Directus vulnerable to Server-Side Request Forgery On File Import
Description

### Summary
Directus versions

```ts
try {
  // The deny-list validation has already resolved the hostname of importURL once;
  // axios resolves it again here, issuing a second, independent DNS query.
  await axios.get(encodeURL(importURL), {
    responseType: 'stream',
  });
} catch (err: any) {
  logger.warn(err, `Couldn't fetch file from url "${importURL}"`);
  throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
    service: 'external-file',
  });
}
```

However, the validation check and the later fetch each trigger their own DNS query, and that gap makes a DNS rebinding attack possible. On the first query, an attacker-controlled name server answers with an external IP address that is not on the deny list, so the validation passes. When `axios` then resolves the same name again for the actual request, the name server answers with an internal IP address, and the request is sent to the internal host.

### PoC
To demonstrate this we use an online tool named [rebinder](https://lock.cmpxchg8b.com/rebinder.html). Rebinder encodes two IP addresses in a subdomain and answers each query for that name with one of them at random. For example, `7f000001.8efa468e.rbndr.us` resolves to either `142.250.70.142` (google.com) or **`127.0.0.1`**. Sending repeated `POST` requests to `/files/import` with this domain will eventually produce an attempt in which the name resolves to `142.250.70.142` first, passing the validation, and then to `127.0.0.1` when `axios` is called, fetching the sensitive file from the internal server.

The following screenshots show what it looks like when a successful attack occurs.

*Downloading a file named `secret.txt` from a web server listening on the loopback interface (`https://127.0.0.1/secret.txt`)*
![image](https://user-images.githubusercontent.com/6276577/218124035-26f7f0c3-47b3-424d-b4d4-bd3b47161983.png)

*Receiving the request from the internal server. Note that the incoming connection is from **127.0.0.1**.*
![image](https://user-images.githubusercontent.com/6276577/218124119-87b8d5d6-934d-4e07-be4d-066616a9a435.png)

*After downloading the file it leaks the content of the secret file.*
![image](https://user-images.githubusercontent.com/6276577/218122210-87b2e478-1081-4830-a9ea-e5d9f39bb129.png)

### Impact
An attacker can exploit this vulnerability to reach internal servers that are not exposed externally and steal sensitive information from them. A common case is a cloud environment that uses an internal API for machine and privilege management: for example, if `directus` is hosted on an AWS EC2 instance with an IAM role attached, the attacker can use this vulnerability to read the instance's AWS access keys from the instance metadata service and impersonate the EC2 instance against the AWS API.
