Chaining the Vulns (SSRF-Deserialization to RCE)

Hi everyone, in this blog post we will cover SSRF, RCE and Deserialization vulnerabilities with a scenario. Despite of the knowing these vulnerabilities not enough for some red teaming / adversarial emulation operations. We should think how we can use these vulnerabilities for bypassing some security solutions.

Before the starting with SSRF, let’s talk about what we knew. We got 1 domain abc.com (has SSRF) and 1 subdomain discover.abc.com (has Insecure Deserialization to RCE).

Let’s try to explain vulnerabilities briefly.

SSRF

Our first vulnerability is SSRF. If the application needs external sources, it tries to send requests for getting this source. While this request sending process; if the validation and filtering wrong, we can force to send our requests to another server. For example, imagine that the application gets an input for an image and copies this image to the document. We can try to copy an external URL for the image, if you see the request of the application server, this shows to us it would be SSRF happen.

İn the Picture-1 you can see the basic process.

If you try to valid address, you can get the information about a.b.c.e server, and you may learn 80 is open.

When you try another port, you can not get response or you can get errors, this means the port is closed. This port scanning technique (most known) is one of the SSRF usages with internal servers.

More info: https://portswigger.net/web-security/ssrf

We will use this for a domain filter bypass for RCE. Let’s continue.

Insecure Deserialization

This topic is very common and large. I will try to explain this simply.

If you wrote projects with OOP (Object Oriented Programming), you know the objects. We must use a format for transporting the object information to create a new object for later usage. You may think like a json format but it has some differences.

Code Example:

<?phpClass Person{Public $name;

Public $method;}$user = new Person;

$user->name = “Berk”;

$user->exec_method=”Test”;

echo serialize($user);?>

O:4:”User”:2:{s:4:”name”;s:4:”Berk”;s:6:”method”;s:4:”Test”;}Means;O:4:”User” -> Object:Obj_name_len:Obj_Name{(type):length:”VALUE”}

More types;

  • b:THE_BOOLEAN;
  • i:THE_INTEGER;
  • d:THE_FLOAT;
  • s:LENGTH_OF_STRING:”ACTUAL_STRING”;
  • a:NUMBER_OF_ELEMENTS:{ELEMENTS}O:LENGTH_OF_NAME:”CLASS_NAME”:NUMBER_OF_PROPERTIES:{PROPERTIES}

Example for php code and User Object.

<?php class User{    public $username;    public $status;  } 

$user = new User;  $user->username = 'Berk';

$user->status = 'not admin'; 

$serialized_string = serialize($user);
$unserialized_data = unserialize($serialized_string); 

var_dump($unserialized_data); 

var_dump($unserialized_data["status"]);?>

In this example, we serialized data with our serialization format and later we unpacked the data and created a new user called “unserialized_data”. You can access the items like OBJ[“Attr_Name”].

While this serialization process we can see the usage of magic methods, _wakeup() and _destruct() functions.

class User_Mtd  {   

private $hook;   

function __construct(){

        // some PHP code...   

}   

function __wakeup(){       

if (isset($this->hook)) eval($this->hook);   

}  }
  // some PHP code...
 $user_data = unserialize($_COOKIE['data']);

In this example, we can see the “eval()” function for executing php codes. If we can set the hook variable with a php code, we may find the RCE.

class User_Mtd{   

private $hook = "phpinfo();";

}

print urlencode(serialize(new Example2));

This example for generating serialized object for php. Let’s explain the process with an image. With RCE;

This is a basic example for insecure deserialization with gaining code execution.

You can adding filter and more functionality like this;

class User_Mtd  {   

private $hook;   

function __construct(){       

// some PHP code...    }   

function __wakeup(){            

if (isset($this->hook))

{    //hook like -> www.discover.domain.com/test.php?command=”phpinfo();”    if(str_contains(strtolower($this->hook), “domain.com”))

{    //command for eval -> ?command=”phpinfo();”   

$query = var_dump(parse_url($this->hook));    //query -> command=”phpinfo();”   

cmd = explode(“=”,query); //cmd -> “command”,””phpinfo();””   

eval(cmd[1]);      }    }       }      }
  // some PHP code...
 $user_data = unserialize($_GET['src']);

In this example we will control the hook variable for valid domain.

If we can set the hook variable with valid domain and test.php?command=”phpinfo();” we will get the code execution functionality.

More information: https://portswigger.net/web-security/deserialization

https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization

We talked about SSRF before. We can use this for gaining RCE. How?

Imagine that, the internal server getting url parameter and create an object with serialization process. If we can send a request with our SSRF vulnerability we can bypass the domain filtering for internal web app, because our request will be sended from “domain.com” and this means we have a valid domain request.

Let me explain with 2 images;

Picture-1 Overall Scenario

Picture-2 Bypassing domain filter/control with SSRF

This is a imaginary scenario for chaining vulnerabilities with common techniques. While testing security posture of the company, using these like chains is so important to increase of the vulnerability severity and effects.

Thanks for your time.

Berk KIRAS