
CVE-2020-24881

Requirements

  • Non-privileged access to the osTicket instance
    • You simply need to be able to create tickets and leave a response. Most instances allow anyone to create an account, as long as the email is valid and verified.

Description

The CVE was only reported as a blind SSRF vulnerability, but it can also be used to exploit CSRF vulnerabilities. Both rely on the fact that no filtering is applied to the URL inserted into an <img> tag when posting comments on tickets. If an agent views the ticket with the malicious IMG src, an arbitrary GET request is made on their behalf (CSRF). If the attacker presses "Print", the server itself makes the HTTP request (blind SSRF). Both vulnerabilities have been condensed into a single PoC, osticketRF.py.
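As an added example (not code from this PoC or from osTicket), the check that the description above says is missing: an allowlist filter applied to the src attribute of every <img> tag before a comment is stored. Only absolute http(s) URLs whose host is on an allowlist survive; anything else, including protocol-relative and non-HTTP schemes, is dropped and reported. The allowlisted host name and the sample comment are constructed.

```python
"""Allowlist filter for <img src> in user-supplied ticket comments (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the help desk is allowed to embed images from (constructed value).
DEFAULT_ALLOWED_HOSTS = frozenset({"cdn.example-helpdesk.test"})


def src_is_allowed(src, allowed_hosts):
    """Accept only absolute http(s) URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(src.strip())
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):   # rejects "//host/x", data:, ftp:, etc.
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


class ImgSrcFilter(HTMLParser):
    """Re-emit the markup unchanged except for <img> tags with a disallowed src."""

    def __init__(self, allowed_hosts):
        # convert_charrefs=False so entities reach handle_entityref/handle_charref
        # and are re-emitted escaped instead of being decoded into raw markup.
        super().__init__(convert_charrefs=False)
        self.allowed_hosts = allowed_hosts
        self.out = []       # sanitized output fragments
        self.dropped = []   # src values that were removed, for logging/alerting

    def _emit_tag(self, tag, attrs, self_closing):
        if tag == "img":
            src = dict(attrs).get("src")
            if src is None or not src_is_allowed(src, self.allowed_hosts):
                self.dropped.append(src)
                return
        rendered = "".join(
            f' {name}="{escape(value or "", quote=True)}"' for name, value in attrs
        )
        self.out.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    # Comments, doctype and processing instructions are silently discarded.


def sanitize_comment(html, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return (sanitized_html, dropped_srcs) for one ticket comment."""
    parser = ImgSrcFilter(allowed_hosts)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), list(parser.dropped)


# Constructed sample comment: one internal image target, one allowlisted image.
SAMPLE_COMMENT = (
    'Hello <b>team</b>, see <img src="http://10.0.0.5:8080/status"> and '
    '<img src="https://cdn.example-helpdesk.test/logo.png" alt="logo"> &amp; thanks'
)

if __name__ == "__main__":
    clean, dropped = sanitize_comment(SAMPLE_COMMENT)
    print(clean)
    print("dropped:", dropped)
```

This only demonstrates the src check; a production deployment would run comments through a full HTML sanitizer with an element and attribute allowlist, since other attributes and tags carry their own risks.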

The usage for osticketRF.py is:

usage: osticketRF.py [-h] -d DOMAIN -f FILE -a ATTACK -t TICKET -s SESSION

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        osTicket domain, example - https://os.ticket.com
  -f FILE, --file FILE  Text file of links for the victim to contact, example link - https://malicious.com:80/path?param=value
  -a ATTACK, --attack ATTACK
                        Attack to perform (ssrf or csrf, case insensitive)
  -t TICKET, --ticket TICKET
                        Ticket ID to comment on
  -s SESSION, --session SESSION
                        Include the value for the OSTSESSID cookie

Example usage:

python3 osticketRF.py -d https://my.domain.com -f ~/links.txt -a ssrf -t 12 -s dq0pi20bhn1gkdq0pi20b

Notes

PoC

  • Since the payload for a single link is very simple (<img src="http://malicious.com/path?query=value">), the PoC was given the ability to read in a file of multiple links, to automate the process when several HTTP requests need to be made. This way, if the attacker wants to scan an entire subnet or multiple ports using blind SSRF (for example), they can simply pass in a text file of all the links and the PoC will deliver them all at once.
  • Multiple image files may be placed into the same comment without limit, and this is the default behavior for the PoC if multiple links are provided.

Blind SSRF

  • This attack does not require any other user interaction. If the attacker leaves a comment with an image and then presses the "Print" button, the server will make the request. This is automated in the PoC.

CSRF

  • When the page is first opened, the images are not shown by default. Instead, the user must click the "Show Images" button for each comment. This means the CSRF vulnerability does require user interaction; however, this is a likely interaction by an agent if the ticket looks legitimate.
  • CSRF tokens are included in each POST request made to osTicket, meant to invalidate this exact attack. However, if osTicket endpoints are found without CSRF validation, or if the forged request targets another vulnerable site, the attack should still work.
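As an added example (again not code from this repository or from osTicket), an egress check for the server-side fetch that the "Print" path performs. It addresses the subnet and port scanning that the PoC and Blind SSRF notes describe: the scheme and port are restricted, and any host that resolves to a loopback, private, link-local or otherwise non-public address is refused. The host names and addresses are constructed and resolved through an injectable resolver so the block runs offline.

```python
"""Egress guard for server-side image fetches (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(host):
    """Resolve with the OS resolver; returns every A/AAAA address for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_public(ip):
    """True only for addresses the server may legitimately reach on the Internet."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolve=system_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname            # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:   # blocks the "multiple ports" scanning use
        return False, f"port {port} not allowed"
    try:
        ipaddress.ip_address(host)   # literal IP: no lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except (socket.gaierror, OSError):
            return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    # Every address must be public: a name that also maps to an internal
    # address (split-horizon or rebinding) is refused outright.
    for ip in addrs:
        if not address_is_public(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS table standing in for the real resolver during a dry run.
FAKE_DNS = {
    "images.example-public.test": ["93.184.216.34"],
    "intranet.corp.test": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://images.example-public.test/logo.png",
                "http://intranet.corp.test/status",
                "http://10.0.0.5:8080/status",
                "http://rebind.test/"):
        print(url, "->", check_outbound_url(url, fake_resolve))
```

The resolved address is only trustworthy if the fetch then connects to that same address; resolving a second time inside the HTTP client reopens the rebinding window, so a real guard either pins the validated address or re-checks the peer address after the socket connects.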

Credits

Based on the blog article "CVE-2020–24881: Server Side Request Forgery in OsTicket", located here, by Talatmehmood.