Server Side Request Forgery mitigation bypass
HackerOne report #632101 by
mclaren650sspider on 2019-06-29, assigned to
This vulnerability allows attacker to send arbitrary requests to local network which hosts GitLab and read the response. This is possible due to flawed DNS rebinding protection.
The attack is possible due to flaw here: https://gitlab.com/gitlab-org/gitlab-ce/blob/108c3cf16bed5733ffae086fb62c226961356560/lib/gitlab/url_blocker.rb#L59
validate function performs DNS lookup to check whether the IP address of a domain belongs to the local network. If the IP address belongs to the local network, the
validate function raises an error and no HTTP request is sent. Furthermore,
validate returns URI as well as the IP address of the domain to protect against DNS rebinding attacks.
validate encounters an error while resolving the domain (for example, the domain does not resolve), the DNS rebinding protection is not applied.
Steps to reproduce
- Create a webhook for a repository on GitLab.com. Use the URL
http://990.hacker1.xyz. It may return error but let's ignore it now.
- Wait about 10 seconds and test webhook by clicking on "Test" and "Push events".
- After the hook has executed, you should see content of
Wait about 15 seconds between testing attempts, otherwise it may not work due to DNS caching.
The code for proof-of-concept DNS server which hosts
hacker1.xyz is attached. The PoC uses a chain of CNAME records to prevent caching.
What is the current bug behavior?
The outgoing HTTP requests from webhooks can be sent to the internal network.
What is the expected correct behavior?
It is expected that HTTP requests cannot be sent to the internal network.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Attacker can use SSRF to access sensitive information on the internal network. Furthermore, SSRF in Google Cloud can be leveraged to Remote Code Execution depending on the setup. Publicly disclosed $25,000 #341876 describes a way to gain root access to Google Cloud server via a SSRF vulnerability.
Warning: Attachments received through HackerOne, please exercise caution!