2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How can the SSRF protection mechanism of the Slack backend be bypassed? This article analyses the problem in detail and walks through the bypass, in the hope of helping readers who face the same question find a simple and workable approach.
A flaw in the Slack API (api.slack.com) is shared below. By using Slack's built-in slash command (Slash Commands) feature, the SSRF protection of the Slack backend can be bypassed, yielding two server-side request forgery (SSRF) vulnerabilities in the Slack interface.
Slack is a collaborative office platform and group chat that brings together colleagues, communication and tools so that work gets done efficiently. From the world's top 100 companies to small businesses, millions of people use Slack for internal team communication and coordination.
Analysis of the vulnerability: bypassing Slack's SSRF protection mechanism with slash commands (Slash Commands)
A slash command (/command) is a shortcut to a specific action in Slack: type a slash followed by the command in the message field and press send to run it. For example, /who lists the members of the current channel, /archive archives the current channel, and /collapse collapses the inline images and videos shown in the current channel. By default every member of the workspace can use slash commands, and workspace administrators can also restrict which members may use them.
Earlier, I saw a report titled "bypassing the Slack SSRF protection mechanism" submitted by Nicolas Grégoire on HackerOne. In the report, Nicolas Grégoire gives the following analysis:
In special cases, some combinations of Slack functions, such as "Integrations / Phabricator" and "Integration / Slash Commands", allow users to submit URL links that are handled by the back-end server. In this functional scenario, Slack itself has a blacklist to restrict access to special internal resources, such as loopback, 10.0.0.0/8, 192.168.0.0/24, etc. However, "[::]" can be used as an internal host of Slack to initiate requests to Slack backend servers. This request method is only valid for Slack servers that support IPv6 and bind service ports.
In his fix recommendation, Nicolas Grégoire suggested disabling IPv6 in the requests made by the Outgoing Proxy and by slash commands. Slack fixed it accordingly.
However, even this repaired SSRF protection mechanism can still be bypassed. The test steps are as follows:
1. Log in to api.slack.com and open the slash command (Slash Commands) configuration for your Slack workspace. The Request URL entered here, http://206.189.204.187/, is a website under my own control:
2. On the web server at 206.189.204.187, which I control, set up an index.php page that redirects with a 'Location' header to a new address, http://[::]:22/. According to Nicolas Grégoire's finding, this address http://[::]:22/ is an IPv6-capable internal host of Slack. Index.php:
3. Through api.slack.com, open your Slack workspace xxxx.slack.com and add the corresponding slash command. During this process, the request to http://206.189.204.187/ indirectly causes a request to port 22 of the Slack internal server, http://[::]:22/. The result is as follows:
4. After changing the index.php page at http://206.189.204.187/ to redirect to http://[::]:25/, port 25 of the Slack internal server turns out to be closed, so the result is as follows:
That is, if port 22 of the Slack internal server is open, the response is the following:
Protocol mismatch.
For SMTP on TCP/25 (step 4 above), the response is the following:
220 squid3.tinyspeck.com ESMTP Postfix
221 2.7.0 Error: I can break rules, too. Goodbye.
Vulnerability impact
By exploiting this SSRF vulnerability, an attacker can use the server's own functionality to read internal resource information and probe internal service ports and versions.
Vulnerability reporting process
July 13, 2018: initial vulnerability report
July 13, 2018: vulnerability triaged
January 23, 2019: Slack awarded $500
February 22, 2019: vulnerability disclosed
Bypassing the SSRF protection mechanism via the Event Subscriptions interface parameters of Slack
Vulnerability analysis
Slack's Events API (https://api.slack.com/events-api) triggers calls when various events occur, such as when a message is sent or a channel is changed. When building private, customised Slack applications, we often use the Slack Events API.
When configuring the Events API, we need to set a Request URL as the event subscription address under Event Subscriptions. Once the address is set, whenever an event occurs Slack sends an HTTP POST request to it containing the "type", "challenge", and "token" parameters for event validation.
The SSRF protection bypass vulnerability exists here: https://api.slack.com/apps/YOUAPPCODE/event-subscriptions?. When the subscription URL we set does not meet the Slack API standard, the following response message is returned:
Your request URL gave us a 500 error. Update your URL to receive a new request and challenge value.
After testing, I found that the same IPv6 address format [::] can also be used here. For example, on the website I manage, set up an x.php with the following content:
We construct the URL http://hacker.site/x.php/?u=http://[::]:22/ and URL-encode it as http://hacker.site/x.php/?u=http://%5B::%5D:22/. Enter it in the Request URL of the subscription address and you will get the following response:
In other words, when port 22 of the Slack internal server is open, the response to this request is as follows:
"body": {SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4Protocol mismatch.}
If the Slack internal server port is not open (port 25), the response is as follows:
"body": {220 squid-iad-ypfw.tinyspeck.com ESMTP Postfix221 2.7.0 Error: I can break rules, too. Goodbye.}
If the Slack internal server port does not exist, there is no response at all:
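Both bypasses above work for the same two reasons: the blacklist did not treat the IPv6 unspecified address [::] as internal, and the backend followed the attacker's Location redirect without re-checking where it pointed. The following is an added defender-side example in Python (not code from the original post or from Slack) that closes both gaps; it goes beyond the page by also covering IPv4-mapped IPv6 literals, DNS-resolved hostnames and non-web ports. The function names, the injectable `resolver` parameter and the `fetch` callback are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

def _addr_is_internal(addr: str) -> bool:
    """True for any address a webhook must never reach: loopback, unspecified
    ([::], 0.0.0.0), private/ULA, link-local, reserved, multicast, and the
    IPv4-mapped IPv6 forms of those (e.g. ::ffff:127.0.0.1)."""
    ip = ipaddress.ip_address(addr)  # ValueError if addr is not a literal
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge the embedded IPv4 address instead
    return (ip.is_loopback or ip.is_unspecified or ip.is_private
            or ip.is_link_local or ip.is_reserved or ip.is_multicast)

def is_safe_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Allow only http(s) URLs on ports 80/443 whose host is, or resolves only
    to, globally routable addresses. resolver is injectable (assumed API)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port  # ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False  # a webhook has no business talking to 22 or 25
    host = parts.hostname  # urlsplit already strips the [] of IPv6 literals
    try:
        return not _addr_is_internal(host)  # literal address: judge directly
    except ValueError:
        pass  # a hostname: every record it resolves to must be global
    try:
        infos = resolver(host, None)
    except OSError:
        return False
    addrs = {info[4][0] for info in infos}
    return bool(addrs) and not any(_addr_is_internal(a) for a in addrs)

def fetch_with_checked_redirects(url, fetch, max_hops=3):
    """fetch(url) -> (status, headers, body) and must NOT follow redirects on
    its own; every Location is validated before it is requested, which is
    what defeats the index.php / x.php redirect trick. Returns (url, body)."""
    for _ in range(max_hops + 1):
        if not is_safe_url(url):
            raise ValueError(f"blocked request to {url}")
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        url = urljoin(url, headers.get("Location", ""))  # relative Location ok
    raise ValueError("too many redirects")
```

Resolving in the validator and again inside the HTTP client leaves a DNS rebinding window; a production fetcher should connect to the address it validated rather than re-resolving the name.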
Vulnerability impact
By exploiting this SSRF vulnerability, an attacker can use the server's own functionality to read internal resource information and probe internal service ports and versions. After the vulnerability was reported, the Slack security team thought my report was a duplicate, but I think they made a mistake, and in the end Slack considered my vulnerability valid.