Closed Bug 1391928 Opened 7 years ago Closed 7 years ago

Server Side Request Forgery on detectportal.firefox.com

Categories

(Websites :: Other, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: me, Unassigned)

References

()

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hi,

I am getting in touch to report that detectportal.firefox.com is vulnerable to server side request forgery (SSRF).

SSRF is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server.

Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the firewall that are normally inaccessible from the outside world (but using SSRF it’s possible to access these systems). With SSRF it’s also possible to access services from the same server that is listening on the loopback interface.

Using Server Side Request Forgery attacks it’s possible to:

Scan and attack systems from the internal network that are not normally accessible
Enumerate and attack services that are running on these hosts
Exploit host-based authentication services


Issuing the following request:


GET http://detectportal.firefox.com@127.0.0.1:22 HTTP/1.1
Host: detectportal.firefox.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

Will cause a connection to your SSH service on directtv.com. See the SSH banner below:


HTTP/1.0 200 OK
Server: squid
Mime-Version: 1.0
Date: Sat, 19 Aug 2017 07:38:02 GMT
X-Transformed-From: HTTP/0.9
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:80
Connection: close

SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u6
Protocol mismatch.


With this vulnerability, I am able to gain information about the local system, and potentially machines in networks neighboring that machine. I can also send GET requests to a service running on any port on a system accessible to this machine. This could potentially cause damage to those internal applications. For examples of applications that may be vulnerable, please check out this reference, which is now a bit outdated but shows that there is a non-zero number of applications that may be vulnerable.

Note that I could spend more time trying to figure out what applications there may be that are vulnerable on your internal network, but I feel this would go outside the intended scope of the bounty brief.

Let me know if you need any more clarification or if you have questions. I'm happy to provide a screencast and/or screenshots of the vulnerability if needed.

Cheers
Flags: sec-bounty?
Are you sure that you're not just connecting to ssh on your own personal machine? A URL like this:

http://detectportal.firefox.com@127.0.0.1:22

is telling your browser to connect to SSH on your personal machine with a login of "detectportal.firefox.com".
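The comment above makes the key point: in `http://detectportal.firefox.com@127.0.0.1:22` the part before the `@` is userinfo, and the host is `127.0.0.1`. The following is an added example, not code from this bug or from Mozilla's detectportal service. It parses that URL the way a conforming client does, shows that a naive string-prefix check is fooled by it, and sketches a conservative target check that a server-side fetcher could apply before connecting. The function names, the allow list (seeded only with the hostname from this report) and the permitted ports are assumptions for illustration.

```python
"""Added example: URL authority parsing versus naive hostname checks.
Not part of this bug report or of Mozilla's code; helper names and the
allow list are illustrative assumptions."""
import ipaddress
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: the exact URL from the report.
REPORTED_URL = "http://detectportal.firefox.com@127.0.0.1:22"


def parse_authority(url: str) -> Dict[str, Optional[object]]:
    """Split the authority as RFC 3986 does: anything before the last '@'
    is userinfo, the host is what follows it. 'hostname' strips brackets
    from IPv6 literals and lower-cases the name."""
    p = urlsplit(url)
    try:
        port = p.port  # raises ValueError for an out-of-range port
    except ValueError:
        port = None
    return {
        "scheme": p.scheme,
        "userinfo": p.username,
        "host": p.hostname,
        "port": port,
    }


def naive_prefix_check(url: str) -> bool:
    """The kind of check that is fooled by userinfo: it only looks at the
    leading characters of the URL string, never at the parsed host."""
    return url.startswith("http://detectportal.firefox.com")


def is_safe_target(
    url: str,
    allowed_hosts: FrozenSet[str] = frozenset({"detectportal.firefox.com"}),
    allowed_ports: FrozenSet[int] = frozenset({80, 443}),
) -> Tuple[bool, str]:
    """Decide whether a server-side fetcher may connect for this URL.
    Conservative policy (an assumption for this example): http/https only,
    no userinfo at all, hostname on an allow list, and literal IP addresses
    rejected outright, so loopback, RFC 1918 and link-local targets such as
    127.0.0.1, [::1] or 169.254.169.254 never reach the network layer."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if p.username is not None or p.password is not None:
        return False, "userinfo in authority"
    host = p.hostname
    if not host:
        return False, "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            return False, f"non-routable address {ip}"
        return False, "literal IP address not on allow list"
    if host.lower() not in allowed_hosts:
        return False, "host not on allow list"
    try:
        port = p.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in allowed_ports:
        return False, f"port {port} not allowed"
    return True, "ok"


if __name__ == "__main__":
    print(parse_authority(REPORTED_URL))
    print("naive check passes:", naive_prefix_check(REPORTED_URL))
    print("hardened check:", is_safe_target(REPORTED_URL))
```

The hostname allow list only settles which name the fetcher is willing to look up; it says nothing about what that name resolves to at connect time, so a fetcher that must also defend against DNS rebinding has to resolve the name itself, apply the same `ipaddress` test to every returned address, and connect to the vetted address rather than re-resolving.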
Hi,

I further investigated the issue and it turns out it is a vulnerability in my VPN provider. I was using an upstream proxy and they were trying to connect to their loopback interface.

You can close the ticket sorry about this.

Cheers
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-