c4-bot-3 closed this issue 3 months ago
141345 marked the issue as primary issue
141345 marked the issue as sufficient quality report
Metadata endpoint SSRF (Server-side request forgery)
We had a discussion when designing this and decided to have a professional external firewall program handle the network security. That's why all outgoing requests support setting a SOCKS proxy server.
kvinwang (sponsor) disputed
Duplicating all SSRF issues: the fact that the destination address in the issue is 127.0.0.1 or some other internal address does not really make a difference; the underlying issue is the same.
OpenCoreCH marked the issue as duplicate of #53
OpenCoreCH changed the severity to 2 (Med Risk)
OpenCoreCH marked the issue as satisfactory
OpenCoreCH marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/main/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L74-L98
Vulnerability details
Impact
This is a common issue in web2. If the node runs in a cloud such as AWS, Azure or GCP, there is a metadata endpoint at 169.254.169.254 that serves secrets such as the access key / secret key (AK/SK). An attacker can leverage this chain extension function to call the metadata endpoint and obtain the AK/SK of your cloud server, which can then be used to access your cloud account.
Example reference: https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/
Proof of Concept
As we can see, the function http_request calls async_http_request, which collects everything the user passed (URL, method, headers), sends the request, and returns the response to the user. There is no limit or blacklist, so anyone can call it to send a request anywhere they want. In web2 this is called SSRF (Server-side request forgery). So if a user calls this function to make a request to the metadata endpoint (with the special header some cloud providers require), the cloud provider will return the AK/SK of the server, and anyone can use it to log in to your cloud account.
Tools Used
Manual audit
Recommended Mitigation Steps
This function is actually very dangerous and should be used carefully. Here are some mitigations:
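The kind of destination check a mitigation would add, as an added example that is not code from the Phala / pink repository or from the warden: it assumes a Rust chain extension that sees the target URL before a connection is opened, and the function names (is_forbidden_ip, check_destination, host_of) are hypothetical. It rejects loopback, link-local (which covers the 169.254.169.254 metadata endpoint), RFC 1918 private, CGNAT, unspecified and broadcast IPv4 targets, plus the IPv6 equivalents and IPv4-mapped IPv6 forms, and uses only the standard library.

```rust
// Added example, not Phala / pink code: a destination guard that an
// http_request-style chain extension could run before connecting.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, ToSocketAddrs};

/// True if `ip` is an address an untrusted contract must not be allowed to reach.
pub fn is_forbidden_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_forbidden_v4(v4),
        IpAddr::V6(v6) => is_forbidden_v6(v6),
    }
}

fn is_forbidden_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback()                              // 127.0.0.0/8
        || ip.is_link_local()                     // 169.254.0.0/16, incl. cloud metadata
        || ip.is_private()                        // 10/8, 172.16/12, 192.168/16
        || ip.is_unspecified()                    // 0.0.0.0
        || ip.is_broadcast()                      // 255.255.255.255
        || (o[0] == 100 && (o[1] & 0xC0) == 0x40) // 100.64.0.0/10 (CGNAT)
}

fn is_forbidden_v6(ip: Ipv6Addr) -> bool {
    let s = ip.segments();
    // ::ffff:a.b.c.d -> apply the IPv4 rules to the embedded address
    if s[..5] == [0, 0, 0, 0, 0] && s[5] == 0xffff {
        let v4 = Ipv4Addr::new((s[6] >> 8) as u8, s[6] as u8, (s[7] >> 8) as u8, s[7] as u8);
        return is_forbidden_v4(v4);
    }
    ip.is_loopback()                        // ::1
        || ip.is_unspecified()              // ::
        || (s[0] & 0xfe00) == 0xfc00        // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80        // fe80::/10 link local
}

/// Host part of an http(s) URL: scheme, userinfo, port, path and query stripped.
/// Returns None for any other scheme so nothing unexpected slips through.
fn host_of(url: &str) -> Option<String> {
    let rest = url.strip_prefix("http://").or_else(|| url.strip_prefix("https://"))?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let authority = authority.rsplit('@').next()?; // drop user:pass@
    if let Some(inner) = authority.strip_prefix('[') {
        return inner.split(']').next().map(str::to_string); // [::1]:8080
    }
    let host = authority.split(':').next()?;
    if host.is_empty() { None } else { Some(host.to_string()) }
}

/// Resolves the URL's host and returns the addresses that are safe to connect to,
/// or an error naming the first forbidden one. The caller must connect to one of
/// the returned addresses rather than re-resolving the name (DNS rebinding), and
/// must re-run this check on every redirect target.
pub fn check_destination(url: &str) -> Result<Vec<IpAddr>, String> {
    let host = host_of(url).ok_or_else(|| format!("unsupported or malformed url: {url}"))?;
    let addrs: Vec<IpAddr> = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) => (host.as_str(), 0u16)
            .to_socket_addrs()
            .map_err(|e| format!("cannot resolve {host}: {e}"))?
            .map(|sa| sa.ip())
            .collect(),
    };
    if addrs.is_empty() {
        return Err(format!("{host} resolved to no address"));
    }
    if let Some(ip) = addrs.iter().find(|ip| is_forbidden_ip(**ip)) {
        return Err(format!("refusing {url}: {host} -> {ip} is loopback/link-local/private"));
    }
    Ok(addrs)
}

fn main() {
    // Constructed probe URLs; the last one is a public literal and is allowed.
    let probes = [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/computeMetadata/v1/",
        "http://127.0.0.1:8000/",
        "http://user:pw@10.0.0.5/",
        "http://[::1]/",
        "http://93.184.216.34/",
    ];
    for url in probes {
        match check_destination(url) {
            Ok(ips) => println!("allow {url} -> {ips:?}"),
            Err(e) => println!("deny  {e}"),
        }
    }
}
```

The check has to run against the address the client actually connects to; a blocklist applied to the hostname alone is bypassed by a DNS record that points at 169.254.169.254, and one applied only to the first request is bypassed by a redirect. An in-process check like this complements, rather than replaces, an egress firewall or SOCKS proxy that drops link-local and RFC 1918 traffic.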
Assessed type
Other