08/12/2012 SSRF workshop special for DefCon-UA. Neuronspace, Moscow.

1. SSRF exploitation.
Workshop
Special for DefCon-UA
08/12/2012 Moscow, Neuron Hackspace

2. SSRF - Server Side Request Forgery
● The ability to create requests from the
vulnerable server to intra/internet
● Using a protocol supported by available URI
schemas, you can communicate with
services running on other protocols
(smuggling)

3. SSRF - Server Side Request Forgery
● What i can do with forged requests?
● Anything!
○ Get data from internal network!
○ Exploit all host-based auth!
○ Exploit local services at loopback
interface!
○ etc...

4. SSRF - Server Side Request Forgery
Forged
Access to
request
loopback
interface
Access to
internal
network HTTP HTTP
API
request request request
Frontend Firewall
Backend
Forged
request
Intranet

5. SSRF - reasons
● SSRF not a vulnerability
● SSRF is class of attacks
● XXE,RFI,CRLF injection and others is SSRF's
friends
● Anything that can open socket can be
SSRFed

6. SSRF - reasons
● Direct writing to sockets in webapp
● HTTP clients (libcurl, LWP, Java:URL, etc)
● Databases functions
● Format processing
○ XML parsers (XXE, DTD, XSD, XSLT, etc)
○ OpenOffice (DDE, dynamic data, etc)
○ PDF (tcpdf library, etc)

7. SSRF - what stuff needed?
● Desire
● Luck
● Ability to anticipate and assume
● nc (nc -l -vv -p 12345 )
● SSRF cheatsheet doc

8. SSRF - cheatsheet
● We collected all related information about
SSRF and their exploitation in one
cheatsheet:
https://docs.google.
com/document/d/1v1TkWZtrhzRLy0bYXBcdL
UedXGb9njTNIJXa3u9akHM/edit

9. HTTP clients bugs
Bypass webapp filters i.e. preg_replace using
redirect
● any host -> localhost
● valid port -> any port
● valid schema -> any schema
● SOP for browsers, not for HTTPClients

10. CASE #1. Market & Payment system.
OAuth token hijacking
● Application received OAuth token from
payment server
● Token added to HTTP request created by
libcurl CURLOPT_HTTPHEADER
● This header will be append to all requests
sended by libcurl. Even after redirects ;)

11. CASE #1. Market & Payment system.
OAuth token hijacking
● Find a open redirect vuln (WASC-38) at
payment server
● Change payment url to call redirect instead
of valid payment transaction
● Jack a OAuth token from market to
payment system ;)
https://dev.onsec.ru/workshop/market/

12. CASE #1. Market & Payment system.
OAuth token hijacking
Open SSRF
redirect attack
vuln
HTTP
request HTTP
with request
Payment
OAuth Market
system
token
OAuth
token
from
market
HTTP
request
with
OAuth
token Evil host

13. Let's go to server-side exploitations
● SSRF really cool for exploit host-based auth
● Host based auth must die ;)
● NoSQL databases, monitoring services and
much more provide privileges to loopback
connections by default

14. Protocol smuggling
● When you say "GET / HTTP/1.1", what hears
a service?
● When you receive data by one of
prehistoric protocols what TCP packet you
send?
● When you say "bla[valid packet]bla", what
hears a service?

15. Protocols and URI schemas in HTTP
clients
● gopher:// provide you to create almost any
TCP packet (no 0x00 for cURL, no bytes
greater than 0x7f for Java)
● dict:// provide you to forge second line in
plaint/text request (cURL only)
● ldap:// provide you to forge request with
constant prefix (LWP only)

16. What things do smuggling possible?
● HTTP clients don't check a protocol but
send data immediately after connect
(ldap for LWP)
● Services do not close socket after receive
invalid packet
● Protocol that you can forge fits within the
protocols that you want to exploit

17. CASE #2. Wordpress exploitation
● Yes, it is latest wordpress (3.4.2) without
any plugins
● Reason - libcurl unsafe redirect
● But SSRF can be triggered only from admin
panel
● Use old our friend CSRF!
● CSRF + SSRF make you happy ;)

18. CASE #2. Wordpress exploitation
● No gopher:// protocol in Debian squeeze
for cURL
● But dict:// available and provide us to
exploit memcached
● CSRF + SSRF = memcached exploit ;)
https://dev.onsec.ru/workshop/wordpress/

19. Format processors are SSRF friends
● 23/03/2012 in Kyiv I told about XXE based
SSRF
● XML parsers, DTD, XSD, XSLT - all of them
provide SSRF
● OpenOffice provide SSRF
● Many processing libraries provide SSRF
● Anything that can open socket can be
SSRFed

20. CASE #3. TCPDF library SSRF
● http://www.tcpdf.org/
● Very common library for PDF conversion
● Example application convert users HTML to
PDF
● What about external resources such as
images?
● TCPDF using cURL
https://dev.onsec.ru/workshop/pdfconv/

21. CASE #4. LWP avatars uploader
● LWP - libwww Perl
● Usefully and common library
● Provide unsafe redirect ;)
● Support gopher protocol by default ;)
● Lets go!!!

22. CASE #4. LWP avatars uploader
Zabbix agentd explotation
● Zabbix is common monitoring system
● Zabbix agentd - local daemon for various
check
● Host-based auth ;)
● Support command execution ;)
https://dev.onsec.ru/workshop/avatars/

23. CASE #5. Have a free time?
● Let's go Postgres explotation
● dblink() function provide us to do SSRF
through SQLi
http://www.postgresql.org/docs/8.
4/static/dblink.html
SELECT dblink_send_query('host=127.0.0.1
dbname=quit user='nstatsn' port=11211
sslmode=disable','select 1');

24. ???
@ONsec_Lab
@d0znpp
d0znpp@onsec.ru