New Relic: NR-wide cross account access through misconfigured CORS-policy of multiple endpoints

2019-12-05T01:11:31
ID H1:751699
Type hackerone
Reporter skavans
Modified 2020-08-13T13:30:10

Description

Hey guys,

While working on #746786, I discovered a NewRelic-wide CORS-policy misconfiguration leading to cross-account data theft and modification at a huge number of endpoints. The vulnerability itself is that the origin nr3.nr-assets.net is trusted NR-wide at many different endpoints, but this domain is used for serving user-supplied content, namely all nerdlet artifacts are stored at this domain. Thus, an attacker can place a malicious HTML page at this domain and execute many different requests on behalf of the victim after he/she visits this page.

I've crafted and uploaded to nr3.nr-assets.net a malicious HTML page which performs the following actions:
- reading current user info through GraphQL (actually, any GraphQL query could be executed instead);
- reading all of the account's user data, including emails, roles, names etc.;
- creating a new Insights/NR1 dashboard.

User creation, for instance, also works well, but I didn't include this payload in the PoC. If you need it as extra proof of severity, I can craft such a page.

Steps to reproduce

Navigate to https://nr3.nr-assets.net/artifact-index-production/0c5931dd-3151-442c-b4d7-d850299529d4/0.1.0/cors9.html and confirm that I can perform multiple actions on your behalf: {F650704}

Remediation

Currently the nr3.nr-assets.net domain is used for user-supplied artifacts (where every file type, including HTML, is rendered inline) and at the same time this domain is trusted NR-wide as a CORS origin. You should either move all user-supplied content to a separate sandbox domain (which isn't trusted anywhere) or correct the CORS policy on every server so that cross-origin requests from this domain are rejected.
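The following is an added illustration of the second remediation option, written for this write-up; it is not the reporter's PoC and not New Relic's code. It models the server-side decision behind Access-Control-Allow-Origin as an exact-match allowlist, audits that allowlist for the mistake the report describes (trusting an origin that renders user-uploaded files inline, here nr3.nr-assets.net as named in the report), and produces the hardened allowlist. The first-party origin https://app.example.com and the allowlist contents are constructed placeholders.

```javascript
// Added example, not New Relic's code. Node.js, no dependencies beyond the
// built-in URL class.

// Constructed allowlist for a hypothetical API server. 'https://app.example.com'
// stands in for a first-party web app; 'https://nr3.nr-assets.net' is the
// artifact host named in the report and is the entry that is wrong.
const WEAK_ALLOWLIST = ['https://app.example.com', 'https://nr3.nr-assets.net'];

// Hosts known to serve user-supplied files inline (from the report).
const USER_CONTENT_HOSTS = new Set(['nr3.nr-assets.net']);

// Decide the CORS response headers for a request carrying `origin`.
// Returns null when the origin is not trusted, meaning no ACAO header at all.
// Because the responses carry credentials, the header must echo one exact
// allowlisted origin; '*' is never valid together with Allow-Credentials.
function corsHeadersFor(origin, allowlist) {
  if (typeof origin !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null; // malformed Origin header: treat as untrusted
  }
  // Compare the normalised origin (scheme + host + port), never a substring
  // or prefix, so 'https://nr3.nr-assets.net.attacker.example' cannot match.
  if (!allowlist.includes(parsed.origin)) return null;
  return {
    'Access-Control-Allow-Origin': parsed.origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's ACAO to another
  };
}

// Flag allowlist entries whose host renders user-supplied content: any page
// uploaded there executes with that origin and therefore inherits every
// cross-account permission the allowlist grants to it.
function auditAllowlist(allowlist, userContentHosts) {
  const findings = [];
  for (const entry of allowlist) {
    let host;
    try {
      host = new URL(entry).hostname;
    } catch {
      findings.push({ origin: entry, reason: 'unparseable allowlist entry' });
      continue;
    }
    if (userContentHosts.has(host)) {
      findings.push({ origin: entry, reason: 'serves user-supplied content inline' });
    }
  }
  return findings;
}

// Remediation: drop every entry the audit flags.
function hardenAllowlist(allowlist, userContentHosts) {
  return allowlist.filter((e) => auditAllowlist([e], userContentHosts).length === 0);
}

const HARDENED_ALLOWLIST = hardenAllowlist(WEAK_ALLOWLIST, USER_CONTENT_HOSTS);

// Stand-alone demo: show the audit finding and the before/after decision for
// a request whose Origin is the user-content host.
console.log('audit findings:', auditAllowlist(WEAK_ALLOWLIST, USER_CONTENT_HOSTS));
console.log('weak:', corsHeadersFor('https://nr3.nr-assets.net', WEAK_ALLOWLIST));
console.log('hardened:', corsHeadersFor('https://nr3.nr-assets.net', HARDENED_ALLOWLIST));
```

With the weak allowlist the user-content origin receives a credentialed Access-Control-Allow-Origin and the browser hands the response to whatever page was uploaded there; with the hardened allowlist the same request gets no CORS headers and the browser blocks the read. The audit function is the piece worth running across every service's configuration, since the report's point is that the mistake was repeated at many endpoints rather than at one.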

Impact

NR-wide cross-account access for multiple actions.