SSRF AWS Bypasses to access endpoint metadata
joelboucher opened this issue · 3 comments
I found a "feature" that allows me to pass URLs via the API. Take a platform that is using ServiceStack like this "ion" marketing platform -- https://dhl.postclickmarketing.com/Admin/Login?ReturnUrl=%2fadmin%2fdashboard
After trying a few things, I found that “http://2852039166/” works as a parameter in the URL ("http://2852039166/" is a bypass using a decimal IP location), and it gives me some access to the AWS instance where it is installed. So something like this: https://dhl.postclickmarketing.com/Admin/api/outside/proxy/?url=http://2852039166/latest/dynamic/instance-identity/document or https://principalfunds.postclickmarketing.com/Admin/api/outside/proxy/?url=http://2852039166/2021-07-15/dynamic/instance-identity/signature
Using this URL, I can easily view server directories, read files, download AWS tokens, and other confidential information.
Hi Joel,
It looks like the issue is their proxy that allows proxying any URLs. Can you explain more about what the actual "feature" is that you've found? There's no feature built into ServiceStack that allows you to return the contents of a user-defined URL like their /outside/proxy API does.
We do have a Proxy Feature Plugin but that only reverse proxies contents from static server-defined downstream sources. This must be a custom proxy implementation they've specifically built themselves that returns the contents of user-defined URLs; any URL validation would need to be added in their custom implementation.
We would like to notify them of this issue; unfortunately, we have no record of postclickmarketing.com or rockcontent as customers. How were you made aware they used ServiceStack? Do you know how to reach their developers?
After further investigation I've been able to determine from their error page:
https://principalfunds.postclickmarketing.com/Admin/api/outside/proxy/
which links to the old URL changed in v4, that they're still using the unsupported ServiceStack v3 BSD from >8 years ago.
Going to close this issue as it's an issue with their custom proxy implementation which can't be fixed from our code base.
Of course, please continue to report issues you've found with any supported version of ServiceStack that we can provide support and updates for.
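An added example, not code from this issue, from ServiceStack, or from the affected proxy: one way to do the URL validation that the reply above says belongs in the custom proxy, sketched in Python. It goes beyond the decimal form reported here by canonicalizing every numeric IPv4 spelling the OS resolver accepts and by vetting each address a DNS name resolves to; `parse_legacy_ipv4` and `check_proxy_target` are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def parse_legacy_ipv4(host):
    """inet_aton-style IPv4: 1-4 parts, each decimal, 0x-hex or 0-octal. None if not numeric."""
    parts = host.lower().split(".")
    if len(parts) > 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    try:
        nums = [int(p, 16) if p.startswith("0x") else
                int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):      # the last part fills all remaining bytes
        last |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(last)

def check_proxy_target(url, resolve=socket.getaddrinfo):
    """Return the vetted IP strings the proxy may connect to; raise ValueError otherwise."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    ip = parse_legacy_ipv4(u.hostname)
    if ip is not None:
        addrs = [ip]
    else:
        try:
            addrs = [ipaddress.ip_address(u.hostname)]   # IPv6 literal
        except ValueError:                               # a DNS name: vet every answer
            port = u.port or (443 if u.scheme == "https" else 80)
            addrs = [ipaddress.ip_address(a[4][0]) for a in resolve(u.hostname, port)]
    vetted = []
    for ip in addrs:
        ip = getattr(ip, "ipv4_mapped", None) or ip      # unwrap ::ffff:a.b.c.d
        if not ip.is_global:                             # link-local, private, loopback, ...
            raise ValueError(f"{url!r} targets non-public address {ip}")
        vetted.append(str(ip))
    if not vetted:
        raise ValueError("host did not resolve")
    return vetted

if __name__ == "__main__":
    # The URL form from the report above; 2852039166 canonicalizes to 169.254.169.254.
    try:
        check_proxy_target("http://2852039166/latest/dynamic/instance-identity/document")
    except ValueError as err:
        print("rejected:", err)
```

The proxy should connect to one of the returned addresses rather than resolving the name again, and run the same check on every redirect hop before following it.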