SSRF in webhooks leads to AWS private keys disclosure
Discovered by honoki on Omise

This issue took 0 Days and 11 hours to triage and 2 Days and 0 hours to resolve once triaged.

Vulnerability Summary

Omise makes use of Amazon AWS as their application environment. Due to a vulnerability in the way webhooks are implemented, an attacker can make arbitrary HTTP/HTTPS requests from the application server and read their responses. This is known as a server-side request forgery (SSRF) vulnerability.

This vulnerability leads to access to Omise's Amazon EC2 instance with the user role aws-opsworks-ec2-role, including AWS private keys.

Description

The vulnerability exists in the way webhooks follow redirects. In general, it appears that redirects are not followed, but an HTTP 303 See Other status code allows an attacker to bypass this restriction.

By pointing my webhook URL to a server that issues a 303 redirect, I am able to redirect and read the responses of arbitrary HTTP/HTTPS requests from the application server. E.g. the following PHP script results in a successful request that is followed by the server:

<?php header('Location: http://<arbitrary-location>', TRUE, 303); ?>

As a result, it is possible to request a number of things, including AWS credentials on the metadata server located at http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role

Steps to reproduce

  • Host the following payload on https://<your-attacker-server>/redir.php:
    <?php header('Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role', TRUE, 303); ?>

Recommendation

I recommend ensuring that all input provided to the endpoint is validated. In this case, also ensure that 303 redirects are not followed.
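To make the two points above concrete (a redirect policy that overlooks 303, and the fix of refusing every 3xx and validating the destination on every hop), here is an added example of an outbound webhook dispatcher. It is not Omise's code and does not show how their webhooks are implemented; the status-code denylist in weak_follow is a hypothetical reconstruction of the kind of policy that lets 303 through, and the DNS and HTTP stand-ins (fake_resolve, fake_fetch, the hosts and addresses they return) are constructed so that the example runs offline.

```python
import ipaddress
from urllib.parse import urlparse


def is_allowed_target(url, resolved_ips):
    """Return True only if the URL is http(s) and every address the host resolved
    to is globally routable. The caller resolves the host once and passes the
    result in, so the addresses that were checked are the ones the connection
    is then made to (no second DNS answer in between)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if not resolved_ips:
        return False
    for raw in resolved_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False
        # is_global is False for RFC 1918 space, loopback and link-local
        # addresses; 169.254.169.254 (the EC2 metadata endpoint) is link-local.
        if not ip.is_global:
            return False
    return True


def weak_follow(status):
    """Hypothetical 'before' policy: blocks a hard-coded list of redirect codes.
    Any 3xx code missing from the list, such as 303 See Other, is followed."""
    return 300 <= status < 400 and status not in (301, 302, 307, 308)


def hardened_follow(status):
    """Corrected policy: never follow any redirect. The webhook consumer must
    serve its endpoint at the registered URL."""
    return False


def deliver(url, resolve, fetch, follow_policy, validate_every_hop, max_hops=5):
    """Deliver one webhook. resolve(host) -> list of IP strings;
    fetch(url) -> (status, headers, body)."""
    hops = 0
    first_checked = False
    while True:
        if not first_checked or validate_every_hop:
            host = urlparse(url).hostname
            if not is_allowed_target(url, resolve(host) if host else []):
                return {"ok": False, "status": None, "url": url, "body": None,
                        "reason": "blocked target"}
            first_checked = True
        status, headers, body = fetch(url)
        location = headers.get("location")
        if follow_policy(status) and location and hops < max_hops:
            url, hops = location, hops + 1
            continue
        return {"ok": 200 <= status < 300, "status": status, "url": url, "body": body,
                "reason": "redirect refused" if 300 <= status < 400 else None}


# Constructed stand-ins for DNS and HTTP (offline; not real hosts or responses).
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],   # constructed public address
    "169.254.169.254": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    # The registered webhook answers with a 303 pointing at the metadata service.
    if url == "https://hooks.example.com/redir":
        return 303, {"location": "http://169.254.169.254/latest/meta-data/"}, ""
    if url.startswith("http://169.254.169.254/"):
        return 200, {}, "CONSTRUCTED-METADATA-BODY"
    return 404, {}, ""


WEBHOOK = "https://hooks.example.com/redir"


def weak_delivery():
    """Denylist policy, destination checked only for the registered URL."""
    return deliver(WEBHOOK, fake_resolve, fake_fetch, weak_follow, validate_every_hop=False)


def hardened_delivery():
    """No redirect is followed; a 3xx from the endpoint is a failed delivery."""
    return deliver(WEBHOOK, fake_resolve, fake_fetch, hardened_follow, validate_every_hop=True)


def defense_in_depth_delivery():
    """Even with the weak redirect policy, re-validating every hop blocks the
    link-local destination."""
    return deliver(WEBHOOK, fake_resolve, fake_fetch, weak_follow, validate_every_hop=True)


if __name__ == "__main__":
    print("weak:    ", weak_delivery())
    print("hardened:", hardened_delivery())
    print("per-hop: ", defense_in_depth_delivery())
```

The two controls are independent: hardened_follow removes the redirect path entirely, and validate_every_hop makes sure that if any redirect is ever followed, the new destination is subject to the same check as the registered URL. Pre-resolving the host and checking the returned addresses (rather than the hostname string) is what keeps a name that resolves to link-local or private space from slipping past a pattern match on the URL.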

I also recommend resetting all AWS access tokens. In addition, I recommend reviewing the Amazon access logs to investigate whether this vulnerability has been exploited in the past.

Attachments

  • 20190312_AWS-SSRF-303-redirect-2.png - Screenshot showing the output of the AWS credentials obtained through the SSRF vulnerability.
  • 20190312_AWS-SSRF-303-redirect.png - Screenshot showing the output of the AWS index of metadata.

Impact

By exploiting this vulnerability, an unauthorized attacker could gain access to the AWS environment of Omise. Note that the SSRF vulnerability could be abused in a variety of ways, not just limited to obtaining AWS credentials; for example, it could be used to enumerate and access services and web applications running on the internal network.