graphite.composer.views.send_email vulnerable to SSRF #2008

Open
alex opened this issue Jul 28, 2017 · 15 comments

Comments

@alex alex commented Jul 28, 2017

(I didn't discover this, it was publicly described here: http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)

https://github.com/graphite-project/graphite-web/blob/master/webapp/graphite/composer/views.py#L95-L102

Some sort of validation should be performed on the server component of the URL (possibly a whitelist in settings? I'm not overly familiar with the design of this module). Currently it's possible to use this view to make HTTP requests to services visible from the server.

@JLLeitschuh JLLeitschuh commented Oct 1, 2019

Hi,

So this vulnerability is still live, and this could 100% be abused to exploit the servers publicly exposing the Graphite server here:

https://www.shodan.io/search?query=Graphite+Browser

Here are the vulnerable lines:

```python
# Imports the function relies on; the issue snippet omitted them. These are
# the Python 2 module names that match the httplib-era API used below.
from httplib import HTTPConnection
from smtplib import SMTP
from socket import gethostname
from time import ctime, strftime
from traceback import format_exc
from urlparse import urlsplit
from email.MIMEImage import MIMEImage
from email.MIMEMultipart import MIMEMultipart
from email.MIMEText import MIMEText
from django.conf import settings
from django.http import HttpResponse


def send_email(request):
    try:
        recipients = request.GET['to'].split(',')
        url = request.GET['url']
        # 'server' is the raw netloc (user:pass@host:port) of the
        # client-supplied URL; it is handed to HTTPConnection unchecked.
        proto, server, path, query, frag = urlsplit(url)
        if query: path += '?' + query
        conn = HTTPConnection(server)
        conn.request('GET',path)
        try: # Python 2.7+, use buffering of HTTP responses
            resp = conn.getresponse(buffering=True)
        except TypeError: # Python 2.6 and older
            resp = conn.getresponse()
        assert resp.status == 200, "Failed HTTP response %s %s" % (resp.status, resp.reason)
        rawData = resp.read()
        conn.close()
        message = MIMEMultipart()
        message['Subject'] = "Graphite Image"
        message['To'] = ', '.join(recipients)
        message['From'] = 'composer@%s' % gethostname()
        text = MIMEText( "Image generated by the following graphite URL at %s\r\n\r\n%s" % (ctime(),url) )
        image = MIMEImage( rawData )
        image.add_header('Content-Disposition', 'attachment', filename="composer_" + strftime("%b%d_%I%M%p.png"))
        message.attach(text)
        message.attach(image)
        s = SMTP(settings.SMTP_SERVER)
        s.sendmail('composer@%s' % gethostname(),recipients,message.as_string())
        s.quit()
        return HttpResponse( "OK" )
    except:
        # Bare except: any failure (including the assert message carrying the
        # fetched target's status and reason) goes back to the caller as a traceback.
        return HttpResponse( format_exc() )
```

A simple version of this exploit would be to chain this together with an SSRF attack against AWS to steal very valuable information and rack up a very sizable AWS bill. Given the code paths that I've seen, I know that this is most likely possible.

This should 100% have a CVE number assigned to it.


@orangetw: Can you please make sure you sweep up after yourself when you disclose a vulnerability at large hacker conferences like Defcon? ❤️

@JLLeitschuh JLLeitschuh commented Oct 2, 2019

One way to fix this issue would be to convert that endpoint from accepting HTTP GET requests to accepting only Cross Site Request Forgery (CSRF) protected POST requests that require a user to be logged in.

Part of the problem with this though is that Graphina ships with the default credentials of root root. I'd advise also preventing the use of this endpoint (at minimum) if the user is detected to still have the default credentials.

@JLLeitschuh JLLeitschuh commented Oct 2, 2019

Also, I'd recommend limiting the outgoing request so that it can only be made against known safe/trusted endpoints.

Also, I stand by this needing a CVE.
If you want to use the GitHub process to get this, consider moving this discussion to a security advisory (and including all of us in it).

https://github.com/graphite-project/graphite-web/security/advisories
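The opening comment's suggestion (validate the server component of the URL against an allowlist in settings) and the "known safe/trusted endpoints" point above describe the same control. What follows is an added example of such a validator, not code from graphite-web or from any commenter; `ALLOWED_RENDER_HOSTS`, the `/render` path prefix and the 2048-byte length cap are constructed assumptions for illustration. The point it demonstrates is that decisions are made on the parsed hostname and port, never on the raw netloc that the original `send_email` passed straight to `HTTPConnection`, so userinfo, IP literals, unexpected ports, foreign schemes and `..` path segments are all rejected before any connection is opened.

```python
import ipaddress
from typing import FrozenSet, NamedTuple, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this example: render hosts the composer may fetch
# images from, as "host:port". A real deployment would load this from settings.
ALLOWED_RENDER_HOSTS: FrozenSet[str] = frozenset({
    "graphite.example.org:80",
    "graphite.example.org:443",
})
# Assumption for this example: the composer only ever emails rendered graphs.
ALLOWED_PATH_PREFIXES: Tuple[str, ...] = ("/render",)
DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_URL_LEN = 2048


class UnsafeGraphURL(ValueError):
    """Raised when a client-supplied URL fails the allowlist checks."""


class SafeTarget(NamedTuple):
    scheme: str
    host: str
    port: int
    path: str  # path plus query, the form the original handler gave conn.request


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def validate_graph_url(url: str,
                       allowed_hosts: FrozenSet[str] = ALLOWED_RENDER_HOSTS,
                       allowed_prefixes: Tuple[str, ...] = ALLOWED_PATH_PREFIXES
                       ) -> SafeTarget:
    """Return the parsed, allowlisted target or raise UnsafeGraphURL."""
    if len(url) > MAX_URL_LEN:
        raise UnsafeGraphURL("URL too long")
    try:
        parts = urlsplit(url)
        port = parts.port  # property access validates the port syntax
    except ValueError as exc:  # malformed netloc, e.g. "host:abc"
        raise UnsafeGraphURL("malformed URL") from exc
    if parts.scheme not in DEFAULT_PORTS:
        raise UnsafeGraphURL("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise UnsafeGraphURL("userinfo in URL is not allowed")
    host = parts.hostname  # urlsplit lowercases it; it excludes userinfo and port
    if not host:
        raise UnsafeGraphURL("missing host")
    host = host.rstrip(".")  # "example.org." names the same zone as "example.org"
    if _is_ip_literal(host):
        raise UnsafeGraphURL("IP literals are not allowed; allowlist by name")
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    if "%s:%d" % (host, port) not in allowed_hosts:
        raise UnsafeGraphURL("host not in allowlist: %s:%d" % (host, port))
    path = parts.path
    if ".." in path.split("/") or not path.startswith(allowed_prefixes):
        raise UnsafeGraphURL("path not allowed: %r" % path)
    if parts.query:
        path += "?" + parts.query
    return SafeTarget(parts.scheme, host, port, path)


def is_safe_graph_url(url: str) -> bool:
    """Boolean form of validate_graph_url, for callers that only need yes/no."""
    try:
        validate_graph_url(url)
    except UnsafeGraphURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one acceptable render URL and a few shapes a validator must refuse.
    for candidate in (
        "http://graphite.example.org/render?target=a&from=-1h",
        "http://user@graphite.example.org/render",
        "http://127.0.0.1:8080/render",
        "file:///etc/passwd",
        "http://graphite.example.org/render/../admin",
    ):
        print("accept" if is_safe_graph_url(candidate) else "reject", candidate)
```

The validator only decides whether a connection may be opened; an allowlist by name still trusts DNS for that name, so it complements rather than replaces the CSRF-protected, login-required POST suggested above, or removing the endpoint altogether, which is where this thread ends up.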

@JLLeitschuh JLLeitschuh commented Oct 3, 2019

@deniszh Can you also create another security advisory for something else I need to report?

@deniszh deniszh (Member) commented Oct 3, 2019

Hi @JLLeitschuh ,

Sorry, I'm not really aware of GitHub security advisories and how they work. Created for both issues, added you to collaborators.

@orangetw orangetw commented Oct 4, 2019

Oops, I only reported to GitHub at that time. Sorry for that :(

@deniszh deniszh (Member) commented Oct 11, 2019

OK, I checked this send_email function and didn't find any good use for it in the code. It was imported during initial import 12 years ago and also not documented in API docs.

I think we just need to remove it.

Opinions? @DanCech @iksaif @piotr1212 @cbowman0 ?

@alex alex (Author) commented Oct 11, 2019

I haven't used graphite in several years, and just filed this since I care about the security and health of the internet. From my perspective, deleting code is a great solution to security issues!

@DanCech DanCech (Member) commented Oct 11, 2019

+1 for just removing it. I don't see anywhere in the code that uses it.

@deniszh deniszh (Member) commented Oct 11, 2019

Please also note that sending email from the Dashboard is implemented in a completely different commit, e2a70d8, and does not use the send_email function at all.

@carnil carnil commented Oct 12, 2019

This issue was assigned CVE-2017-18638.

deniszh added a commit to deniszh/graphite-web that referenced this issue Oct 13, 2019
deniszh added a commit that referenced this issue Oct 13, 2019
Fixing CVE-2017-18638 (issue #2008)

@deniszh deniszh (Member) commented Oct 13, 2019

Fix merged into master, and the 0.9.x and 1.0.x branches. I'm preparing a backport to the current 1.1.x branch and am going to release Graphite 1.1.6 shortly.

deniszh added a commit that referenced this issue Oct 13, 2019
Fixing CVE-2017-18638 (issue #2008)
@deniszh deniszh (Member) commented Oct 24, 2019

OK, advisory is published - GHSA-vfj6-275q-4pvm
