Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Discovering Full Read SSRF in Jamf - 687

Shubham Shah - AssetNote, posted 4 years ago
  • Jamf is an application used by system administrators to configure and automate IT tasks. There are cloud (SaaS) and on-premise variations of the product. It is a popular MDM (mobile device management) solution for Apple products.
  • The authors were curious whether they could find any server-side request forgery (SSRF). To do this, they looked for HTTP clients used within Jamf. When building software, it is not uncommon to find an HTTP client wrapper that the rest of the code base uses, which was the case here. Searching for that wrapper across the rest of the code base turned up a number of other call sites.
  • By tracing from source to sink, they found every location where a user-controllable URL ended up in an HTTP call; this led them to 6 usages in the code. One of them was a feature for test-viewing an image from a distribution point, which takes a user-controlled URL and displays the fetched content back to the user.
  • The response to this request is an XML page containing the image base64-encoded. However, the data does not have to be an image; it will base64-encode anything you request! This gives an attacker the ability to make a request to the internal network and read back the result.
  • The cloud version of this software is hosted on AWS. SSRF in an application hosted on AWS can lead to the compromise of the instance by making an HTTP call to the metadata service. A simple GET request to an internal IP will return the temporary security credentials of the environment, assuming that a role has been attached to the instance. Using this, it may have been possible to escalate deeper into the account, but the team stopped investigating and reported the bug.
  • Jamf's monitoring team noticed this unusual behavior, which set off alarms. They banned the IP address making the requests and disabled the instance on which the exploit had been performed. As a temporary fix, they added a WAF rule on all instances that blocked this type of request.
  • Overall, a good article on an impactful SSRF vulnerability and its exploitation.
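As an added example (not code from the write-up or from Jamf), here is the fetch-a-URL-and-base64-it pattern the post describes beside the destination check a defender would put in front of it; the function names, the stub resolver, and the sample hosts and addresses are constructed assumptions.

```python
import base64
import ipaddress
import socket
from urllib.parse import urlparse

def preview_image_vulnerable(url, http_get):
    # Pattern from the write-up: any scheme, any host, response body echoed back base64-encoded.
    return base64.b64encode(http_get(url)).decode()

def is_disallowed_address(ip_str):
    # Refuse loopback, RFC 1918, link-local (169.254.0.0/16, where cloud metadata
    # endpoints live), multicast, reserved and unspecified addresses.
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, resolver=socket.getaddrinfo):
    # Return None if the URL may be fetched, otherwise a short rejection reason.
    # `resolver` takes socket.getaddrinfo's (host, port) so it can be stubbed offline.
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "scheme not allowed"
    if not parsed.hostname or parsed.username or parsed.password:
        return "missing host or embedded credentials"
    try:
        addrs = {info[4][0] for info in resolver(parsed.hostname, None)}
    except socket.gaierror:
        return "unresolvable host"
    # Every resolved address must be external: a name that maps to one public and
    # one internal address is rejected, not allowed on the public one.
    if any(is_disallowed_address(a) for a in addrs):
        return "resolves to an internal address"
    return None

def preview_image_hardened(url, http_get, resolver=socket.getaddrinfo):
    # Same feature with the check in front. http_get must not follow redirects (each
    # hop needs the check again) and should connect to the addresses that were
    # validated, or a DNS answer that changes between check and fetch bypasses it.
    reason = validate_outbound_url(url, resolver)
    if reason is not None:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    return preview_image_vulnerable(url, http_get)

# Constructed DNS table (an assumption) so the example runs offline.
_FAKE_DNS = {"cdn.example.com": ["93.184.216.34"],
             "meta.example.test": ["169.254.169.254"],
             "both.example.test": ["93.184.216.34", "10.0.0.5"]}

def fake_resolver(host, port, *args):
    if host not in _FAKE_DNS:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in _FAKE_DNS[host]]
```

The hardened handler is only as good as the client behind it: follow-redirect behaviour and the address the client actually connects to must both honour the check.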