Lucene search

K
hackeroneVepeH1:1040166
HistoryNov 21, 2020 - 1:57 p.m.

curl: CVE-2020-8284: trusting FTP PASV responses

2020-11-2113:57:43
vepe
hackerone.com
50

EPSS

0.001

Percentile

45.3%

Summary:

The issue here arises from the fact that curl by default has the option CURLOPT_FTP_SKIP_PASV_IP disabled by default.
As a result, an attacker controlling the URL used by curl, can perform port scanning on behalf of the server where curl is running.
This can be achieved by setting up a custom FTP server that would setup the data channel through the PASV command using the port scanning target IP and port in the PASV connection info.
One good target for this issue are web applications vulnerable to SSRF.

Steps To Reproduce:

So we can differentiate between open, closed and filtered ports with the following:

  1. Open ports
    curl will reply with TYPE after the PASV command
    example:
    Received: USER anonymous in 5
    Received: PASS [email protected] in 5
    Received: PWD in 5ms
    Received: EPSV in 6ms
    Received: PASV in 6ms
    Received: TYPE I in 6ms
    Received: SIZE whatever in 5ms
    Received: RETR whatever in 5ms

  2. Filtered
    curl will timeout after the PASV command
    example:
    Received: USER anonymous in 6
    Received: PASS [email protected] in 5
    Received: PWD in 5ms
    Received: EPSV in 6ms
    Received: PASV in 5ms
    Received: in 1011ms

  3. Closed
    curl will close the control channel connection immediately after PASV
    example:
    Received: USER anonymous in 6ms
    Received: PASS [email protected] in 6ms
    Received: PWD in 5ms
    Received: EPSV in 5ms
    Received: PASV in 5ms
    Received: in 5ms

In the attachments, I have included an ftp server (F1088885) that automates these steps.
Usage:
./ssrf_pasvaggresvftp.sh -t 127.0.0.1/31 -p 80,8000-8100 -x ./ftp_curl.sh -vv

the file included in the -x option is supposed to trigger the ssrf on the target server that would lead to the call of curl with the attacker’s URL. In this case we simulate the issue by calling curl locally. The attachment F1088859 is the script used in the example.

Impact

Through the port scanning, an attacker could uncover services running in the internal network.
It could also be possible to perform version enumeration or other information disclosure if the attacker can get back the results of curl.
For example, an attacker points curl at host:22 for the data channel . If an ssh server is running on that host, then it will reply with its version which is then disclosed to the attacker.

Ultimately, this issue can be used as a stepping stone to launch further attacks on the vulnerable server.