SSRF exploitation. Workshop
Special for DefCon-UA, 08/12/2012, Moscow, Neuron Hackspace
SSRF - Server Side Request Forgery
● The ability to create requests from the vulnerable server to the intranet/internet
● Using a protocol supported by the available URI schemas, you can communicate with services running on other protocols (smuggling)
SSRF - Server Side Request Forgery
● What can I do with forged requests?
● Anything!
  ○ Get data from the internal network!
  ○ Exploit all host-based auth!
  ○ Exploit local services on the loopback interface!
  ○ etc...
SSRF - Server Side Request Forgery
[Diagram: an HTTP request to the Frontend becomes an API request through the Firewall to the Backend; the forged request gives access to the loopback interface and to the internal network (Intranet)]
SSRF - reasons
● SSRF is not a vulnerability
● SSRF is a class of attacks
● XXE, RFI, CRLF injection and others are SSRF's friends
● Anything that can open a socket can be SSRFed
SSRF - reasons
● Direct writing to sockets in the webapp
● HTTP clients (libcurl, LWP, Java URL, etc.)
● Database functions
● Format processing
  ○ XML parsers (XXE, DTD, XSD, XSLT, etc.)
  ○ OpenOffice (DDE, dynamic data, etc.)
  ○ PDF (TCPDF library, etc.)
SSRF - what is needed?
● Desire
● Luck
● Ability to anticipate and assume
● nc (nc -l -vv -p 12345)
● SSRF cheatsheet doc
SSRF - cheatsheet
● We collected all related information about SSRF and its exploitation in one cheatsheet:
  https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
HTTP client bugs
Bypass webapp filters (e.g. preg_replace) using a redirect:
● any host -> localhost
● valid port -> any port
● valid schema -> any schema
● SOP is for browsers, not for HTTP clients
CASE #1. Market & Payment system. OAuth token hijacking
● The application receives an OAuth token from the payment server
● The token is added to the HTTP request created by libcurl via CURLOPT_HTTPHEADER
● This header is appended to all requests sent by libcurl. Even after redirects ;)
CASE #1. Market & Payment system. OAuth token hijacking
● Find an open redirect vuln (WASC-38) at the payment server
● Change the payment URL to call the redirect instead of a valid payment transaction
● Jack the OAuth token sent from the market to the payment system ;)
  https://dev.onsec.ru/workshop/market/
CASE #1. Market & Payment system. OAuth token hijacking
[Diagram: SSRF attack via an open redirect vuln. The Market sends an HTTP request with the OAuth token to the Payment system; the redirect bounces the HTTP request, still carrying the OAuth token from the market, to the Evil host]
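The two weaknesses above (filter bypass through a redirect, and a credential header re-sent on every hop) are exactly what a server-side URL fetcher has to defend against. The following is an added defensive example written for this page, not code from the workshop or from any library it mentions: it validates scheme, port and resolved address, follows redirects by hand so each hop is re-checked, and sends the auth header only to the original host. The resolver and fetcher are injected and the sample DNS/HTTP data is constructed, so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}   # no gopher://, dict://, ldap://, file://
ALLOWED_PORTS = {80, 443}             # no 11211 (memcached) or other local services

def validate_url(url, resolve):
    """Return (ok, reason). `resolve(host)` gives the IPs the host maps to;
    it is injected so the check can be exercised offline."""
    p = urlsplit(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % p.scheme
    if not p.hostname:
        return False, "missing host"
    port = p.port or (443 if p.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    ips = resolve(p.hostname)
    if not ips:
        return False, "host does not resolve"
    for ip in ips:  # loopback, RFC1918, link-local, ... are all non-global
        if not ipaddress.ip_address(ip).is_global:
            return False, "%s resolves to non-public %s" % (p.hostname, ip)
    return True, "ok"

def fetch_checked(url, resolve, fetch, auth_headers=None, max_hops=5):
    """Follow redirects by hand: every hop is re-validated and credentials go
    only to the original host (unlike CURLOPT_HTTPHEADER across redirects).
    `fetch(url, headers)` returns (status, location, body). A real client must
    also connect to the IP it validated rather than resolve the name again."""
    origin = urlsplit(url).hostname
    for _ in range(max_hops):
        ok, reason = validate_url(url, resolve)
        if not ok:
            raise ValueError("blocked %s: %s" % (url, reason))
        hdrs = (auth_headers or {}) if urlsplit(url).hostname == origin else {}
        status, location, body = fetch(url, hdrs)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return url, body
    raise ValueError("too many redirects")

# Constructed sample: a fake resolver and a fake server that, like the open
# redirect on the slides, bounces a valid-looking URL to a loopback service.
FAKE_DNS = {"shop.example": ["93.184.216.34"], "localhost": ["127.0.0.1"]}
FAKE_HTTP = {"http://shop.example/pay": (302, "http://127.0.0.1:11211/", ""),
             "http://shop.example/ok": (200, None, "payment page")}
resolve = lambda host: FAKE_DNS.get(host, [])
fetch = lambda url, headers: FAKE_HTTP.get(url, (404, None, ""))
```

With the sample data, the clean URL is fetched while the redirect chain is blocked at the second hop before any request reaches 127.0.0.1:11211.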
Let's go to server-side exploitation
● SSRF is really cool for exploiting host-based auth
● Host-based auth must die ;)
● NoSQL databases, monitoring services and much more grant privileges to loopback connections by default
Protocol smuggling
● When you say "GET / HTTP/1.1", what does a service hear?
● When you receive data by one of the prehistoric protocols, what TCP packet do you send?
● When you say "bla[valid packet]bla", what does a service hear?
Protocols and URI schemas in HTTP clients
● gopher:// lets you create almost any TCP packet (no 0x00 for cURL, no bytes greater than 0x7f for Java)
● dict:// lets you forge the second line of a plain-text request (cURL only)
● ldap:// lets you forge a request with a constant prefix (LWP only)
What makes smuggling possible?
● HTTP clients don't check the protocol but send data immediately after connect (ldap for LWP)
● Services do not close the socket after receiving an invalid packet
● The protocol you can forge fits within the protocol you want to exploit
CASE #2. WordPress exploitation
● Yes, it is the latest WordPress (3.4.2) without any plugins
● Reason - libcurl unsafe redirect
● But SSRF can be triggered only from the admin panel
● Use our old friend CSRF!
● CSRF + SSRF make you happy ;)
CASE #2. WordPress exploitation
● No gopher:// protocol for cURL in Debian squeeze
● But dict:// is available and lets us exploit memcached
● CSRF + SSRF = memcached exploit ;)
  https://dev.onsec.ru/workshop/wordpress/
Format processors are SSRF friends
● On 23/03/2012 in Kyiv I talked about XXE-based SSRF
● XML parsers, DTD, XSD, XSLT - all of them provide SSRF
● OpenOffice provides SSRF
● Many processing libraries provide SSRF
● Anything that can open a socket can be SSRFed
CASE #3. TCPDF library SSRF
● http://www.tcpdf.org/
● Very common library for PDF conversion
● Example application converts users' HTML to PDF
● What about external resources such as images?
● TCPDF uses cURL
  https://dev.onsec.ru/workshop/pdfconv/
CASE #4. LWP avatar uploader
● LWP - libwww-perl
● Useful and common library
● Provides unsafe redirect ;)
● Supports the gopher protocol by default ;)
● Let's go!!!
CASE #4. LWP avatar uploader. Zabbix agentd exploitation
● Zabbix is a common monitoring system
● Zabbix agentd - local daemon for various checks
● Host-based auth ;)
● Supports command execution ;)
  https://dev.onsec.ru/workshop/avatars/
CASE #5. Have some free time?
● Let's go for Postgres exploitation
● The dblink() function lets us do SSRF through SQLi
  http://www.postgresql.org/docs/8.4/static/dblink.html

  SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\nstats\n port=11211 sslmode=disable', 'select 1');