CVE-2024-24791: net/http HTTP/1.1 Client Mismanages "Expect: 100-continue" Header, Leading to Denial of Service Vulnerability

A vulnerability has been discovered in the net/http HTTP/1.1 client library which mishandles the "Expect: 100-continue" header in certain cases. This vulnerability, labeled as CVE-2024-24791, can leave the client connection in an invalid state, where the next request sent on the connection will fail. When exploited, this vulnerability can lead to a Denial of Service (DoS) attack on systems using the affected library.

Description

The net/http HTTP/1.1 client fails to properly manage cases where a server responds to an "Expect: 100-continue" header with a non-informational (200 or higher) status. In these cases, the client library leaves the connection in an invalid state, and the next request sent on the connection will fail.

The vulnerability can be exploited by an attacker who sends a request to a net/http/httputil.ReverseProxy proxy containing the "Expect: 100-continue" header. If the backend server returns a non-informational response, the proxy's connection will be left in an invalid state, causing subsequent requests using that connection to fail.

Here's a code snippet demonstrating the issue

package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
)

func main() {
	target := "http://backend.example.com";
	proxy := httputil.NewSingleHostReverseProxy(target)

	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		proxy.ServeHTTP(w, r)
	})

	fmt.Println("Starting proxy server on :808")
	log.Fatal(http.ListenAndServe(":808", nil))
}

For original references and more information, you can refer to the official repository and documentation.

- Go net/http package documentation
- Go httputil.ReverseProxy documentation
- CVE-2024-24791 on the CVE database

Exploit Details

An attacker can send a series of requests with the "Expect: 100-continue" header to systems using the affected library. If the backend server returns a non-informational response, the attacker will leave the server in an invalid state, causing subsequent legitimate requests to fail.

Example of a malicious request

POST /some/path HTTP/1.1
Host: target.example.com
Content-Type: application/json
Content-Length: 123
Expect: 100-continue

{ "malicious": "content" }

This exploit can quickly cause a denial of service on systems using the affected net/http HTTP client library, so it is crucial to patch the vulnerability as soon as possible.

Mitigation

System administrators and developers should update their net/http HTTP/1.1 client library to the latest version that contains a fix for the CVE-2024-24791 vulnerability. Additionally, monitoring web server logs and implementing rate limiting or IP filtering can help detect and prevent potential exploitation attempts.

Conclusion

CVE-2024-24791 is a vulnerability in the net/http HTTP/1.1 client library that can result in denial of service attacks. Ensuring that your systems are running the latest patched versions of the library is crucial to minimizing the risk of exploitation. Regularly reviewing logs and taking preventive measures can help detect and mitigate potential attacks.

Timeline

Published on: 07/02/2024 22:15:04 UTC
Last modified on: 07/08/2024 14:17:39 UTC