SSRF via DNS Rebinding (CVE-2022–4096)
Let’s get started
SSRF using DNS rebinding found in Appsmith .
FYI : Appsmith is used to Build, ship, and maintain internal tools.
Initially I discovered the 2 SSRF’s in appsmith by using server side redirection method, But I don’t know how my exploit is got leaked(I reported to some of the companies and they might be client for cloudsek) and cloudsek got assigned with CVE for those.
And this is Bypass for those 2 Initial SSRF’s.
DNS Rebinding Overview:
DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. Comparing domain names is an essential part of enforcing this policy, so DNS rebinding circumvents this protection by abusing the Domain Name System (DNS).
Let’s generate the an hostname via DNS rebinding to bypass SSRF restrictions! https://lock.cmpxchg8b.com/rebinder.html
We can see that our generated hostname got assigned with two different IP’s
Now the vulnerable function is Create new API and Elasticsearch
Now add the generated hostname in url function and click on run and I got response as host not allowed
Now after hitting run again, Successfully got some response with AWS cloud metadata path
Now appended the “latest” path to the url and again clicked on run and I got 404 (Because this time the server hitted my IP which I used in DNS rebinding).
Now after continuous Hit and trial(Clicking “Run” again until I get some response) methods and appending the paths(Which I got in response) to url I successfully retrieved AWS Keys
Vulnerable Versions : Appsmith < v1.8.1
Now reported this to Appsmith and got acknowledgement and Reported the same to huntr.dev to get CVE for this issue and got assigned with this CVE-2022–4096
Please ignore grammatical and verbal mitsakes :)
Follow me on:
Instagram : https://instagram.com/basu_banakar