
The ssrf vulnerability exists in the system. #402

Closed
chain312 opened this issue Jan 30, 2023 · 4 comments

@chain312

chain312 commented Jan 30, 2023

ISSUE TEMPLATE

Version used:
r2.0.14
Detailed description of the problem:
The SSRF vulnerability exists in the system.

After the admin logs in, create a new workflow, set the participant type to hook, and set the participant's hook_url parameter to an intranet address. Example: `{"hook_url": "http://127.0.0.1:8000/", "hook_token": "111", "wait": false, "extra_info": "111"}`

Select the workflow we created when creating a new work order.
Viewing the operation history of the work order, the system reports: Expecting "line 1 column 1 (char 0)".
When the accessed port is closed, "Connection refused" is returned, for example: `HTTPConnectionPool(host='127.0.0.1', port=8808): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1ad48cc048>: Failed to establish a new connection: [Errno 111] Connection refused',))`
In this way, we can judge whether a port on the intranet is open according to the different errors.
For example, if I set "hook_url" to http://127.0.0.1:6379, the error is `('Connection aborted.', RemoteDisconnected('Remote end closed connection without response',))`, so you can determine that a Redis service exists on the intranet.
In addition, packets can be sent to intranet services through this function, causing DoS attacks.

The cause of the leak:
There are no restrictions on the request address

@blackholll
Owner

A hacker who can configure the workflow, I think, can just use the telnet command to find the open ports.

@chain312
Author

> A hacker who can configure the workflow, I think, can just use the telnet command to find the open ports.

@blackholll The intranet port cannot be obtained through telnet. For example, 192.168.x.x is in the same network segment as the system; external telnet cannot reach this port, but the system host can send a payload to the intranet machine through the system vulnerability.

@blackholll
Owner

That makes sense for a SaaS situation.
Will you transform loonflow into a SaaS system?
In a non-SaaS situation, the workflow manager should be a colleague of the loonflow administrator; they are in the same network.

@blackholll
Owner

A new configuration item "HOOK_HOST_ALLOWED" was added in r2.0.16.
Since r2.0.16 is a bugfix version, it should not have DDL, so the configuration was just added to the config file.
r3.. may support storing the configuration in the db.
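As an added example of the allow-list fix the maintainer describes (this is not loonflow's own code, and the HOOK_HOST_ALLOWED format below, a list of hostnames or CIDR ranges, is an assumption; the page does not show the real format), the validator below covers both halves of the report above: the hook target must be explicitly allowed, loopback and link-local targets are refused even when listed, and every failure produces one uniform message so the work-order history can no longer tell "connection refused" apart from "connection reset". The DNS table and the resolver stub are constructed so the example runs offline.

```python
"""Allow-list check for workflow hook URLs.

Added example, not loonflow's own code. It assumes the HOOK_HOST_ALLOWED setting
announced for r2.0.16 is a list of hostnames or CIDR ranges; that format is an
assumption, since the page does not show the real one.
"""
import ipaddress
import logging
import socket
from urllib.parse import urlsplit

# Constructed example value for the setting: one hostname plus one intranet range
# that the admin deliberately allows hooks to reach (colleague-run services).
HOOK_HOST_ALLOWED = ["hooks.example.com", "10.20.0.0/16"]

# Refused even if listed: the report's probes targeted loopback, and link-local
# ranges carry cloud metadata services. Relax only with that trade-off in mind.
ALWAYS_DENIED = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "0.0.0.0/8")]

# One message for every failure, so the stored error cannot act as a port oracle.
REJECT_MSG = "hook_url is not allowed"

# Constructed offline stand-in for DNS so the example runs without a network.
FAKE_DNS = {"hooks.example.com": ["203.0.113.10"],
            "rebind.example": ["127.0.0.1"]}


def fake_resolver(host):
    """Mimics socket.gethostbyname_ex using the constructed FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return host, [], FAKE_DNS[host]


class HookUrlRejected(ValueError):
    pass


def _parse_allowlist(entries):
    """Split HOOK_HOST_ALLOWED into exact hostnames and IP networks."""
    hosts, nets = set(), []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:                     # not an IP/CIDR, treat as hostname
            hosts.add(entry.lower())
    return hosts, nets


def validate_hook_url(url, allowed=None, resolver=socket.gethostbyname_ex):
    """Return url if its target is allowed; raise HookUrlRejected otherwise."""
    hosts, nets = _parse_allowlist(HOOK_HOST_ALLOWED if allowed is None else allowed)
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        raise HookUrlRejected(REJECT_MSG)
    try:
        addresses = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        try:                                               # hostname: resolve it
            addresses = [ipaddress.ip_address(a) for a in resolver(host)[2]]
        except (OSError, ValueError):
            raise HookUrlRejected(REJECT_MSG) from None
    # Every resolved address is checked, so a name that points at 127.0.0.1
    # fails even when the name itself is on the list.
    if not addresses or any(a in d for a in addresses for d in ALWAYS_DENIED):
        raise HookUrlRejected(REJECT_MSG)
    if host.lower() in hosts or all(any(a in n for n in nets) for a in addresses):
        return url
    raise HookUrlRejected(REJECT_MSG)


def is_hook_url_allowed(url, allowed=None, resolver=fake_resolver):
    """Boolean wrapper around validate_hook_url (offline resolver by default)."""
    try:
        validate_hook_url(url, allowed, resolver)
        return True
    except HookUrlRejected:
        return False


def record_hook_outcome(exc, log=logging.getLogger("hooks")):
    """Message for the work-order operation history after a hook call.

    Transport details (refused, reset, bad JSON) stay in the server log; the
    history gets one uniform string, so it no longer reveals which ports answer.
    """
    if exc is None:
        return "hook delivered"
    log.warning("hook delivery failed: %r", exc)
    return "hook delivery failed"


if __name__ == "__main__":
    for u in ("http://hooks.example.com/notify", "http://10.20.30.40:8000/",
              "http://127.0.0.1:6379/", "http://rebind.example/", "http://192.168.1.5/"):
        print(u, "->", "allowed" if is_hook_url_allowed(u) else REJECT_MSG)
```

The check runs when the hook participant is saved and again right before the request is sent, with the resolved addresses checked each time, so a DNS name that is later re-pointed at an internal host is still caught. Because the maintainer's non-SaaS deployments legitimately call colleague-run intranet services, intranet ranges are allowed when the admin lists them explicitly; only loopback and link-local stay denied unconditionally.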
