DragonFly2, Server-Side Request Forgery (SSRF), CVE-2023-37598 (Critical)

Listen to this Post

The vulnerabilities exist due to insufficient URL validation and insecure HTTP client configurations. In the Manager’s API, the `CreatePreheat` function accepts a user-supplied URL (json.URL) during job creation. The `parseAccessURL` function performs weak validation, allowing attackers to provide URLs pointing to internal, non-public services. A second vector in the P2P protocol allows a peer to trigger the `pieceManager.DownloadSource` method, which internally calls `httpSourceClient.GetMetadata` to fetch from an arbitrary, attacker-controlled URL. Furthermore, the HTTP clients do not disable redirects, enabling a malicious server to redirect a request to an internal service, bypassing initial validation checks.
Platform: DragonFly2
Version: <2.1.0
Vulnerability: SSRF
Severity: Critical

date: 2023-07-11

Prediction: 2023-07-25

What Undercode Say:

curl -X POST -H "Content-Type: application/json" -d '{"type":"preheat","url":"http://169.254.169.254/latest/meta-data/"}' http://target-manager:8080/api/v1/jobs
func (p preheat) CreatePreheat(ctx context.Context, schedulers []models.Scheduler, json types.PreheatArgs) (internaljob.GroupJobState, error) {
url := json.URL // User-controlled input
// ... weak validation via parseAccessURL
}

How Exploit:

Exploit the Manager API by submitting a job with a URL targeting internal metadata services or internal network endpoints. Abuse peer-to-peer communication to force other peers to make requests to internal systems. Use a malicious HTTP server that responds with a 3xx redirect to an internal IP address.

Protection from this CVE:

Upgrade to v2.1.0.

Impact:

Internal Network Access, Information Disclosure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top