Tuesday, 14 June 2016

SSRF and User IP Address Grabbing Vulnerability in ESEA [Web]

Greetings Reader, Here I come up with another interesting article / blog post about the vulnerability that I found on ESEA (https://play.esea.net) almost a month before. Where a web app functionality causing two critical vulnerabilities SSRF (Server Site Request Forgery) and other one that can allow attacker to grab IP address of any user. However both the issues are different and reported different but causing by same functionality. This one is interested finding so I made up my mind to write up about this issue. So lets begin-

Vulnerable Domain - https://play.esea.net

Vulnerability Name - SSRF and Grabbing users IP address

About Target Domain - E-Sports Entertainment Association League (ESEA) is an esports competitive video gaming community founded by E-Sports Entertainment Association (ESEA). It is widely known for their anti-cheat software. ESEA features a system that allows players of all levels to play matches with others.

ESEA provide guestbook to every user where other users can post (comment) anything only if it is unlocked and same commenting functionality provided on forum posts, news posts and user's account (guestbook). This is where the issue occurs. If user posted any link/URL that contains an image such as http://example.com/image.jpg then moving mouse on that link shows the thumbnail of that image. For example user posted a link in comment such as http://site.com/rat.jpg then move your mouse on the link that you posted, will shows a small thumbnail on ESEA website. This is happening because the link automatically executing in case of creating a thumbnail of image.

So another question may arise, why they required such functionality? Initially ESEA allows to post video (gameplay) from YouTube for some contests. So this functionality shows the thumbnail  from YouTube video and later I noticed, it is working on image URL as well.

As I confirmed the image URL executing automatically so this is the perfect place to test SSRF. That mean If http://sitename.com:80/image.jpg shows the thumbnail in the guestbook by moving mouse on it then site as http/80 port is open. But if we found it closed ports like http://sitename.com:32564/image.jpg, as port is closed the output will not be displayed.

    http://sitename.com:80/image.jpg=> It gives an output (Port 80 is open)
    http://sitename.com:32564/image.jpg => No output (Port 32564 is closed)

As you can check in below image, FTP port 21 automatically executing. It doesn't sanitizing the input. 

So after formalities and procedure they verified and resolved this vulnerability and later stage port number filtered and doesn't executing anymore. And I got reward $500 for this bug + 500 ESEA points + Profile badge.

ESEA bug bounty

But but... One thing left

After fixing SSRF, I noticed that the URL still executing only with HTTP and HTTPS and the thumbnail still appears so I thought to use GIF image to grab user's information. So I crafted a GIF to grab user's information such as IP address, user agent then pasted the link on guestbook. Next time when I refreshed the page, I found the GIF image URL successfully executed that mean it created a log into log file. Later I tried to use http://iplogger.org/ to easy my task and it perfectly worked.

This vulnerability is pretty simple with critical severity and allowed me to grab information of user from guestbook, forums and news. Suppose in case of grabbing users information you just need to paste it where the most of users visit frequently such as latest news section, latest forum posts or if you want to target any particular user then all you have to do is to paste the link in victims guestbook so whenever the user visit his/her guestbook will be a victim.

First they rewarded me $500 for this bug + 500 ESEA points + Profile badge.

but later they increased the payout to $750 -

After submitting this issue they fixed as soon as possible. And I'm glad to work with them. They are really dedicated toward work and try to reply as fast they can. I have hunted more bugs such as CSRF that worth $1000 and other logical issues.


Post a Comment