Cloud SSRF Exploitation

CUPC4K3
Published in stolabs
4 min read, Apr 4, 2022

Hey guys,

Today I’m going to talk about the Server-side request forgery (SSRF) vulnerability and how I managed to exploit it in a realistic environment.

Explaining the vulnerability:

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

Let's get to what matters!

In the tested system it is possible to add attachments when opening tickets, so that is where our analysis starts:

Note that when a file is attached, the application sends it to another instance, and the path “/download” takes a base64-encoded URL that points at the attached file.

Application source code

Analyzing the source code, we located the download path and base64-decoded its parameter, which reveals the domain to which the file was sent.

Base64 Decode

I realized that it was possible to base64 encode another domain and force the server to make the request.

Instance metadata and user data

Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.

You can access instance metadata from a running instance using one of the following methods:

Security concerns around IMDSv1
The metadata service was designed to be accessible only from within the instance. However, there is no additional access control to prevent unauthorized access from a compromised application running on the EC2 instance itself. Application vulnerabilities such as Server Side Request Forgery, XML External Entity Injection etc. may be exploited to gain access to the metadata service.

Instance Metadata Service Version 2 (IMDSv2)
Version 2 of the Instance Metadata Service uses session-based authentication.

IMDSv2 uses session-oriented requests. With session-oriented requests, you first create a session token that defines the session duration, which can be a minimum of one second and a maximum of six hours. During that duration you can use the same session token for subsequent requests. After it expires, you must create a new session token for future requests.
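To make the difference between the two metadata service versions concrete, here is an added example (not code from the article, and not AWS code) that models the request rules of IMDSv1 and IMDSv2 in a small in-memory class. The header and path names are the real ones documented for IMDS; the role name, credential values and the `FakeIMDS`, `ssrf_style_fetch` and `legitimate_client_fetch` names are constructed for the example. It shows why the SSRF described in this article, where the attacker controls only the URL of a plain GET, is answered by IMDSv1 but refused by IMDSv2: the PUT that creates the session token, and the token header on every later GET, cannot be produced through a URL alone.

```python
import secrets
import time

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed sample data: a fake role name and obviously fake credential
# material standing in for what the real service would return.
FAKE_ROLE = "example-app-role"
FAKE_CREDS = ('{"AccessKeyId": "AKIAEXAMPLE0000000000", '
              '"SecretAccessKey": "EXAMPLE-SECRET", "Token": "EXAMPLE-SESSION-TOKEN"}')


class FakeIMDS:
    """Minimal model of the metadata service's request rules (hypothetical).

    require_tokens=False behaves like IMDSv1: any GET is answered.
    require_tokens=True behaves like IMDSv2-only mode: a token must first be
    obtained with a PUT, and every later GET must present it.
    """

    def __init__(self, require_tokens, clock=time.monotonic):
        self.require_tokens = require_tokens
        self.clock = clock          # injectable so expiry can be tested
        self.sessions = {}          # token -> expiry time

    def handle(self, method, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            return self._issue_token(headers)
        if method != "GET":
            return 405, "Method Not Allowed"
        if self.require_tokens and not self._token_valid(headers.get(TOKEN_HEADER)):
            return 401, "Unauthorized"
        return self._metadata(path)

    def _issue_token(self, headers):
        # IMDSv2 rejects token requests carrying X-Forwarded-For, a header
        # typically added when a request has been relayed by a proxy.
        if "x-forwarded-for" in headers:
            return 403, "Forbidden"
        try:
            ttl = int(headers[TTL_HEADER])
        except (KeyError, ValueError):
            return 400, "Bad Request"
        if not 1 <= ttl <= 21600:   # one second to six hours
            return 400, "Bad Request"
        token = secrets.token_urlsafe(32)
        self.sessions[token] = self.clock() + ttl
        return 200, token

    def _token_valid(self, token):
        expiry = self.sessions.get(token)
        return expiry is not None and self.clock() < expiry

    def _metadata(self, path):
        if path == CREDS_PATH:
            return 200, FAKE_ROLE
        if path == CREDS_PATH + FAKE_ROLE:
            return 200, FAKE_CREDS
        return 404, "Not Found"


def ssrf_style_fetch(imds, path):
    """Models the article's SSRF: the attacker controls only the URL of a
    plain GET issued by the application, not the method or headers."""
    return imds.handle("GET", path)


def legitimate_client_fetch(imds, path, ttl=21600):
    """Models an SDK running on the instance: create a session token with a
    PUT, then present it on the GET."""
    status, token = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        return status, token
    return imds.handle("GET", path, {TOKEN_HEADER: token})


if __name__ == "__main__":
    v1, v2 = FakeIMDS(require_tokens=False), FakeIMDS(require_tokens=True)
    print("IMDSv1, SSRF GET:", ssrf_style_fetch(v1, CREDS_PATH))
    print("IMDSv2, SSRF GET:", ssrf_style_fetch(v2, CREDS_PATH))
    print("IMDSv2, SDK     :", legitimate_client_fetch(v2, CREDS_PATH))
```

The model leaves out one further IMDSv2 control: the real service also limits the IP hop count of the token response (default 1), so the PUT cannot be answered across a NAT hop such as a container bridge. The defensive takeaway is the same as the AWS guidance: set the instance metadata option `HttpTokens` to `required` so that IMDSv1-style GETs are refused, and check the fleet for instances where it is still `optional`.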

Abusing SSRF in AWS EC2 environment

Metadata for AWS's basic virtual machines (EC2 instances) can be retrieved from inside the VM by accessing the URL: http://169.254.169.254

The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use it to let cloud resources find out metadata about themselves. Some, such as Google, place additional constraints on the requests, such as requiring the HTTP header Metadata-Flavor: Google and refusing requests that carry an X-Forwarded-For header. AWS, with IMDSv1, imposes no such constraints.
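The root cause described earlier is that the application base64-decodes a user-supplied URL and fetches it with no check on where it points, and the paragraph above explains why the metadata address is the first place such a fetch gets steered. The following is an added example, not the article's or the affected application's code, of how the “/download” handler should validate that parameter before any request is made. It goes beyond the article's single case: it enforces an allowlist of hosts (the name `attachments.example.internal` is hypothetical, the real storage domain is not shown), refuses every IP literal, refuses non-https schemes and bare file paths, and provides a second check on resolved addresses so that an allowlisted name cannot be pointed at 169.254.169.254 through DNS.

```python
import base64
import binascii
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only host the /download endpoint
# should ever fetch attachments from. Hypothetical name.
ALLOWED_HOSTS = {"attachments.example.internal"}
ALLOWED_SCHEMES = {"https"}

# Networks a server-side fetcher must never reach. The first entry covers
# 169.254.169.254, the metadata address shared by AWS and other providers.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),     # link-local / cloud metadata
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS IPv6 endpoint
    ipaddress.ip_network("127.0.0.0/8"),        # loopback
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),         # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),      # shared address space (CGNAT)
    ipaddress.ip_network("0.0.0.0/8"),          # "this network"
    ipaddress.ip_network("fc00::/7"),           # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
]


def encode_download_param(url):
    """What the application's client does: base64-encode the attachment URL."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def decode_download_param(param):
    """Decode the base64 parameter, failing closed on malformed input."""
    try:
        return base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError("download parameter is not valid base64/UTF-8: %s" % exc)


def address_is_blocked(addr_text):
    """True if a literal or resolved address lies in a blocked network."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(param):
    """Return the URL the server may fetch, or raise ValueError.

    Policy: https only, no userinfo, no IP literals at all, and the hostname
    must be on the allowlist. A base64-encoded metadata URL or a bare file
    path such as /etc/passwd therefore never reaches the HTTP client.
    """
    url = decode_download_param(param)
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                                    # not an IP literal; check allowlist
    else:
        raise ValueError("IP literals are not allowed: %s" % host)
    if host.lower().rstrip(".") not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist: %s" % host)
    return url


def check_resolved_addresses(addresses):
    """Second gate, applied after resolving an allowlisted name and before
    connecting: drop any address in a blocked network (a rebinding or
    poisoned record could point an allowed name at the metadata service).
    Connect to one of the returned addresses instead of resolving again."""
    safe = [a for a in addresses if not address_is_blocked(a)]
    if not safe:
        raise ValueError("all resolved addresses are in blocked networks")
    return safe


def is_allowed(param):
    """Boolean form of validate_fetch_url for callers that only need a verdict."""
    try:
        validate_fetch_url(param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for url in ("https://attachments.example.internal/files/ticket-42.pdf",
                "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                "/etc/passwd"):
        print(url, "->", "allowed" if is_allowed(encode_download_param(url)) else "rejected")
```

Two design points: the allowlist, not the blocklist, is the primary control, so decimal or hexadecimal spellings of an address that `ipaddress` does not parse are still rejected because they are not an allowlisted name; and the resolved-address check exists because validating the URL string alone says nothing about where the name will resolve at connect time.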

Sending a GET request to the following endpoint lists the roles attached to the current EC2 instance:

After base64 encoding http://169.254.169.254/latest/meta-data/iam/security-credentials/, I was able to obtain the target’s AWS access credentials.

AWS Credentials

Pacu can be used with the discovered credentials to enumerate the privileges they carry and to attempt privilege escalation.

What is Pacu?

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

Through the Pacu tool, it was possible to access the AWS console in the browser:

Getting console access via Pacu

Access to the AWS console, from which we can reach our target’s infrastructure.

AWS Console Access

Finally, we were able to exploit the “Path Traversal” vulnerability by base64 encoding “/etc/passwd”, thus obtaining system information.

“/etc/passwd” base64 encoded

Extra: In addition to compromising the target’s AWS cloud environment, we can also explore the target’s internal network through the pivoting technique.

Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility.

It is possible to discover and scan new hosts on other networks that the victim host is connected to.

Thanks for reading. =)

Offensive Security | Cyber Security | Security Researcher | Red Team | Pentest