SSRF in imgur's video to gif tool

From Hackipedia
Jump to: navigation, search
Hackerone #115748
Target: Imgur
Target Module:
Type: SSRF
Payload:
Original: Link
CVE:
Archive Screenshot

Imgur offered a service on their site to import videos and turn them into GIFs. This would accept both video uploads and links to video files. When the service would reach out to other sites to import the video it would obviously use a link, like so http://www.tubeyou.com/guypunchesrock.mp4

Thus the ability to force Imgur servers to reach out to 3rd parties is inherent.

The vulnerability comes into play when you use the same service to make requests that are not intended. Such as FTP requests, requests to internal IP addresses, and even local file requests.

Some of these requests would look like
ftp://admin:password@127.0.0.1
scp://192.168.0.1
file:///etc/passwd

Depending on the service a malicious user is attacking, how each of those URLs will be treated can very widely.

Aaesteral did a cool POC on this ticket.

On his own server he created a php file as so

<?php
        $commands = array(
                'HELO test.org',
                'MAIL FROM: <imgur@imgur.com>',
                'RCPT TO: <bit-bucket@test.smtp.org>',
                'DATA',
                'Test mail',
                '.'
        );

        $payload = implode('%0A', $commands);

        header('Location: gopher://test.smtp.org:25/_'.$payload);
?>

The header() function will force Imgur's service to make a gopher request to test.smtp.org.

The success of the test would be seen in the logs at: http://test.smtp.org/log

How To Perform

  1. Keep an eye for any URLs being passed as parameters
  2. Try repoiting the URLs to a server you own and check how the request is sent.
  3. Then try different options to see how they are handled.
    1. Different request schemas (http, file, scp, etc)
    2. Different ports
    3. IP addresses