ivan-novikov
08/12/2012 SSRF workshop special for DefCon-UA. Neuronspace, Moscow.
SSRF exploitation.
Workshop special for DefCon-UA
08/12/2012 Moscow, Neuron Hackspace
SSRF - Server Side Request Forgery
● The ability to create requests from the vulnerable server to intra/internet
● Using a protocol supported by available URI schemas, you can communicate with services running on other protocols (smuggling)
SSRF - Server Side Request Forgery
● What can I do with forged requests?
● Anything!
○ Get data from internal network!
○ Exploit all host-based auth!
○ Exploit local services at loopback interface!
○ etc...
SSRF - Server Side Request Forgery
[Diagram: an HTTP request reaches the Frontend behind the Firewall; the Frontend sends an API request to the Backend in the Intranet; forged requests from the server give access to the internal network and to the loopback interface]
SSRF - reasons
● SSRF is not a vulnerability
● SSRF is a class of attacks
● XXE, RFI, CRLF injection and others are SSRF's friends
● Anything that can open a socket can be SSRFed
SSRF - reasons
● Direct writing to sockets in webapp
● HTTP clients (libcurl, LWP, Java:URL, etc)
● Database functions
● Format processing
○ XML parsers (XXE, DTD, XSD, XSLT, etc)
○ OpenOffice (DDE, dynamic data, etc)
○ PDF (tcpdf library, etc)
SSRF - what stuff needed?
● Desire
● Luck
● Ability to anticipate and assume
● nc (nc -l -vv -p 12345)
● SSRF cheatsheet doc
SSRF - cheatsheet
● We collected all related information about SSRF and its exploitation in one cheatsheet:
https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
HTTP clients bugs
Bypass webapp filters (e.g. preg_replace) using a redirect:
● any host -> localhost
● valid port -> any port
● valid schema -> any schema
● SOP applies to browsers, not to HTTP clients
CASE #1. Market & Payment system. OAuth token hijacking
● Application receives an OAuth token from the payment server
● Token is added to the HTTP request created by libcurl via CURLOPT_HTTPHEADER
● This header will be appended to all requests sent by libcurl. Even after redirects ;)
CASE #1. Market & Payment system. OAuth token hijacking
● Find an open redirect vuln (WASC-38) on the payment server
● Change the payment URL to call the redirect instead of a valid payment transaction
● Jack an OAuth token from the market to the payment system ;)
https://dev.onsec.ru/workshop/market/
CASE #1. Market & Payment system. OAuth token hijacking
[Diagram: the Market sends an HTTP request carrying the OAuth token to the Payment system; the open redirect vuln on the Payment system bounces that request, still carrying the OAuth token, to the Evil host (SSRF attack), which thereby receives the OAuth token from the Market]
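Added hardening example in Python (not the workshop's code, nor from any project it names): an outbound-fetch wrapper that closes the three redirect bypasses listed above (any host, any port, any schema) and the Case #1 token leak by re-validating every hop and dropping the Authorization header when the redirect target is a different origin. The `send` and `resolver` callables are assumptions injected so the policy can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical hardening helper (not the workshop's code): only http(s) to
# public addresses on 80/443, re-checked on every redirect hop.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def is_public_address(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, resolver=socket.gethostbyname):
    """Return (scheme, host, port) for a URL the server may fetch, else raise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # no gopher://, dict://, ldap://
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL hides the real host")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("no host in URL")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:              # no redirect to :11211 etc.
        raise ValueError("port not allowed: %d" % port)
    # Check the address the client will really connect to, not the name.
    if not is_public_address(resolver(host)):
        raise ValueError("%s resolves to a non-public address" % host)
    return scheme, host, port

def fetch_following_redirects(url, headers, send, resolver=socket.gethostbyname,
                              max_hops=3):
    """send(url, headers) -> (status, location_or_body) does the real HTTP call;
    it is injected here so the policy can be exercised offline."""
    origin = validate_outbound_url(url, resolver)
    for _ in range(max_hops):
        status, value = send(url, headers)
        if status not in (301, 302, 303, 307, 308):
            return status, value
        next_origin = validate_outbound_url(value, resolver)  # re-check each hop
        if next_origin != origin:
            # Unlike CURLOPT_HTTPHEADER, the token does not follow a redirect away.
            headers = {k: v for k, v in headers.items()
                       if k.lower() != "authorization"}
        url, origin = value, next_origin
    raise ValueError("too many redirects")
```

In libcurl itself the equivalent knobs are CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS for the scheme restriction, with CURLOPT_FOLLOWLOCATION disabled so each hop can be checked by the application.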
Let's go to server-side exploitation
● SSRF is really cool for exploiting host-based auth
● Host-based auth must die ;)
● NoSQL databases, monitoring services and much more grant privileges to loopback connections by default
Protocol smuggling
● When you say "GET / HTTP/1.1", what does a service hear?
● When you receive data via one of the prehistoric protocols, what TCP packet do you send?
● When you say "bla[valid packet]bla", what does a service hear?
Protocols and URI schemas in HTTP clients
● gopher:// lets you create almost any TCP packet (no 0x00 for cURL, no bytes greater than 0x7f for Java)
● dict:// lets you forge the second line of a plain-text request (cURL only)
● ldap:// lets you forge a request with a constant prefix (LWP only)
What makes smuggling possible?
● HTTP clients don't check the protocol but send data immediately after connecting (ldap for LWP)
● Services do not close the socket after receiving an invalid packet
● The protocol you can forge fits within the protocol you want to exploit
CASE #2. WordPress exploitation
● Yes, it is the latest WordPress (3.4.2) without any plugins
● Reason - libcurl unsafe redirect
● But SSRF can be triggered only from the admin panel
● Use our old friend CSRF!
● CSRF + SSRF make you happy ;)
CASE #2. WordPress exploitation
● No gopher:// protocol in Debian squeeze for cURL
● But dict:// is available and lets us exploit memcached
● CSRF + SSRF = memcached exploit ;)
https://dev.onsec.ru/workshop/wordpress/
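Added detection example in Python (constructed for this page, not from the workshop): SSRF attempts like the WordPress and redirect cases above leave the forged target URL in the web server's access log, so this scans log lines for parameter values carrying the smuggling schemes named on the slides or pointing at the loopback interface, after peeling the repeated percent-encoding that gets past preg_replace-style filters. The extra schemes (file, ftp, tftp), the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed detection logic (not from the workshop): flags query parameters
# carrying the smuggling schemes named on the slides, or a loopback target.
SUSPECT_SCHEMES = {"gopher", "dict", "ldap", "file", "ftp", "tftp"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0", "::1", "0"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Peel repeated percent-encoding: double encoding is a classic way past
    preg_replace-style blacklists."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(request_target):
    """Return (name, decoded_value) for parameters that look like SSRF targets."""
    hits = []
    for name, raw in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        value = fully_decode(raw)
        if "://" not in value:
            continue
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        if (parts.scheme.lower() in SUSPECT_SCHEMES or host in LOOPBACK_HOSTS
                or host.startswith("127.")):
            hits.append((name, value))
    return hits
def scan_access_log(lines):
    """Return (request_target, param, decoded_value) for every hit in the log."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            for name, value in suspicious_params(match.group("target")):
                alerts.append((match.group("target"), name, value))
    return alerts

# Constructed sample log: one benign fetch, then three SSRF attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Dec/2012:12:00:01 +0400] "GET /pdfconv/?url=http%3A%2F%2Fwww.example.com%2Fpage HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Dec/2012:12:00:02 +0400] "GET /avatars/?url=gopher%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 88',
    '10.0.0.5 - - [08/Dec/2012:12:00:03 +0400] "GET /wordpress/?url=dict%3A%2F%2Flocalhost%2F HTTP/1.1" 302 0',
    '10.0.0.5 - - [08/Dec/2012:12:00:04 +0400] "GET /market/pay?return=http%253A%252F%252F127.0.0.1%252Fadmin HTTP/1.1" 200 40',
]
```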
Format processors are SSRF friends
● On 23/03/2012 in Kyiv I talked about XXE-based SSRF
● XML parsers, DTD, XSD, XSLT - all of them provide SSRF
● OpenOffice provides SSRF
● Many processing libraries provide SSRF
● Anything that can open a socket can be SSRFed
CASE #3. TCPDF library SSRF
● http://www.tcpdf.org/
● Very common library for PDF conversion
● Example application converts users' HTML to
● What about external resources such as images?
● TCPDF uses cURL
https://dev.onsec.ru/workshop/pdfconv/
CASE #4. LWP avatars uploader
● LWP - libwww Perl
● Useful and common library
● Provides unsafe redirect ;)
● Supports the gopher protocol by default ;)
● Let's go!!!
CASE #4. LWP avatars uploader
Zabbix agentd exploitation
● Zabbix is a common monitoring system
● Zabbix agentd - local daemon for various checks
● Host-based auth ;)
● Supports command execution ;)
https://dev.onsec.ru/workshop/avatars/
CASE #5. Have some free time?
● Let's go: Postgres exploitation
● The dblink() function lets us do SSRF through SQLi
http://www.postgresql.org/docs/8.4/static/dblink.html
SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\' port=11211 sslmode=disable','select 1');
???
@ONsec_Lab @d0znpp