SSRF exploitation. Workshop Special for DefCon-UA 08/12/2012 Moscow, Neuron Hackspace

SSRF workshop


08/12/2012 SSRF workshop special for DefCon-UA. Neuronspace, Moscow.


Page 1: SSRF workshop

SSRF exploitation.

Workshop. Special for DefCon-UA

08/12/2012 Moscow, Neuron Hackspace

Page 2: SSRF workshop

SSRF - Server Side Request Forgery

● The ability to create requests from the vulnerable server to the intranet or the internet
● Using a protocol supported by the available URI schemes, you can communicate with services running on other protocols (smuggling)

Page 3: SSRF workshop

SSRF - Server Side Request Forgery

● What can I do with forged requests?
● Anything!
  ○ Get data from the internal network!
  ○ Exploit all host-based auth!
  ○ Exploit local services on the loopback interface!
  ○ etc...

Page 4: SSRF workshop

SSRF - Server Side Request Forgery

[Diagram: an HTTP request crosses the firewall to the frontend; the frontend sends an API request to the backend; a forged request from either host gives access to the internal network (intranet) or to the loopback interface.]

Page 5: SSRF workshop

SSRF - reasons

● SSRF is not a vulnerability
● SSRF is a class of attacks
● XXE, RFI, CRLF injection and others are SSRF's friends
● Anything that can open a socket can be SSRFed

Page 6: SSRF workshop

SSRF - reasons

● Direct writing to sockets in the webapp
● HTTP clients (libcurl, LWP, Java:URL, etc)
● Database functions
● Format processing
  ○ XML parsers (XXE, DTD, XSD, XSLT, etc)
  ○ OpenOffice (DDE, dynamic data, etc)
  ○ PDF (tcpdf library, etc)

Page 7: SSRF workshop

SSRF - what stuff is needed?

● Desire
● Luck
● Ability to anticipate and assume
● nc (nc -l -vv -p 12345)
● SSRF cheatsheet doc

Page 9: SSRF workshop

HTTP client bugs

Bypass webapp filters (i.e. preg_replace) using a redirect:

● any host -> localhost
● valid port -> any port
● valid scheme -> any scheme
● SOP is for browsers, not for HTTP clients

Page 10: SSRF workshop

CASE #1. Market & Payment system. OAuth token hijacking

● The application receives an OAuth token from the payment server
● The token is added to the HTTP request created by libcurl via CURLOPT_HTTPHEADER
● This header will be appended to all requests sent by libcurl. Even after redirects ;)

Page 11: SSRF workshop

CASE #1. Market & Payment system. OAuth token hijacking

● Find an open redirect vuln (WASC-38) at the payment server
● Change the payment URL to call the redirect instead of a valid payment transaction
● Jack an OAuth token from the market to the payment system ;)

https://dev.onsec.ru/workshop/market/

Page 12: SSRF workshop

CASE #1. Market & Payment system. OAuth token hijacking

[Diagram: the market sends an HTTP request with the OAuth token to the payment system; the open redirect vuln on the payment system turns it into an SSRF attack, so the HTTP request with the OAuth token is replayed to the evil host, which receives the OAuth token from the market.]
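A defensive counterpart to the redirect bypasses on the "HTTP client bugs" slide and to the token leak in Case #1, added here as an example and not part of the workshop material: every redirect hop is re-validated against a scheme, port and resolved-address policy, and credential headers are dropped as soon as a hop leaves the origin they were issued for. The names check_url, safe_fetch, FAKE_DNS and fake_transport are constructed for this example, and the hostnames and addresses are made up.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}      # no gopher://, dict://, ldap://, file://
ALLOWED_PORTS = {80, 443}
CREDENTIAL_HEADERS = {"authorization", "cookie"}  # must never cross an origin

# Constructed DNS table so the example runs offline; addresses are made up.
FAKE_DNS = {"payment.example": "93.184.216.34",
            "evil.example": "93.184.216.35", "internal.example": "10.0.0.5"}

def check_url(url):
    """Return None if the URL may be fetched, otherwise the rejection reason."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    port = p.port or (443 if p.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return "port not allowed"
    try:  # names go through the table, literal IPs resolve to themselves
        ip = ipaddress.ip_address(FAKE_DNS.get(p.hostname, p.hostname or ""))
    except ValueError:
        return "unresolvable host"
    if not ip.is_global:  # loopback, RFC 1918, link-local, reserved ranges
        return "non-public address"
    return None

def safe_fetch(url, headers, transport, max_hops=3):
    """Follow redirects by hand: re-check every hop and drop credential
    headers as soon as the target leaves the origin the caller trusted."""
    origin = (urlparse(url).scheme, urlparse(url).hostname)
    for _ in range(max_hops + 1):
        reason = check_url(url)
        if reason:
            return {"blocked": url, "reason": reason}
        here = (urlparse(url).scheme, urlparse(url).hostname)
        sent = {k: v for k, v in headers.items()
                if here == origin or k.lower() not in CREDENTIAL_HEADERS}
        status, location, body = transport(url, sent)
        if status not in (301, 302, 303, 307, 308):
            return {"body": body}
        url = location
    return {"blocked": url, "reason": "too many redirects"}

def fake_transport(url, headers):
    # Constructed stand-in for libcurl: the payment host open-redirects to the
    # attacker's host, which simply echoes back the headers it received.
    if urlparse(url).hostname == "payment.example":
        return 302, "https://evil.example/", ""
    return 200, None, "headers seen: " + ",".join(sorted(headers))
```

With libcurl the equivalent is to leave CURLOPT_FOLLOWLOCATION off and issue each hop yourself through a check like this one.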

Page 13: SSRF workshop

Let's go to server-side exploitation

● SSRF is really cool for exploiting host-based auth
● Host-based auth must die ;)
● NoSQL databases, monitoring services and much more grant privileges to loopback connections by default

Page 14: SSRF workshop

Protocol smuggling

● When you say "GET / HTTP/1.1", what does the service hear?
● When you receive data by one of the prehistoric protocols, what TCP packet do you send?
● When you say "bla[valid packet]bla", what does the service hear?

Page 15: SSRF workshop

Protocols and URI schemes in HTTP clients

● gopher:// lets you create almost any TCP packet (no 0x00 for cURL, no bytes greater than 0x7f for Java)
● dict:// lets you forge the second line of a plain-text request (cURL only)
● ldap:// lets you forge a request with a constant prefix (LWP only)

Page 16: SSRF workshop

What makes smuggling possible?

● HTTP clients don't check the protocol but send data immediately after connect (ldap for LWP)
● Services do not close the socket after receiving an invalid packet
● The protocol that you can forge fits within the protocol that you want to exploit
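To make the second bullet concrete, an added Python example that is not part of the workshop: a constructed toy line-oriented text service with two commands, PING and STATS. The lenient variant skips lines it does not understand and keeps reading, so a valid command wrapped in another protocol's framing (the "bla[valid packet]bla" shape from the previous slide) is still executed; the strict variant closes on the first invalid line and reports it, which is the behaviour a defender wants and a line worth logging.

```python
# Constructed toy line-oriented text service with two commands; it stands in
# for any real service and is not memcached, Zabbix or any actual protocol.
KNOWN = {"PING": "PONG", "STATS": "uptime=42"}

def parse_line(line: bytes) -> str:
    """Normalise one line the way a permissive text parser would."""
    return line.strip().decode("ascii", "replace").upper()

def lenient_service(stream: bytes):
    """Ignores lines it does not understand and keeps the socket open, so a
    valid command buried in another protocol's framing still runs."""
    executed, replies = [], []
    for line in stream.splitlines():
        cmd = parse_line(line)
        if cmd in KNOWN:
            executed.append(cmd)
            replies.append(KNOWN[cmd])
    return executed, replies

def strict_service(stream: bytes):
    """Closes the connection at the first line that is not a valid command and
    names it, so nothing after the foreign framing is interpreted and the
    event can be logged for detection."""
    executed = []
    for line in stream.splitlines():
        cmd = parse_line(line)
        if cmd not in KNOWN:
            return executed, "closed on invalid input: " + cmd
        executed.append(cmd)
    return executed, "ok"

# Constructed inputs: a genuine client session, and a stream where the valid
# command sits inside HTTP request framing the service was never meant to see.
GENUINE = b"PING\nSTATS\n"
SMUGGLED = b"GET / HTTP/1.1\r\nHost: x\r\n\r\nSTATS\r\n"
```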

Page 17: SSRF workshop

CASE #2. Wordpress exploitation

● Yes, it is the latest WordPress (3.4.2) without any plugins
● Reason - libcurl unsafe redirect
● But SSRF can be triggered only from the admin panel
● Use our old friend CSRF!
● CSRF + SSRF make you happy ;)

Page 18: SSRF workshop

CASE #2. Wordpress exploitation

● No gopher:// protocol in Debian squeeze for cURL
● But dict:// is available and lets us exploit memcached
● CSRF + SSRF = memcached exploit ;)

https://dev.onsec.ru/workshop/wordpress/

Page 19: SSRF workshop

Format processors are SSRF friends

● On 23/03/2012 in Kyiv I talked about XXE-based SSRF
● XML parsers, DTD, XSD, XSLT - all of them provide SSRF
● OpenOffice provides SSRF
● Many processing libraries provide SSRF
● Anything that can open a socket can be SSRFed

Page 20: SSRF workshop

CASE #3. TCPDF library SSRF

● http://www.tcpdf.org/
● Very common library for PDF conversion
● Example application converts users' HTML to PDF
● What about external resources such as images?
● TCPDF uses cURL

https://dev.onsec.ru/workshop/pdfconv/

Page 21: SSRF workshop

CASE #4. LWP avatars uploader

● LWP - libwww-perl
● Useful and common library
● Provides unsafe redirect ;)
● Supports the gopher protocol by default ;)
● Let's go!!!

Page 22: SSRF workshop

CASE #4. LWP avatars uploader. Zabbix agentd exploitation

● Zabbix is a common monitoring system
● Zabbix agentd - local daemon for various checks
● Host-based auth ;)
● Supports command execution ;)

https://dev.onsec.ru/workshop/avatars/

Page 23: SSRF workshop

CASE #5. Have free time?

● Let's go to Postgres exploitation
● The dblink() function lets us do SSRF through SQLi

http://www.postgresql.org/docs/8.4/static/dblink.html

SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\' port=11211 sslmode=disable','select 1');

Page 24: SSRF workshop

??? @ONsec_Lab @d0znpp

[email protected]