This vulnerability allows attacker to send arbitrary requests to local network which hosts GitLab and read the response. This is possible due to flawed DNS rebinding protection.
The attack is possible due to flaw here: https://gitlab.com/gitlab-org/gitlab-ce/blob/108c3cf16bed5733ffae086fb62c226961356560/lib/gitlab/url_blocker.rb#L59
The validate
function performs DNS lookup to check whether the IP address of a domain belongs to the local network. If the IP address belongs to the local network, the validate
function raises an error and no HTTP request is sent. Furthermore, validate
returns URI as well as the IP address of the domain to protect against DNS rebinding attacks.
However, if validate
encounters an error while resolving the domain (for example, the domain does not resolve), the DNS rebinding protection is not applied.
http://990.hacker1.xyz
. It may return error but let’s ignore it now.http://169.254.169.254
returned.Wait about 15 seconds between testing attempts, otherwise it may not work due to DNS caching.
The code for proof-of-concept DNS server which hosts hacker1.xyz
is attached. The PoC uses a chain of CNAME records to prevent caching.
The outgoing HTTP requests from webhooks can be sent to the internal network.
It is expected that HTTP requests cannot be sent to the internal network.
F519096
Content of http://169.254.169.254
F519095
Content of http://127.0.0.1
This bug happens on GitLab.com
Attacker can use SSRF to access sensitive information on the internal network. Furthermore, SSRF in Google Cloud can be leveraged to Remote Code Execution depending on the setup. Publicly disclosed $25,000 #341876 describes a way to gain root access to Google Cloud server via a SSRF vulnerability.