

What is SSRF (CVE-2022-4096) via DNS Rebinding?
Overview of DNS Rebinding:
DNS rebinding is a technique for manipulating how a domain name resolves, and it is commonly used as an attack. In the classic browser form, a malicious web page gets the visitor's browser to run a client-side script that then talks to other machines on the local network. In theory the same-origin policy prevents this: a client-side script may only access content on the host that served it. In practice the policy compares domain names, not IP addresses, so an attacker who controls the DNS for a name can have it resolve to an attacker-controlled address first and to an internal address later, and the name-based check never notices. The same time-of-check/time-of-use gap exists in server-side SSRF filters: if the server resolves a hostname once to validate it and the HTTP client resolves it again to connect, the two lookups can return different addresses.
Using DNS Rebinding Found within Appsmith SSRF:
Note: Appsmith is used to create, deploy, and maintain internal tools.
GitHub - appsmithorg/appsmith: Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
Let's create a host name through DNS rebinding to bypass SSRF restrictions!

DNS Rebinding
We can see that our created hostname is associated with two different IP addresses.
Dig command
Now, create the vulnerable function for the new API and Elasticsearch.

Vulnerable Functions
Now, append the created hostname to the URL field and click to execute. I received a response saying 'host not allowed'.

Response of 'host not allowed'
After running it again, I received a successful response containing the AWS cloud metadata path.

AWS metadata path
Now, I added the 'latest' path to the URL and ran it again, and this time I got a 404 (The server hit the IP I used in DNS rebinding).

404 Response
Now, through continuous trial and error (repeatedly clicking 'Run' until receiving a response) and adding methods and paths to the URL (based on the responses I received), I successfully obtained AWS keys.

Successfully Obtained AWS Keys
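The "keep clicking Run" behaviour above is the check-then-connect race in action. The following Python is an added example (not Appsmith's code and not from the original post) that simulates it offline: a constructed resolver hands out the two addresses of a rebinding hostname in turn, a vulnerable fetch validates on one lookup and connects on a second, and a hardened fetch resolves once and pins the connection to the address it checked. The hostname `rebind.example`, the placeholder public IP `8.8.8.8` and the `fake_backend` responses are assumptions made for the simulation; only `169.254.169.254` (the AWS metadata endpoint the write-up reached) is taken from the page.

```python
import ipaddress
import itertools
from typing import Callable, Iterable, List

# Constructed addresses for the simulation (assumptions, not from the
# write-up, apart from the AWS metadata endpoint). 8.8.8.8 stands in for
# whatever public IP the rebinding hostname advertises next to the internal one.
PUBLIC_IP = "8.8.8.8"
METADATA_IP = "169.254.169.254"   # AWS IMDS; what the write-up's query reached


def make_rebinding_resolver(answers: Iterable[str]) -> Callable[[str], str]:
    """Simulate a rebinding hostname: each lookup returns the next address.

    A real rebinding service publishes two A records (or very short TTLs and
    changing answers), so consecutive lookups of the same name can land on
    different IPs. Cycling deterministically keeps the demo reproducible.
    """
    cycle = itertools.cycle(list(answers))
    return lambda hostname: next(cycle)


def is_blocked(ip: str) -> bool:
    """Address-level SSRF deny list: anything that is not globally routable."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def vulnerable_fetch(hostname: str, resolve, connect) -> str:
    """Check-then-connect with two lookups: the TOCTOU that rebinding abuses."""
    if is_blocked(resolve(hostname)):          # lookup 1: the allow-list check
        raise PermissionError("host not allowed")
    return connect(resolve(hostname))          # lookup 2: the HTTP client's own


def hardened_fetch(hostname: str, resolve, connect) -> str:
    """Resolve once, validate that answer, and connect to that exact address."""
    ip = resolve(hostname)
    if is_blocked(ip):
        raise PermissionError("host not allowed")
    return connect(ip)   # pinned: the socket goes to the IP that was checked


def fake_backend(ip: str) -> str:
    """Constructed stand-in for the network, mimicking what the write-up saw."""
    if ip == METADATA_IP:
        return "metadata"   # e.g. the /latest/meta-data/ listing, then IAM keys
    return "404"            # the attacker's own public IP served nothing useful


def run_attempts(fetch, answers: Iterable[str], attempts: int) -> List[str]:
    """Press 'Run' `attempts` times against a fresh rebinding resolver."""
    resolve = make_rebinding_resolver(answers)
    outcomes: List[str] = []
    for _ in range(attempts):
        try:
            outcomes.append(fetch("rebind.example", resolve, fake_backend))
        except PermissionError:
            outcomes.append("blocked")
    return outcomes


if __name__ == "__main__":
    answers = [PUBLIC_IP, METADATA_IP]
    print("vulnerable:", run_attempts(vulnerable_fetch, answers, 4))
    print("hardened:  ", run_attempts(hardened_fetch, answers, 4))
```

With the two-address rotation the vulnerable path reaches the metadata service on every attempt in which the check sees the public address, while the hardened path only ever connects to the address it validated, so the worst it can do is return the harmless 404 or refuse. In a real client, pinning means opening the socket to the validated IP while still sending the original hostname in the Host header and SNI, and repeating the resolve-and-check step for every redirect hop. Treating link-local space as blocked is what keeps 169.254.169.254 out; enabling IMDSv2, which requires a PUT request to obtain a session token first, is the defence-in-depth that would have left a GET-only SSRF without credentials even if the filter had been bypassed.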
Vulnerable Versions: Appsmith v1.8.1
Now, I reported this to Appsmith, received confirmation, and reported the same issue to huntr.dev to get a CVE assigned. I have been assigned CVE-2022-4096 for this.
Source : https://www.turkhackteam.org/konular/ssrf-cve-2022-4096-dns-baglanmasi-nedir.2049076/