Activity log for bug #1765402

Date Who What changed Old value New value Message
2018-04-19 13:10:50 b bug added bug
2018-04-19 13:10:50 b attachment added simple script to exploit the SSRF (password username and url to attack must be changed manually in the script) https://bugs.launchpad.net/bugs/1765402/+attachment/5122634/+files/ssrf_scanner.py
2018-06-25 00:46:19 b bug added subscriber OpenStack Vulnerability Management team
2018-06-25 00:54:27 Jeremy Stanley bug added subscriber Heat Core security contacts
2018-06-25 14:58:00 Jeremy Stanley information type Private Security Public
2018-08-07 09:04:05 b description
  Old value:
    Hello,

    I found an SSRF vulnerability in the "Stack Preview" functionality. This functionality can be reached like this:
    - on the left hand side menu (of the horizon dashboard) click "Orchestration"
    - then from the submenu select "Stacks"
    - then on the right of the screen the button "Preview Stack" is present.
    - then in the "Template Source" it is possible to select "URL" and choose an arbitrary address including internal IP addresses.

    The result can be retrieved from the "alert-danger" div tag class in the server response. This makes it possible to perform GET requests on arbitrary ports and IPs (external or internal).

    The code that is being executed during the URL request is located here:

        heat/common/urlfetch.py

        def get(url, allowed_schemes=('http', 'https')):
            """Get the data at the specified URL.

            The URL must use the http: or https: schemes.
            The file: scheme is also supported if you override
            the allowed_schemes argument.

            Raise an IOError if getting the data fails.
            """
            LOG.info('Fetching data from %s', url)
            components = urllib.parse.urlparse(url)
            if components.scheme not in allowed_schemes:
                raise URLFetchError(_('Invalid URL scheme %s') % components.scheme)

            if components.scheme == 'file':
                try:
                    return urllib.request.urlopen(url).read()
                except urllib.error.URLError as uex:
                    raise URLFetchError(_('Failed to retrieve template: %s') % uex)

    available on https://github.com/openstack/heat as seen in the recent commit "7271252add45e600e9af2e68fe4700151367fec7" (date: April 12 13:28:57 2018).

    Possible results include:

        http://127.0.0.1:8080 <urlopen error [Errno 113] No route to host>
        http://127.0.0.1:8080 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:22 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:80 <urlopen error [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:590)>

    Which gives the attacker a good idea of which port is open and what IP addresses are reachable.

    I attach in the attachment a simple exploitation script.

    If this bug is confirmed by your team I would kindly ask to put my name on a security contributors list (if you have some kind of hall of fame for security researchers or something like that). It is always cool to be mentioned somewhere. Other than that an OpenStack T-shirt would be a nice reward. :)

    Best regards,
    Jan
  New value:
    Hello,

    I found an SSRF vulnerability in the "Stack Preview" functionality. This functionality can be reached like this:
    - on the left hand side menu (of the horizon dashboard) click "Orchestration"
    - then from the submenu select "Stacks"
    - then on the right of the screen the button "Preview Stack" is present.
    - then in the "Template Source" it is possible to select "URL" and choose an arbitrary address including internal IP addresses.

    The result can be retrieved from the "alert-danger" div tag class in the server response. This makes it possible to perform GET requests on arbitrary ports and IPs (external or internal).

    The code that is being executed during the URL request is located here:

        heat/common/urlfetch.py

        def get(url, allowed_schemes=('http', 'https')):
            """Get the data at the specified URL.

            The URL must use the http: or https: schemes.
            The file: scheme is also supported if you override
            the allowed_schemes argument.

            Raise an IOError if getting the data fails.
            """
            LOG.info('Fetching data from %s', url)
            components = urllib.parse.urlparse(url)
            if components.scheme not in allowed_schemes:
                raise URLFetchError(_('Invalid URL scheme %s') % components.scheme)

            if components.scheme == 'file':
                try:
                    return urllib.request.urlopen(url).read()
                except urllib.error.URLError as uex:
                    raise URLFetchError(_('Failed to retrieve template: %s') % uex)

    available on https://github.com/openstack/heat as seen in the recent commit "7271252add45e600e9af2e68fe4700151367fec7" (date: April 12 13:28:57 2018).

    Possible results include:

        http://127.0.0.1:8080 <urlopen error [Errno 113] No route to host>
        http://127.0.0.1:8080 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:22 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:80 <urlopen error [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:590)>

    Which gives the attacker a good idea of which port is open and what IP addresses are reachable.

    I attach in the attachment a simple exploitation script.

    Best regards,
2018-08-07 09:06:24 b description
  Old value: identical to the new value of the 09:04:05 entry above.
  New value:
    Hello,

    I found an SSRF vulnerability in the "Stack Preview" functionality. This functionality can be reached like this:
    - on the left hand side menu (of the horizon dashboard) click "Orchestration"
    - then from the submenu select "Stacks"
    - then on the right of the screen the button "Preview Stack" is present.
    - then in the "Template Source" it is possible to select "URL" and choose an arbitrary address including internal IP addresses.

    The result can be retrieved from the "alert-danger" div tag class in the server response. This makes it possible to perform GET requests on arbitrary ports and IPs (external or internal).

    The code that is being executed during the URL request is located here:

        heat/common/urlfetch.py

        def get(url, allowed_schemes=('http', 'https')):
            """Get the data at the specified URL.

            The URL must use the http: or https: schemes.
            The file: scheme is also supported if you override
            the allowed_schemes argument.

            Raise an IOError if getting the data fails.
            """
            LOG.info('Fetching data from %s', url)
            components = urllib.parse.urlparse(url)
            if components.scheme not in allowed_schemes:
                raise URLFetchError(_('Invalid URL scheme %s') % components.scheme)

            if components.scheme == 'file':
                try:
                    return urllib.request.urlopen(url).read()
                except urllib.error.URLError as uex:
                    raise URLFetchError(_('Failed to retrieve template: %s') % uex)

    available on https://github.com/openstack/heat as seen in the recent commit "7271252add45e600e9af2e68fe4700151367fec7" (date: April 12 13:28:57 2018).

    Possible results include:

        http://127.0.0.1:8080 <urlopen error [Errno 113] No route to host>
        http://127.0.0.1:8080 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:22 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:80 <urlopen error [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:590)>

    Which gives the attacker a good idea of which ports are open and what IP addresses are reachable.

    I attach in the attachment a simple exploitation script.

    Best regards,
2018-08-07 09:06:50 b description
  Old value: identical to the new value of the 09:06:24 entry above.
  New value:
    Hello,

    I found an SSRF vulnerability in the "Stack Preview" functionality. This functionality can be reached like this:
    - on the left hand side menu (of the horizon dashboard) click "Orchestration"
    - then from the submenu select "Stacks"
    - then on the right of the screen the button "Preview Stack" is present.
    - then in the "Template Source" it is possible to select "URL" and choose an arbitrary address including internal IP addresses.

    The result can be retrieved from the "alert-danger" div tag class in the server response. This makes it possible to perform GET requests on arbitrary ports and IPs (external or internal).

    The code that is being executed during the URL request is located here:

        heat/common/urlfetch.py

        def get(url, allowed_schemes=('http', 'https')):
            """Get the data at the specified URL.

            The URL must use the http: or https: schemes.
            The file: scheme is also supported if you override
            the allowed_schemes argument.

            Raise an IOError if getting the data fails.
            """
            LOG.info('Fetching data from %s', url)
            components = urllib.parse.urlparse(url)
            if components.scheme not in allowed_schemes:
                raise URLFetchError(_('Invalid URL scheme %s') % components.scheme)

            if components.scheme == 'file':
                try:
                    return urllib.request.urlopen(url).read()
                except urllib.error.URLError as uex:
                    raise URLFetchError(_('Failed to retrieve template: %s') % uex)

    available on https://github.com/openstack/heat as seen in the recent commit "7271252add45e600e9af2e68fe4700151367fec7" (date: April 12 13:28:57 2018).

    Possible results include:

        http://127.0.0.1:8080 <urlopen error [Errno 113] No route to host>
        http://127.0.0.1:8080 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:22 <urlopen error [Errno 111] Connection refused>
        http://127.0.0.1:80 <urlopen error [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:590)>

    Which gives the attacker a good idea of which ports are open and what IP addresses are reachable.

    In the attachment you can find a simple exploitation script.

    Best regards,
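The urlfetch helper quoted in the report checks only the URL scheme: nothing restricts where the host resolves, and the urlopen error text that reaches the dashboard's "alert-danger" element is what lets a caller tell an open port from a closed one. The following is an added example, not Heat's code and not part of the bug report, showing the two defender-side checks that close both gaps: resolve the host once, refuse any answer that is not globally routable (loopback, RFC 1918, link-local such as the metadata address, IPv4-mapped IPv6 forms), connect to the vetted address rather than re-resolving, and collapse every transport failure into one generic message. The function names, MAX_SIZE, and the constructed resolver and opener are assumptions made for illustration; the fixtures let the policy run offline.

```python
"""Hardened template-URL fetch policy (added example, not Heat's code).

Names, MAX_SIZE and the constructed DNS/transport fixtures are assumptions.
"""
import ipaddress
import socket
import urllib.parse

ALLOWED_SCHEMES = ('http', 'https')
GENERIC_FAILURE = 'Failed to retrieve template'   # no errno, host or port in the message
MAX_SIZE = 512 * 1024                             # assumed cap on template bytes


class URLFetchError(IOError):
    """Raised for every rejected or failed fetch."""


def _is_public(ip_text):
    """True only for globally routable unicast addresses (v4, v6 and v4-mapped v6)."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped              # ::ffff:127.0.0.1 is still loopback
    return addr.is_global and not addr.is_multicast


def _system_resolver(host):
    """Default resolver: every address the OS returns for host (IP literals pass through)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_template_url(url, resolver=_system_resolver, allowed_schemes=ALLOWED_SCHEMES):
    """Return (scheme, host, port, ip, path) for a URL that passes policy.

    The host is resolved once, here; the caller must connect to the returned
    ip, because re-resolving at connect time reopens a rebinding window.
    Policy rejections say only 'URL not allowed' and reveal nothing about
    the network behind the service.
    """
    parts = urllib.parse.urlparse(url)
    if parts.scheme not in allowed_schemes:
        raise URLFetchError('Invalid URL scheme %s' % parts.scheme)
    host = parts.hostname
    if not host:
        raise URLFetchError('URL not allowed')
    try:
        port = parts.port or (443 if parts.scheme == 'https' else 80)
    except ValueError:                   # non-numeric or out-of-range port
        raise URLFetchError('URL not allowed') from None
    try:
        addresses = resolver(host)
    except OSError:                      # DNS failure: same message as any transport error
        raise URLFetchError(GENERIC_FAILURE) from None
    try:
        # Every record must be public; a single internal A record is enough to reject.
        allowed = bool(addresses) and all(_is_public(a) for a in addresses)
    except ValueError:                   # resolver answer that is not an IP address
        allowed = False
    if not allowed:
        raise URLFetchError('URL not allowed')
    path = (parts.path or '/') + ('?' + parts.query if parts.query else '')
    return parts.scheme, host, port, addresses[0], path


def fetch_template(url, opener, resolver=_system_resolver, max_size=MAX_SIZE):
    """Fetch a vetted URL via opener(scheme, ip, port, host, path) -> bytes.

    The opener is injected so the policy can run offline; a real one opens the
    socket to ip, sends 'Host: host' and, for https, verifies the certificate
    against host.
    """
    scheme, host, port, ip, path = vet_template_url(url, resolver)
    try:
        body = opener(scheme, ip, port, host, path)
    except OSError:
        # errno/strerror are dropped on purpose: that detail was the open/closed-port oracle.
        raise URLFetchError(GENERIC_FAILURE) from None
    if len(body) > max_size:
        raise URLFetchError('Template exceeds maximum size')
    return body


# --- constructed fixtures so the policy can be exercised without a network ---

def constructed_resolver(host):
    """Stand-in for DNS with constructed answers (not real records)."""
    table = {
        'templates.example.com': ['8.8.8.8'],            # stands in for any public address
        'rebind.example.com': ['8.8.8.8', '10.0.0.5'],   # mixed answer: must be rejected
        'metadata': ['169.254.169.254'],                 # link-local, never fetchable
    }
    if host in table:
        return table[host]
    try:
        return [str(ipaddress.ip_address(host))]          # literal IP: no lookup
    except ValueError:
        raise socket.gaierror(-2, 'Name or service not known') from None


def refusing_opener(scheme, ip, port, host, path):
    """Constructed transport that fails the way a closed port does."""
    raise ConnectionRefusedError(111, 'Connection refused')


def outcome(url, opener=refusing_opener):
    """Run the policy on one URL; return ('ok', body) or ('error', message)."""
    try:
        return 'ok', fetch_template(url, opener, resolver=constructed_resolver)
    except URLFetchError as exc:
        return 'error', str(exc)
```

Run `outcome()` over the URLs from the report and every internal target comes back as the same "URL not allowed", while a public host whose port is closed yields the generic failure string with no errno; the caller that renders the "alert-danger" message therefore has nothing to distinguish. Rejecting a hostname as soon as one of its records is internal is deliberate: a mixed answer is the shape a DNS-rebinding host takes.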