From Zero To SSRF To RCE And Back Again by Tom Cope

uh hello everyone just a very small uh prefix for the pre-recording because this contained a live demo of course the software to record the live demo didn't work um so you guys are all going to enjoy it but unfortunately um whoever's watching this and I'm sorry I won't um hello my name is uh Tom that's my terrible profile picture uh I'm the chief security officer of course security and I've been working in cyber security now for a while about nine years and as you can see my various qualifications and my bits and mobs on there uh who is Chris security we we make a Enterprise grade AI powered human-centered DLP solution which is the last collection of buzzwords you've

ever seen um but but uh in general um feel free to come chat me off at all it's a very very good piece of software it has a lot of EDR capabilities as well and we have an extensive um policy engine where you can write weird stuff like if a user in my Dev team tries to upload Source control source code from a personal G drive on their work laptop then block the upload display them a notification require them to enter a business reason and click a link to read your accessible use policy because that's not allowed and it supports Linux

um so what's up with the title it's an absolute mouthful it's terrible uh but I hear as you haven't talked you have to have a really good title so this is my attempt it's based on some um security research I did a few years ago you can see the CV there um we're talking about from zero so we're talking about um basically the entire security research process end-to-end is what I'm going to be covered here somehow in 30 minutes um sfrf which is server-side request forgery and rce which stands for and back again because we're going to touch on some real world impact at the end of this as again this is a live demo

so hopefully it works um we're gonna go through this is a photo I took with my phone very long time ago uh we're gonna go through end-to-ended yeah hacking methodology as a first off information Discovery you want to hack a thing what you want to hack I'd recommend you pick something fun if any of you do this as a day job you probably don't have that option um I recommend uh picking something that has easy access to support and documentation just because this is the first time you're going at it try and go easy on yourself real world impact is really good and please check beforehand you have a way to report the bug otherwise you'll go through all this

problem and you won't be able to report it and then why are you doing it are you looking for a monetary are you looking for a cve do you want to get in like Google's Hall of Fame do you want to do it for fun or do you want to sell it to government um there's a line at the end there um I picked uh IBM data power um this is because I was an ex-ibm employee and I really like this piece of software and it kind of ticks all of the boxes it was fun easy access to support uh real world impact and really I wanted a CV under my name is the video gonna

work yes um so what is uh data power it's basically a API Gateway so you can feed it in Json or XML or stuff like that and it'll validate it and then you can send for example a gif they won't like that and it rejects it um it has it's a surprisingly interesting piece of software I recommend you give it a Google because it just does literally everything security related ever and um it's extremely hackable and um extensible and it comes in lots of different form factors a physical box if you're a bank and you want to process 50 billion transactions a second KVM and the most important thing is there's a docker a video stopped there's a document

there's a Docker version of this which is hey the Wi-Fi is great there's a Docker version of it it's free on Docker Hub you can go and give it a go etc etc um next slide please uh why specifically did I pick this product it's because it's hardened by Design it's not designed for you to get into it because it's the sort of thing that's used by Banks to try and do transactions at really high speeds it has lots of crypto in it it's where you're going to be installing a lot of your crypto Keys um if you forget the password you have to physically shift the box back to IBM and they do some magic and then

everything's good again and it's very very locked down and because it was a truck toughened up to crack I really wanted to attempt to crack it and so that's kind of the information Discovery process so let's let's use it this is the this is the bit where it goes horribly wrong um so what we're going to do is this is the docker run command I've pre-downloaded this image because it's fat um has some various Wildlife options there it's not really important apart from Docker run data power please um and it will hopefully start so there it is [Music] um and it's it's coming online and it says unauthorized access prohibited um and then when it starts you get a

login from who wants to guess the username oh yeah and what's the password oh amazing we're in that's the end of the demo so we're gonna interestingly about thanks Powers you can mistype pretty much everything and it still kind of says I know what you mean um so we're gonna we're gonna do that we're going to go into the web management and then we're going to do admin State enabled kind of conveniently we're going to exit that we're gonna say save it hopefully you can see this um it's saved and then we're going to show um what are we going to show I think I just typed uh the web management interface and you can see it's up kind of

interestingly you have to do this it is like a secure by Design Appliance so if you don't want a web GUI it won't give you a web GUI we do want a web GUI so here's a web good um of course we haven't configured any certificates yet continue that log into it and you will see a UI that looks like it was designed in the 80s yes I am shocking and it's still loading give it a moment it's low there it goes um so that's basically it but like you know set it out it works cool um some interesting things that just happened there we we logged in with admin admin so you can easily break into

any unsecured Docker containers that are running in the development environment just off off the bat and interestingly you'd probably go on shoden and just type in data power and you may find some of these just kind of interesting because it's the web give me for a Gateway Appliance it really shouldn't be there um so Target scanning so this is a Docker container the reason why I kind of picked the docker container is we can break it apart and find a really good Target to play with so let's break it apart and find a good Target to play with um who knows how to get inside a Docker container yes uh so we're going to Docker and exec

inside my spacebot is broken by the way so that's the reason why I keep on the stock here and here is the process listing of data power interestingly there's not a lot in there there is a single binary that runs this entire application which is amazing um and it's huge there's this thing called quota enforcement there's DP mon which if you're if I if I put an end there into the DP what's that and Mom the performance Analytics tool so they just can't make the wrong one which is kind of cool and then they have two things here which is redis which is kind of interesting um something you could do like straight off the bat is you could just take that

um binary you can then go and throw it into some piece of software you can you know just assemble it and you could spend the rest of your life in here um looking for all of this assembly and strings you know this is this is a possibility of something that you could do um so there you go what's running what's on the file system we've kind of broken into the Container we have a look around um we could reverse engineer you can do some string search you can do some web scanning of the web GUI as another option there's also a telnet and an SSH interface which will have an enabled for this demo but that's another place that

you could look um but redis looks like a good Target just because it's the only open source piece of software that's kind of there and it's open source so it's easy for us to go and Google things about it um so make progress now so we can Target scanning now we're going to move into the vulnerability assessment is redis vulnerable let's find out ignore so the reason why this is here is because last time I forgot this but I remember to put in the slides [Music] so we're just going to netcat so we're going to connect to this locally running redis instance and does anyone here know the command to get the version of redis

nope it's status no it's not it's it's info holes we need a password where can I find the password who said that that's a bad thing that you shouldn't do let's go and find the half coated fast for us um so we're just going to look for the redis configuration file there's the redis configuration file and there's a hardware password now to be fair this is a Docker container so this password could be dynamically generated each time the the application starts or it could have some sort of cryptographic thing where it's like tied to the MAC address or something like that so we need to confirm that is this actually hard-coded um because um basically it's holding all of this

inside of a ram disk so it's it's a little bit it's a little bit here and there so conveniently I have the string search table already loaded and I'm going to put that in there and we're going to search through the data power binary for a hard-coded string it's just like it's in there so yes it's a hard-coded password

uh so we did the info command last question [Music]

there we go we're in uh and then if we scroll all the way to the top we have the version of redis here so we've got we got some information there did a bit of information gathering we don't know what we're doing so we we NE we have rediffs so basically the next step I just Googled Reddit exports because it's got to be some redis exploits out there for this version of redis um this chap however you pronounced that did a really really really really good paper and presentation on all different ways you could break into the redness I highly recommend you reading this good security research has always put off the shoulders of giants

and um this is basically the Rogue Regis attack where what you do you have a Reddit server um that you have some sort of control over and then you run your own Rogue Reddit server and the idea is you basically set the config or the the the save file for redis as a shared Library and then you tell that that data that redis server to be a um kind of a replica of your master which is this person here and then you say to him I want to do a full thing forget everything you know I'm going to give you your new Reddit database and you don't send a register database you send a reverse shell instead

and then you say save that and it saves it to the file system and then you say load it so then you can load your own malicious code into redis which is amazing um so it's like cool so we have a potential here for um for remote code execution I don't know why because I did the slides um so this is a crazy powerful exploit any ready server that is on the Internet is vulnerable to this so you can just connect and then you can execute remote code on that host redis introduced protective mode to prevent kind of a lot of attacks surrounding this thing so by default it only listens to localhost and if you actually read the Reddit security

guide it recommends disabling a lot of commands in redis but by default all of them are kind of available do you think people follow any of this advice good um so if you go on show them right now you might be able to find some vulnerable radish things um so it looks like a really good Target however there's a problem it's listening on localhost and we don't have access because we're not inside dog container we want this we're remote for somewhere else on the internet and interestingly enough this is not the protective mode this is the data Power Team hardening their Appliance because they they knew that they should be should remain an internal process

uh so there we go so we're now done a vulnerability assessment and now we kind of want to exploit the weakness so it's listing on localhost we need a server-side request forgery for this um there's a really good link there if you want to read more about this and reports we go guys do some excellent write-up on the web right on all web attacks what is an ssrf it is a server-side request forwarding and it's basically where you can trick a web server making a server-side request to a local resource it's a very strange kind of type of exploit and it's basically connecting to itself um it's quite scary as well so here's a quick example you've got an attacker you

find your website and this and then they the website offers a web hook and Web book is supposed to talk to your own service that's somewhere else on the internet but instead you put in localhost so now this internal server is talking to internal resources um whoops you shouldn't be allowed to talk to that um so it's kind of funny because you spend all your time final locking things putting things in vpcs trying to defend stuff but then it's your own server that's attacking yourself so it's that's kind of the way to think about it in the wild you can do some really weird things especially on the crowd you can grab I am rolls

um through the metadata address you can leak I Am keys from the cloud using this attack and then you can have those keys on your computer connect to the cloud resource and just start doing stuff in someone else's Cloud instance authenticated as that server in their cloud um I believe um Prezi the presentation software had this class of exports so you can also like list Locker containers and if you're inside kubernetes you can grab things like API Keys country files like whatever you want so exploiting this weakness so we need a function in data power that gives us an ssrf attack there's no way that would be built in out of the box here is built-in out of box it's called

the test message function um so you could enter a URL it gives you this very basic form and you can send a web request um and here is an I mean it's full screen is the Wi-Fi good enough yes um so this is me making a request to my own website just kind of proving how the tool works and data apple pie data power is quite designed for XML so it kind of requires you to do XML messages but you can see there in my nginx log so I'm getting a request to datapower apple pie and you can see all the headers returned and all that jazz so it definitely works so now I'm inside the docker container

and I'm Lo and I'm opening a netcat instance to basically listen so I'm pretending to be a web server in data power debugging purposes and then I'm changing it to localhost from exactly the same I'm mistyping that there um it's an exactly the same thing I'm going to make a call and we can see the request is going in so it's vulnerable to a server side request forgery attacking if you look at redis um redis's commands are plain text they're very boring um but interesting enough they're quite similar to http because in the headers here you have blah blah colon and then something else whereas in redis the commands are kind of the same thing it's

like thing space action to set apple pie get apple pie you can see this so this leads to a different class of exploit called HTTP request smuggling so where you can basically through HTTP make the protocol look like another protocol so the idea is we're going to send a web request in HTTP but we're going to embed inside of it reddish commands um come on the other Tom talk faster okay so here I'm adding in the request headers Regis commands of sending them over HTTP so here you can see the commands have been injected into the payload um what redis is going to do is it's going to go I have no idea what a post

is I have no idea what a connection is oh I do know that oh I do know that don't know that don't know that so it will execute these months and then an interesting kind of thing you do here is the way that this test form is working it's sending an Ajax request in the background so you can open up the developer tools I can develop tools and then particularly in Firefox I have no idea why Chrome hasn't implemented this in Firefox you can just right click on any web request you can right click on any wave request

and you can click edit and resend which is really handy so then here you can just really quickly like if you want to like quickly play around with a website you can and basically what I'm doing here is data power only lets you provide one-line responses so here I'm using this ability to basically enter more data and it just gives me a more flexible interface to data power's own API um it's just it's more of just kind of a cool trick but it makes this exploit a lot easier because data power is automatically turning things into headers by adding the colon so with this I I just have a lot more flexibility so that's kind of a crash course into

um server-side request wardrobe um

slide um so there we are so we've exploited weakness we've kind of got a general idea of this so privilege escalation there's no way redis is running as root it's running as root so no privilege escalation is necessary for this uh retaining access it's a remote code execution so there's nothing stopping us from adding a persistent back door of any kind and um we could possibly spend some more time trying to make this like really really sneaky um but that's yeah that's tiny face is this right the exploit it took about two hours um rotating go laying it just uses the standard Library and then we're gonna run it that's gonna work first time so here is the code it's up it's

available on um on GitHub if you're interested um there's not that much to it it's just um we have the fake redis server kind of implemented here um and then we have this library that I wrote to basically play with the datapower test connection feature um which just kind of does that and then here we have a little bit of C which is implementing the redis standard library to basically introduce a new command called Data power shell which then executes a shell on data power um so then I'm going to go to this one

so this is this is the four commands it's today's power of redis exploit we're going to give the IP of data power which in this case is localhost we're going to give it that magic password we're going to say that I'm going to be running the fake um redis and then this is the module that we'd like to load into it and hit enter it just kind of does some things and that's it dot reverse shelf like that's it and now I can just like type ID and I'm running inside data power and if I do a PS you'll see it's basically the exact same thing there and yeah um something that I like to note that I

kind of skipped over um this is still authenticated attack you still need to be able to log into the data power GUI and you still need to be able to run that test credential or test um connection button but it means you just need any login credential at all so and you're then Insider your appliance which you really shouldn't have this level of access to um because natively um it gives you a restricted shell yes that's that's kind of the explain

uh so it works so so that's it so we've gone from zero to srf and now we've got a remote code execution a is a to power anywhere on the internet um you need some form of login as I said but then you get full root access to this appliance that you really shouldn't have access to and you can extract encryption keys or whatever you wanted from from the suppliers or whatever you like so generate CV cve esport for this uh put it as an 8.8 which was my kind of it's over the network it's local complexity because it works every time you need low privilege no user interaction and you can't get everything because it's a remote code execution so

I reported it to IBM through their um hacker one uh profile um this is kind of the timeline of events and I've gotta write up this on my website which goes through basically the initial report asking them for an update they come back to me how you'd like to be acknowledged they're working on the fix and stuff like that but you can see you know this took four months to fully get through so you can kind of understand that when you find something it's going to take a while for a fix to be rolled out but yeah it's officially fixed there's a security and bulletin about it's got CV assigned to it which is really cool and it is really really

nice to like go through all this process and just get that one line up there saying that you found something it's really really nice to like be um acknowledged for for the work that you did um uh so this is fixed in data power you might want to look at it uh I'm just going to leave at that [Music] so how does this impact the real world um so we are in the process of doing a pen test with our own software and you know how I mentioned about that Web book exploit a while ago uh well this sensor was not created by a web hook so it can't um the interesting thing for this

particularly for me is we disinfect modeling internally you know full secure development life cycle for this we fret more internally we knew this was an issue we created a library to explicitly handle this issue we did tests on that we've built the library we implemented it however um it kind of failed in the integration test um so we were we were temporarily vulnerable to the sex flow but it's now been patched and this is why you always follow with defense and death you know the the right thing here to do is waitlisting domains but also Implement a series of protections like Network protections proactive networking isolation Services Etc which you can all find on a wasp and the point here is my

personal security research that I did for this helped me understand and better mistigate this attack in the company so that's kind of the moral of the story here before I close out we are hiring um there's our careers website that's just been launched uh feel free to come along we use a lot of very interesting Technologies right modern and hiring for both developers and joining the security team um yeah thank you very much any questions yes so your exports their shell you said there's no privilege yeah three processes yeah but it looks like because it's running in Docker because so Docker natively um the the way they built the container restricts it to that user however if

you're running this on the physical Appliance then you get ripped yeah yeah anyone else