Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix query param in reconfig_redirect_opts! #19700

Merged
merged 2 commits into from
Dec 11, 2024
Merged

Fix query param in reconfig_redirect_opts! #19700

merged 2 commits into from
Dec 11, 2024
+5 −1

Conversation

jheysel-r7
Copy link
Contributor

@jheysel-r7 jheysel-r7 commented Dec 6, 2024
edited
Loading

The reconfig_redirect_opts! method in http_client.rb seems to be incorrectly setting the opts['query'] parameter when using send_request_cgi! to follow redirects.

If your original request is:

GET /oauth2/authorize?sessionDataKey=4458b43e-2893-4040-97c5-86ea755d3e02

and the response to that request has a location header of:

Location: https://localhost:9443/publisher/services/auth/callback/login?code=e99ba285-3080-3e04-bf65-361f65ed19ae&session_state=014cce7455854c32ab50bc4c570e6f00f99c1bf267c930f0529fc646e5c69e22.l6peBE-xSHT2Un6O6fgi5Q

The URI of the next request should be the location header mentioned above however because opts['query'] (the GET request parameter(s) from the original request) is already set, it doesn't get reset, so the next request ends up being:

GET /publisher/services/auth/callback/login?sessionDataKey=4458b43e-2893-4040-97c5-86ea755d3e02

Which seems to be an incorrect combination of the original requests's parameters with the location header's path.

I noticed this when I was attempting to rewrite the manual handling of redirection here:
https://github.com/rapid7/metasploit-framework/pull/19647/files#diff-0c05ed862598aef0fcdd978f22c5676c187ea3d7d41da4de51627170fed6f455R195-R211

Below are some HTTP trace logs from the failed attempt of trying to replace the manual redirection with send_request_cgi!.

HTTP trace of current incorrect behaviour 

####################
# Request:
####################
POST /commonauth HTTP/1.1
Host: 127.0.0.1:9443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15
Cookie: CLIENT_ID=Cs3HoNXfgrrQxQFz1zCh48GplTwa; sessionNonceCookie-e6b37efb-7fe2-45f6-9490-d1adbff1dfc8=e719c76d-b805-464f-bb27-e1fb02c57f34
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 105

usernameUserInput=admin&username=admin&password=admin&sessionDataKey=e6b37efb-7fe2-45f6-9490-d1adbff1dfc8
####################
# Response:
####################
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: pastr-e6b37efb-7fe2-45f6-9490-d1adbff1dfc8=5aa579e8-37e3-480f-b790-2535d1441270; Path=/; Secure; HttpOnly, pastr-e6b37efb-7fe2-45f6-9490-d1adbff1dfc8=5aa579e8-37e3-480f-b790-2535d1441270; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly, sessionNonceCookie-e6b37efb-7fe2-45f6-9490-d1adbff1dfc8=e719c76d-b805-464f-bb27-e1fb02c57f34; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly, commonAuthId=be1036f1-4a32-4820-b85d-8b2de905c20b; Path=/; Secure; HttpOnly
Location: https://127.0.0.1:9443/oauth2/authorize?sessionDataKey=4458b43e-2893-4040-97c5-86ea755d3e02
Content-Length: 0
Date: Fri, 06 Dec 2024 01:29:52 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Server: WSO2 Carbon Server


####################
# Request:
####################
GET /oauth2/authorize?sessionDataKey=4458b43e-2893-4040-97c5-86ea755d3e02 HTTP/1.1
Host: 127.0.0.1:9443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15
Cookie: CLIENT_ID=Cs3HoNXfgrrQxQFz1zCh48GplTwa; commonAuthId=be1036f1-4a32-4820-b85d-8b2de905c20b
Connection: keep-alive


####################
# Response:
####################
HTTP/1.1 302
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: opbs=d07376fb-babd-4020-bc8e-771c0ec31ae7; Path=/; Secure
Location: https://localhost:9443/publisher/services/auth/callback/login?code=e99ba285-3080-3e04-bf65-361f65ed19ae&session_state=014cce7455854c32ab50bc4c570e6f00f99c1bf267c930f0529fc646e5c69e22.l6peBE-xSHT2Un6O6fgi5Q
Date: Fri, 06 Dec 2024 01:29:52 GMT
Content-Length: 0
Keep-Alive: timeout=60
Connection: keep-alive
Server: WSO2 Carbon Server


####################
# Request:
####################
GET /publisher/services/auth/callback/login?sessionDataKey=4458b43e-2893-4040-97c5-86ea755d3e02 HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15
Cookie: CLIENT_ID=Cs3HoNXfgrrQxQFz1zCh48GplTwa; commonAuthId=be1036f1-4a32-4820-b85d-8b2de905c20b; opbs=d07376fb-babd-4020-bc8e-771c0ec31ae7
Connection: keep-alive


####################
# Response:
####################
HTTP/1.1 200
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: text/html
Content-Length: 0
Date: Fri, 06 Dec 2024 01:29:52 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Server: WSO2 Carbon Server

After implementing this change the module works correctly when using send_request_cgi! instead of manually handing the redirection.

@jheysel-r7 jheysel-r7 added the bug label Dec 6, 2024
@jheysel-r7 jheysel-r7 mentioned this pull request Dec 6, 2024
Open
heyder
heyder approved these changes Dec 9, 2024
View reviewed changes
Copy link
Contributor

@heyder heyder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested it with the module multi/http/wso2_api_manager_file_upload_rce and it is working just fine.

adfoster-r7
adfoster-r7 reviewed Dec 11, 2024
View reviewed changes
lib/msf/core/exploit/remote/http_client.rb
Comment on lines +502 to +506
if location.query
opts['query'] = location.query
else
opts['query'] = ''
end
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if location.query
opts['query'] = location.query
else
opts['query'] = ''
end
opts['query'] = location.query

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like we default to '' in the bowels of rex, not a blocker

metasploit-framework/lib/rex/proto/http/client_request.rb

Line 31 in c3cf56f

'query' => '',

@adfoster-r7
Copy link
Contributor

Before

Previous params incorrectly used in redirect

msf6 auxiliary(scanner/http/title) > run -r https://httpbin.org/absolute-redirect/1?a=b httptrace=true followredirect=true
[*] Reloading /Users/user/metasploit-framework/lib/msf/core/exploit/remote/http_client.rb

####################
# Request:
####################
GET /absolute-redirect/1?a=b HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15


####################
# Response:
####################
HTTP/1.1 302 FOUND
Date: Wed, 11 Dec 2024 23:27:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 251
Connection: keep-alive
Server: gunicorn/19.9.0
Location: http://httpbin.org/get
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="http://httpbin.org/get">http://httpbin.org/get</a>.  If not click the link.
####################
# Request:
####################
GET /get?a=b HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15


####################
# Response:
####################
HTTP/1.1 200 OK
Date: Wed, 11 Dec 2024 23:27:39 GMT
Content-Type: application/json
Content-Length: 354
Connection: keep-alive
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

{
  "args": {
    "a": "b"
  }, 
  "headers": {
    "Host": "httpbin.org", 
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15", 
    "X-Amzn-Trace-Id": "Root=1-675a1feb-26047e6172b926417f00eb06"
  }, 
  "origin": "64.125.235.5", 
  "url": "http://httpbin.org/get?a=b"
}

After

No query params added

msf6 auxiliary(scanner/http/title) > run -r https://httpbin.org/absolute-redirect/1?a=b httptrace=true followredirect=true
[*] Reloading /Users/user/metasploit-framework/lib/msf/core/exploit/remote/http_client.rb

####################
# Request:
####################
GET /absolute-redirect/1?a=b HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15


####################
# Response:
####################
HTTP/1.1 302 FOUND
Date: Wed, 11 Dec 2024 23:24:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 251
Connection: keep-alive
Server: gunicorn/19.9.0
Location: http://httpbin.org/get
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="http://httpbin.org/get">http://httpbin.org/get</a>.  If not click the link.
####################
# Request:
####################
GET /get HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15


####################
# Response:
####################
HTTP/1.1 200 OK
Date: Wed, 11 Dec 2024 23:24:10 GMT
Content-Type: application/json
Content-Length: 334
Connection: keep-alive
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

{
  "args": {}, 
  "headers": {
    "Host": "httpbin.org", 
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15", 
    "X-Amzn-Trace-Id": "Root=1-675a1f1a-110c122b04354d9668a29e8e"
  }, 
  "origin": "64.125.235.5", 
  "url": "http://httpbin.org/get"
}

[-] [44.196.3.45:443] No webpage title

@adfoster-r7 adfoster-r7 self-assigned this Dec 11, 2024
@adfoster-r7 adfoster-r7 merged commit 31930f4 into rapid7:master Dec 11, 2024
70 checks passed
@adfoster-r7
Copy link
Contributor

Release Notes

Fixes a bug where HTTP redirects were not handling HTTP query parameters correctly

@cgranleese-r7 cgranleese-r7 added the rn-fix release notes fix label Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adfoster-r7 adfoster-r7 adfoster-r7 approved these changes

@heyder heyder heyder approved these changes

Assignees

@adfoster-r7 adfoster-r7

Labels
bug rn-fix release notes fix
Projects
Metasploit Kanban
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jheysel-r7 @adfoster-r7 @heyder @cgranleese-r7