KePass Server Side Request Forgery (SSRF) Vulnerability
A lightweight and easy-to-use password manager
Brought to you by:
dreichl
Menu
▾
▴
1 Attachments
#1703 KePass Server Side Request Forgery (SSRF) Vulnerability
KePass Server Side Request Forgery (SSRF) Vulnerability
Affected Version:
KePass 2.38
Description:
Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. Additionally, it’s also possible for an attacker to leverage SSRF to access services from the same server that is listening on the loopback interface (127.0.0.1).
Typically Server Side Request Forgery (SSRF) occurs when a web application is making a request, where an attacker has full or partial control of the request that is being sent. A common example is when an attacker can control all or part of the URL to which the web application makes a request to some third-party service.
Relying on the scheme http://domain:port I was able to port scan Internet facing servers (eg. scanme.nmap.org) for open/closed ports.
So here's the responses I got:
Open Port (running non-HTTP aware service)
Response: The server committed protocol violation.
For more details please find attached report.
Thanks
Sachin Wagh
How does that affect KeePass running on your PC? (I've not read the PDF)
cheers, Paul
Hello Paul,
Thanks for replying. An attacker can control the URL to which the web application makes a request to some third-party service. Relying on the scheme http://domain:port I was able to port scan Internet facing servers (eg. scanme.nmap.org) for open/closed ports. For more details please go through the report.
Thanks.
Why can't you write it in plain text?
cheers, Paul
Affected Version:
KePass 2.38
Description:
Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network.
Typically Server Side Request Forgery (SSRF) occurs when a web application is making a request, where an attacker has full or partial control of the request that is being sent. A common example is when an attacker can control all or part of the URL to which the web application makes a request to some third-party service.
Relying on the scheme http://domain:port I was able to port scan Internet facing servers (eg. scanme.nmap.org) for open/closed ports.
So here's the responses I got:
Open Port (running non-HTTP aware service)
Response: The server committed protocol violation.
-> Please find attached snapshot
Open Port (running HTTP aware service)
Response: No response/error
-> Please find attached snapshot
Closed Port
Response: The underlying connection was closed. An unexpected error occurred on receive.
-> Please find attached snapshot
So observing the above request/response pairs we can conduct port scans .
Reference:
https://www.owasp.org/index.php/Server_Side_Request_Forgery
Credit:
Sachin Wagh (@tiger_tigerboy)
KeePass is a local application, not a web application. In the 'Open From URL' dialog, the user enters the URL, not an attacker. Thus, we don't have a SSRF here.
Best regards,
Dominik