-2022-22720 vulnerability found in Apache HTTP Server 2.4.52 and its predecessors. This particular weakness exposes the server to HTTP Request Smuggling attacks, which we'll delve into, along with code snippets, links to original references, and a thorough analysis of the exploit.

Background

CVE-2022-22720 is a vulnerability in Apache HTTP Server 2.4.52 and earlier. This flaw arises due to the server's failure to terminate inbound connections when encountering errors while discarding the request body. This susceptibility potentially enables HTTP Request Smuggling attacks, which can lead to unauthorized access, pilferage of sensitive information, or abuse of other web server functionalities.

HTTP Request Smuggling

To understand this vulnerability, we must first grasp what HTTP Request Smuggling is. It refers to a class of web application attacks where an attacker manipulates the HTTP headers to make multiple HTTP requests appear as one to an intermediate server, to bypass security checks or gain unauthorized access. This attack primarily exploits the discrepancies between how HTTP requests are parsed and processed by different systems involved in a web connection.

For detailed information on HTTP Request Smuggling, refer to this research paper by Amit Klein:
_https://dl.packetstormsecurity.net/papers/general/HTTP_Request_Smuggling.pdf

Vulnerability Details

When Apache HTTP Server receives a client request with a body (e.g., POST or PUT requests), it has to process the HTTP headers and, if necessary, read the message body. If an error occurs while processing the request, Apache attempts to discard the remaining request body to maintain a clean state for further client communications.

However, in versions 2.4.52 and earlier, Apache fails to terminate the connection appropriately when errors are encountered during the discarding of the request body, opening the door for HTTP Request Smuggling attacks.

Below is a snippet of code that demonstrates this flaw

/* core_filters.c */
static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *bb,
                             ap_input_mode_t mode, apr_read_type_e block,
                             apr_off_t readbytes)
{
    ...
    /* Discard the request body */
    while (ctx->remaining) {
        apr_status_t rv;

        if (APR_BRIGADE_EMPTY(ctx->b)) {
            rv = ap_get_brigade(f->next, ctx->b, AP_MODE_READBYTES,
                                block, readbytes);
            ...
        }
        rv = apr_brigade_partition(ctx->b, ctx->remaining, &stop_point);
        ...
        APR_BRIGADE_CONCAT(bb, ctx->b);
        apr_brigade_cleanup(ctx->b);
        ctx->remaining -= nbytes;
    }
    ...
}

The code above is a snippet taken from Apache HTTP Server's core input filter "core_filters.c". The input filter handles reading the request body by passing the content through a chain of filters, which process the data in various ways, such as decoding, decompression, and more.

When the server attempts to discard the request body, it does so by consuming the remaining bytes of the request as indicated by "ctx->remaining" following the filter chain. However, if an error occurs while discarding the request body (e.g., a decompression error or a parsing error), the connection remains open, thereby allowing the attacker to introduce additional requests, consequently leading to HTTP Request Smuggling possibilities.

Exploit Details

Original Post: https://apache-http-server.general.narkive.com/o8dOIF74/server-vulnerability-cve-2022-22720-http-request-smuggling#post3

A skilled attacker can exploit CVE-2022-22720 by sending multiple HTTP requests with manipulated boundaries, confusing the Apache's header and request body parsing mechanism.

To patch this vulnerability, upgrade your Apache HTTP Server to the latest available version, 2.4.53, which includes the necessary fix. Upgrading can be done using the package management system for your OS (e.g., "apt-get upgrade" for Debian/Ubuntu or "yum update" for CentOS/RHEL). If you're using a third-party vendor for your Apache distribution, refer to their documentation for proper procedures.

For more information on the latest Apache update, refer to the Official Apache HTTP Server 2.4.53 Documentation:

Conclusion

HTTP Request Smuggling is a considerable threat to application security. To protect your server against CVE-2022-22720, promptly update your Apache HTTP Server to the latest version and stay well-informed about other possible vulnerabilities. By doing so, you will ensure the integrity and security of your web applications in the face of potential cyber threats.

Timeline

Published on: 03/14/2022 11:15:00 UTC
Last modified on: 08/15/2022 11:17:00 UTC