Private IP protection Bypass in private-ip package #14

Open
x3rz opened this issue Jun 25, 2021 · 10 comments

Comments

@x3rz

x3rz commented Jun 25, 2021

Hello @frenchbread, I am x3rz, a researcher on huntr.dev, as you wanted to discuss this issue here.

Yes, it gives 'false' because they are resolved to a private IP, as the main objective of the package is telling whether the IP is private or not. As you said about 127.000.000.1, this basically resolves to localhost, which is a private IP, and the same goes for the other payloads, especially the decimal-encoded localhost value, i.e. 2130706433, which gives false, but if you visit it from your browser you will see that this also resolves to localhost. For the hex-encoded payload for localhost the package works just fine: 0x7f000001 gives "true" for this one. And yes, you can resolve it to undefined and stop further execution, similar to 'false', but all these payloads resolve to localhost, which could cause SSRF. For more references you can check:
This one, which contains all the payloads that resolve to private IP addresses:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file
This one is just for reference that a blocklist could be implemented which could handle this issue pretty easily: https://github.com/y-mehta/ssrf-req-filter/blob/master/test/blockUrls.txt
This one shows the possible bypasses and the logic behind them:
https://vickieli.medium.com/bypassing-ssrf-protection-e111ae70727b

@x3rz
Author

x3rz commented Jun 25, 2021

I have added one more case to the RunKit cases for the hex-encoded payload so that it can be easily identified, which implies that 127.0.0.1 = Dec(2130706433) = Hex(0x7f000001)

@frenchbread
Owner

Hi, @x3rz. Thanks for opening an issue here.

@frenchbread
Owner

Hey, @x3rz, I've created a PR that handles payload patterns you've provided.

Would you be able to test it & confirm or suggest further improvements needed?

Thanks!

@x3rz
Author

x3rz commented Jul 9, 2021

Hey, @frenchbread, sorry for the late response.
Sure, I will, but for ease can you please specify the steps I need to follow to set up the module on my local system, as I am facing some issues with the lib.

@frenchbread
Owner

frenchbread commented Jul 12, 2021

Hi @x3rz, what exact issues are you facing? Maybe I could help.

Steps to test PR #15

  1. Clone repo: git clone https://github.com/frenchbread/private-ip.git && cd private-ip
  2. Switch to the commit with the changes: git checkout 055759755a10a9eb039110c8467df808a600409e
  3. Install dependencies: npm i
  4. Check out the test.js file for the new payloads you've provided & run tests with npm run test
  5. If you don't want to go through the test.js file, you can create a test file yourself, e.g. touch _test.js, and put the following code in there:

```js
// _test.js
const is_ip_private = require('./')

// payloads from this issue: decimal and hex encodings of 127.0.0.1 plus malformed IPv6
const payloads = [
  'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff',
  '2130706433',
  '0x7f000001',
  '100::ffff::',
  '::ffff:0.0.255.255.255',
  '::ffff:0.255.255.255.255',
]

payloads.forEach(payload => {
  console.log(payload, is_ip_private(payload))
})

// output should look like this:
// ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff true
// 2130706433 true
// 0x7f000001 true
// 100::ffff:: undefined
// ::ffff:0.0.255.255.255 undefined
// ::ffff:0.255.255.255.255 undefined
```

  6. Add other test values to the payloads array if you want.
  7. Don't forget to build the module using npm run build
  8. And run: node _test.js
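Added example, not code from the private-ip package and not part of this thread: a standalone canonicaliser showing why the decimal, hex and zero-padded spellings discussed above are the same address as 127.0.0.1, with a three-valued check in the style the maintainer describes. The inet_aton-style parsing rules and the PRIVATE_V4 range list are assumptions of this example.

```javascript
// Added illustration, not the private-ip module's code: canonicalise alternative
// IPv4 spellings (decimal, hex, zero-padded octal) before testing private ranges.
// The parsing rules approximate inet_aton and are an assumption of this example.
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8],
];

// Parse one dotted part as hex (0x..), octal (leading 0) or decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s, 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s, 8);
  if (/^[0-9]+$/.test(s)) return parseInt(s, 10);
  return NaN;
}

// Return the 32-bit value for any 1- to 4-part IPv4 spelling, or null.
function ipv4ToInt(str) {
  const parts = str.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();            // last part fills the remaining bytes
  const remainingBytes = 4 - nums.length;
  if (nums.some(n => n > 255) || last >= 2 ** (8 * remainingBytes)) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  return value * 2 ** (8 * remainingBytes) + last;
}

function intToDotted(n) {
  return [24, 16, 8, 0].map(sh => (n >>> sh) & 255).join('.');
}

// true / false for a parseable IPv4 spelling, undefined otherwise, mirroring
// the three-valued contract the maintainer describes in this thread.
function isPrivateIPv4(input) {
  const n = ipv4ToInt(String(input).trim());
  if (n === null) return undefined;
  return PRIVATE_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

for (const p of ['127.000.000.1', '2130706433', '0x7f000001', '8.8.8.8', '100::ffff::']) {
  const n = ipv4ToInt(p);
  console.log(p, '->', n === null ? 'not IPv4' : intToDotted(n), isPrivateIPv4(p));
}
```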

@x3rz
Author

x3rz commented Jul 19, 2021

Sorry for the late reply. I have tested all the issues and all tests passed, as this only tells whether an IP is private or not.
If you are going to extend this package, please consider all the IPs listed in
https://gist.github.com/x3rz/8f56d8832dd6965b02867900f2ade9ca
Thank you @frenchbread

@frenchbread
Owner

frenchbread commented Jul 26, 2021

@x3rz thanks for the reply,

In addition to is_private => true or false, the module also returns undefined for inputs that are neither an IP nor follow the IPv4/IPv6 schema.

I've checked out the link and I assume this is not really in the scope of this module (at least for now). This PR already adds support for handling dec and hex payloads for IPv4. For other use cases, you could use some other tool to resolve those addresses before actually using this module.

I'll leave this PR open.

@x3rz
Author

x3rz commented Aug 8, 2021

Yes, exactly what I said. The issue I reported should get patched, in my opinion, and you can keep this open.

Regards x3rz

@x3rz
Author

x3rz commented Dec 6, 2021

Hello @frenchbread,
I recently applied for a CVE for the previous package in which I found those bypasses and need your acknowledgement.

Regards,
x3rz

@frenchbread
Owner

Hi @x3rz,

Thanks for letting me know!
