Mahara

Still SSRF vulnerability in external feed

Bug #1592276 reported by Aaron Wells on 2016-06-14

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	Medium	Aaron Wells	Mahara 16.10.0
15.04	Fix Released	Medium	Aaron Wells	Mahara 15.04.8
15.10	Fix Released	Medium	Aaron Wells	Mahara 15.10.4
16.04	Fix Released	Medium	Aaron Wells	Mahara 16.04.2

Bug Description

While taking another look at Bug 1397736 (SafeCURL) and Bug 1394820 (SSRF in external feed) I realized there are some problems with the patch https://reviews.mahara.org/4029 that I filed for the SSRF bug.

As a refresher here, the idea is that an attacker can do this:

1. Log in to Mahara
2. Create a page
3. Put an "External Feed" block on the page
4. Set the "Feed location" to "localhost:389"

Expected result: This meaningless URL does nothing, and the block config harmlessly errors out and asks them for a valid URL.

Actual result: They see an error message that tells them whether the web server has port 389 (unencrypted LDAP) open or not. If the error they see ends with "Recv failure: Connection reset by peer", they know the web server has a process listening on 389. If they see "Failed to connect to... Connection refused" they know it is not.

It's called an SSRF (Server Side Request Forgery) attack ( http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ ). As Hugh pointed out on that bug, the biggest problem with this vulnerability is that a user can use it to scan the network the web server is on, checking for machine names, IP addresses, and port numbers.

My patch 4029 was to add the "CURLOPT_PROTOCOLS" option to our Curl requests. This has the main effect of preventing an attacker from using an HTTP redirect to make Curl send a request to a non-HTTP protocol. But it doesn't at all mitigate all the information-gathering attacks, because it only limits the protocol section of the URL (i.e. "https://") and the structure of the request Curl makes. Crucially, it does not limit the port of the URL, you can still enter "http://localhost:389".

As such, it didn't mitigate any of those information-gathering attacks.

Tags:

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2016-06-14:

Fortunately, I've also realized it should be fairly easy to prevent those information gathering attacks through two steps:

1. Stop printing the underlying Curl error message in the form. The different Curl error responses are the main way the attacker can gather information from this attack. We should instead print something generic like "That feed URL appears to be invalid."

2. Add a random sleep interval to this process, to hinder detection based on timing.

If we do that, then the external feed block will become mostly useless for network exploration. (It'll still have some potential for abuse, but only the much less useful capability of sending HTTP "GET" requests without being able to see the response.)

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-06-14: A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/6599

Aaron Wells (u-aaronw) on 2016-06-14

information type:

Private Security → Public Security

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2016-06-14:

After doing a bit of researching into timing side channel attacks, I've learned that adding a random sleep() doesn't actually add much security. An attacker can just run multiple requests and average them out, and see which ones take longer on average.

More secure is to make your app delay its response for a pre-set amount of time, by making the request and then waiting out the rest of the pre-set delay. This can either be done with what's called a "WCET" (worst case execution time), i.e. pick a value that will be longer than a successful request; or it can be an unpredictable deterministic value, i.e. hash the input to an integer, and use that integer as your delay.

In testing, I found there was a dead giveaway when I found a valid DNS entry with a bad port number -- the block would take the full CURL timeout delay of 15 seconds to come back. So unfortunately, the only way to prevent information from leaking via timing, is to make sure that every unsuccessful request delays for 15 seconds before coming back. The good news is that at least this won't negatively impact people who enter a *correct* RSS URL. But it'll be annoying if you enter a URL with a typo.

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-06-30: A change has been merged

Reviewed: https://reviews.mahara.org/6599
Committed: https://git.mahara.org/mahara/mahara/commit/a6722cd94f01e55ed16efe724c56033fbb4173b0
Submitter: Son Nguyen (<email address hidden>)
Branch: master

commit a6722cd94f01e55ed16efe724c56033fbb4173b0
Author: Aaron Wells <email address hidden>
Date: Tue Jun 14 19:18:40 2016 +1200

Bug 1592276: External RSS feed can be used to probe network

behatnotneeded
Change-Id: I635bf6d685c79b26c24805efa0a63c79df6f6201

Aaron Wells (u-aaronw) on 2016-07-04

Changed in mahara:
status:	Confirmed → Fix Committed

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-04: A patch has been submitted for review

Patch for "16.04_STABLE" branch: https://reviews.mahara.org/6644

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-04:

Patch for "15.10_STABLE" branch: https://reviews.mahara.org/6645

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-04:

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/6646

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-05: A change has been merged

Reviewed: https://reviews.mahara.org/6646
Committed: https://git.mahara.org/mahara/mahara/commit/8825bed555a01013d66c3e5b16564f7ea05d7518
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 8825bed555a01013d66c3e5b16564f7ea05d7518
Author: Aaron Wells <email address hidden>
Date: Tue Jun 14 19:18:40 2016 +1200

Bug 1592276: External RSS feed can be used to probe network

behatnotneeded
Change-Id: I635bf6d685c79b26c24805efa0a63c79df6f6201
(cherry picked from commit a6722cd94f01e55ed16efe724c56033fbb4173b0)

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-05:

Reviewed: https://reviews.mahara.org/6644
Committed: https://git.mahara.org/mahara/mahara/commit/13a1712f4fd1a4eccfd54454e3449ca249d8dd89
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 13a1712f4fd1a4eccfd54454e3449ca249d8dd89
Author: Aaron Wells <email address hidden>
Date: Tue Jun 14 19:18:40 2016 +1200

Bug 1592276: External RSS feed can be used to probe network

behatnotneeded
Change-Id: I635bf6d685c79b26c24805efa0a63c79df6f6201
(cherry picked from commit a6722cd94f01e55ed16efe724c56033fbb4173b0)

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-05:

#10

Reviewed: https://reviews.mahara.org/6645
Committed: https://git.mahara.org/mahara/mahara/commit/3aa643be9b95a6b4443db7b6cd3c51a471c6b7d1
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 3aa643be9b95a6b4443db7b6cd3c51a471c6b7d1
Author: Aaron Wells <email address hidden>
Date: Tue Jun 14 19:18:40 2016 +1200

Bug 1592276: External RSS feed can be used to probe network

behatnotneeded
Change-Id: I635bf6d685c79b26c24805efa0a63c79df6f6201
(cherry picked from commit a6722cd94f01e55ed16efe724c56033fbb4173b0)

Robert Lyon (robertl-9) on 2016-10-21

Changed in mahara:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.