Listen to this Post
The vulnerabilities exist due to insufficient URL validation and insecure HTTP client configurations. In the Manager’s API, the `CreatePreheat` function accepts a user-supplied URL (json.URL) during job creation. The `parseAccessURL` function performs weak validation, allowing attackers to provide URLs pointing to internal, non-public services. A second vector in the P2P protocol allows a peer to trigger the `pieceManager.DownloadSource` method, which internally calls `httpSourceClient.GetMetadata` to fetch from an arbitrary, attacker-controlled URL. Furthermore, the HTTP clients do not disable redirects, enabling a malicious server to redirect a request to an internal service, bypassing initial validation checks.
Platform: DragonFly2
Version: <2.1.0
Vulnerability: SSRF
Severity: Critical
date: 2023-07-11
Prediction: 2023-07-25
What Undercode Say:
curl -X POST -H "Content-Type: application/json" -d '{"type":"preheat","url":"http://169.254.169.254/latest/meta-data/"}' http://target-manager:8080/api/v1/jobs
func (p preheat) CreatePreheat(ctx context.Context, schedulers []models.Scheduler, json types.PreheatArgs) (internaljob.GroupJobState, error) {
url := json.URL // User-controlled input
// ... weak validation via parseAccessURL
}
How Exploit:
Exploit the Manager API by submitting a job with a URL targeting internal metadata services or internal network endpoints. Abuse peer-to-peer communication to force other peers to make requests to internal systems. Use a malicious HTTP server that responds with a 3xx redirect to an internal IP address.
Protection from this CVE:
Upgrade to v2.1.0.
Impact:
Internal Network Access, Information Disclosure.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

