{"id":17916,"date":"2022-02-25T17:10:40","date_gmt":"2022-02-25T16:10:40","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17916"},"modified":"2022-03-03T11:11:19","modified_gmt":"2022-03-03T10:11:19","slug":"usd-2021-0019","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0019\/","title":{"rendered":"usd-2021-0019"},"content":{"rendered":"\n\n\n\n\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0019 | Zulip<\/h1>\n

Advisory ID<\/strong>: usd-2021-0019
Affected Product<\/strong>: Zulip
Affected Version<\/strong>:\u00a0 <= Zulip Server 4.7
Vulnerability Type<\/strong>: CWE-918: Server-Side Request Forgery (SSRF)
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/zulip.com\/<\/a> \u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/em><\/p>\n

<\/span><\/p>\n

With the release of Zulip 4.0<\/a> an optional mitigation against SSRF was introduced, which was disabled by default until the release of Zulip 4.8<\/a>. It is highly recommended to update to the latest version of Zulip, because older versions (in their default configuration) may be vulnerable to SSRF due to their configuration. Also, the configuration of Smokescreen was optional.<\/em>
<\/span><\/p>\n

<\/h3>\n

<\/h3>\n

Description<\/h3>\n

For Zulip <= 4.7 (default configuration), it is possible to use the outgoing webhook feature of bots in order to scan open ports of the Zulip server (localhost) and other systems on the internal network.<\/p>\n

The application is vulnerable to server-side request forgery (SSRF) attacks and can therefore be made to perform requests to other services. From the perspective of those other services it looks like the requests originated from the vulnerable application. It is possible to use the outgoing webhook feature of bots in order to scan open ports of the Zulip server (localhost) and other systems on the internal network. An open port can be differentiated from a closed one by observing the time delay between talking to a bot and receiving the \"Failure! Bot is unavailable\" error message.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The SSRF to localhost can be proven as follows:<\/p>\n

1. Create two new bots at https:\/\/<your-zulip-instance>\/#settings\/your-bots. Name one of the bots \"openPortLocalhost\" and set the Endpoint URL to http:\/\/localhost:8765<\/strong>:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/ssrf-localhost-1.png\" title_text=\"ssrf-localhost-1\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"]

Name the other bot \"closedPortLocalhost\" and set the endpoint to http:\/\/localhost:<known closed port><\/strong>.<\/p>\n

2. Open a port on localhost:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

$ nc -lvp 8765<\/pre>[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]
3. Trigger openPortLocalhost<\/strong>\u00a0for which you opened a port on localhost:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/ssrf-localhost-2.png\" title_text=\"ssrf-localhost-2\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]
4. Observe the incoming HTTP request:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/ssrf-localhost-3.png\" title_text=\"ssrf-localhost-3\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]
5. Wait for a couple of minutes before killing the Netcat process with Ctrl+C.<\/em><\/p>\n
6. Observe the time difference between `openPortLocalhost` was called and the \"Failure! Bot is unavailable\" error message was received.<\/p>\n
7. Trigger closedPortLocalhost<\/strong>:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/ssrf-localhost-2-1.png\" title_text=\"ssrf-localhost-2\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]
8. Observe the time difference between `closedPortLocalhost` was called and the \"Failure! Bot is unavailable\" error message was received.<\/p>\n
9. Compare the response times of calling the two different bots. The error message for openPortLocalhost<\/strong> is received shortly after killing the Netcat process (step 5), while the error message for closedPortLocalhost<\/strong> is received almost instantly.<\/p>\n

The following screenshots illustrate the blind SSRF to the internal network:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/POC_localhost_zulip_1-no-users.png\" title_text=\"POC_localhost_zulip_1-no-users\" _builder_version=\"4.14.7\" _module_preset=\"default\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/ssrf-other-2.png\" title_text=\"ssrf-other-2\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]
\n
\n
Fix<\/h3>\n
With the release of Zulip 4.0<\/a> an optional mitigation against SSRF was introduced. Zulip now allows to configure Smokescreen,<\/em> \"an open-source proxy developed by Stripe to protect a service with\u00a0<\/span>outgoing webhooks<\/a>\u00a0from being used to make\u00a0<\/span>SSRF attacks<\/a> against other services\". Since Zulip 4.8<\/a> Smokescreen<\/em> is enabled by default. Thus, it is highly recommended to update to the most-recent version of Zulip.<\/span><\/p>\n
\u00a0Generally, it is recommended to evaluate the need to make server-side requests. If server-side requests are absolutely necessary, the corresponding function should be ideally restricted by a whitelisting approach.<\/span><\/p>\n
<\/h3>\n
References<\/h3>\n