Bypass domain check using ToCToU for SSRF/XXE/OOB, Etc

Bypass domain check using ToCToU for SSRF/XXE/OOB, Etc


๐Ÿค” What is ToCToU?

In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

To explain a little bit, A service checks the data received from the user for check problems using the function B, and registers data as a function called C. In this process, there may be a small/or large time difference between B and C, but if you can change the data received from the user within that time difference, that the input value of B check logic and the input value of C registration function can be different. Then, the B function applied for security is bypassed, which can lead to other vulnerabilities.

In normal cases, inspection functions such as B and processing logic/business logic such as C are in close proximity, with little time difference, but specifications such as logic, policy, or code often widen the gap between B and C. If the attacker recognized this gap, it would be a way to disable the inspection function, as I said above.

ToCToU๋Š” Time Of Check to Time Of Use์˜ ์‹œ๊ฐ„์ฐจ๋ฅผ ์ด์šฉํ•œ ๊ณต๊ฒฉ์ด๋ฉฐ ๋ณดํ†ต Race condition attack์—์„œ ๋งŽ์ด ๋‚˜์˜ค๋˜ ๊ฐœ๋…์ž…๋‹ˆ๋‹ค. (์˜ˆ์ „์— toctou ๊ด€๋ จ ๊ธ€์„ ์“ฐ๊ธด ํ—€์—ˆ๋„ค์š”. ๋‹ค๋งŒ ๋ณ„ ๋‚ด์šฉ์€ ์—†๋Š”..ใ…‹ใ…‹)

์•ฝ๊ฐ„ ์„ค๋ช…ํ•˜์ž๋ฉด, A์„œ๋น„์Šค๋Š” ์‚ฌ์šฉ์ž๋กœ๋ถ€ํ„ฐ ๋ฐ›์€ ๋ฐ์ดํ„ฐ๋ฅผ B๋ผ๋Š” ํ•จ์ˆ˜๋กœ ๋ฌธ์ œ๊ฐ€ ์žˆ๋Š”์ง€ ๊ฒ€์‚ฌํ•˜๊ณ , C๋ผ๋Š” ํ•จ์ˆ˜๋กœ ๋“ฑ๋กํ•œ๋‹ค๊ณ  ์นฉ์‹œ๋‹ค. ์ด ๊ณผ์ •์—์„œ B์™€ C์‚ฌ์ด์—๋Š” ์‹œ๊ฐ„์ฐจ๊ฐ€ ์ ์„์ˆ˜๋„ ๋งŽ์„์ˆ˜๋„ ์žˆ๋Š”๋ฐ์š”, ๊ทธ ์‹œ๊ฐ„์ฐจ์ด ๋‚ด์— ์‚ฌ์šฉ์ž๋กœ ๋ถ€ํ„ฐ ๋ฐ›์€ ๋ฐ์ดํ„ฐ๋ฅผ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ๋‹ค๋ฉด B ๊ฒ€์‚ฌ ๋กœ์ง์˜ input๊ณผ C ๋“ฑ๋ก ํ•จ์ˆ˜์˜ input์„ ๋‹ค๋ฅด๊ฒŒ ์ค„ ์ˆ˜ ์žˆ๋‹ค๋Š” ์ด์•ผ๊ธฐ๊ฐ€ ๋ฉ๋‹ˆ๋‹ค. ๊ทธ๋Ÿฌ๋ฉด ๋ณด์•ˆ์„ฑ์„ ์œ„ํ•ด ์ ์šฉํ•œ B ํ•จ์ˆ˜๊ฐ€ ๋ฌด๋ ฅํ™” ๋˜๊ธฐ ๋•Œ๋ฌธ์— ๋‹ค๋ฅธ ์ทจ์•ฝ์ ์œผ๋กœ ์—ฐ๊ฒฐ๋  ์ˆ˜ ์žˆ๋Š” ํฌ์ธํŠธ๊ฐ€ ๋˜์ง€์š”.

๋ณดํ†ต์˜ ๊ฒฝ์šฐ B์™€ ๊ฐ™์€ ๊ฒ€์‚ฌ ํ•จ์ˆ˜์™€ C์™€ ๊ฐ™์€ ์ฒ˜๋ฆฌ๋กœ์ง/๋น„์ฆˆ๋‹ˆ์Šค ๋กœ์ง์€ ๊ฐ€๊นŒ์šด ์œ„์น˜์— ์žˆ์–ด ์‹œ๊ฐ„ ์ฐจ์ด๊ฐ€ ๊ฑฐ์˜ ๋‚˜์ง€ ์•Š์ง€๋งŒ ๋กœ์ง,์ •์ฑ…,์ฝ”๋“œ ๋“ฑ์˜ ํŠน์ด์‚ฌํ•ญ์œผ๋กœ B์™€ C์‚ฌ์ด์˜ ๊ฐ„๊ฒฉ์ด ๋ฒŒ์–ด์ง€๋Š” ๊ฒฝ์šฐ๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด ํ‹ˆ์ƒˆ๋ฅผ ๊ณต๊ฒฉ์ž๊ฐ€ ์ธ์ง€ํ–ˆ๋‹ค๋ฉด ์œ„์—์„œ ์ด์•ผ๊ธฐ๋“œ๋ฆฐ๋Œ€๋กœ ๊ฒ€์‚ฌ ํ•จ์ˆ˜๋ฅผ ๋ฌด๋ ฅํ™”ํ•  ์ˆ˜ ์žˆ๋Š” ๋ฐฉ๋ฒ•์ด ๋ฉ๋‹ˆ๋‹ค.

์ข‹์•„, ๋ฌ์–ด! ํŠธ๋ฆฌ๊ฑฐ์•ผ ๐Ÿ˜๐Ÿ˜๐Ÿ˜๐Ÿ˜๐Ÿ˜

โšก๏ธ Bypassing protection for SSRF/OOB/XXE, etc..

ToCToU is commonly known as a system hacking technique, but the principle itself is sufficiently used for web hacking. Iโ€™ll explain it briefly with a few examples.

๋ณดํ†ต ToCToU๋Š” ์‹œ์Šคํ…œ ํ•ดํ‚น ๊ธฐ๋ฒ•์œผ๋กœ ๋งŽ์ด ์•Œ๋ ค์ ธ ์žˆ์ง€๋งŒ, ์›๋ฆฌ ์ž์ฒด๋Š” ์ถฉ๋ถ„ํžˆ ์›น ํ•ดํ‚น์—๋„ ์ด์šฉ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ช‡๊ฐ€์ง€ ์˜ˆ์‹œ๋ฅผ ํ†ตํ•ด ๊ฐ€๋ณ๊ฒŒ ์„ค๋ช…ํ•ด๋ณผ๊ฒŒ์š”.

The condition I talked about above is whether it is possible to change user input when there is a time difference. One of the things that can satisfy this condition is the DNS Record. DNS records can be changed at any time by the domain owner, and although it depends on the circumstances, they can usually be changed for DNS information such as A Record and CNAME within 30 minutes. Which means that if there is some difference between verification of URLs/Domain and running intervals, modifying DNS records will allow malicious behavior.

์ œ๊ฐ€ ์œ„์—์„œ ์ด์•ผ๊ธฐ๋“œ๋ฆฐ ์กฐ๊ฑด์€ ์‹œ๊ฐ„ ์ฐจ์ด๊ฐ€ ์žˆ์„ ๋•Œ ์‚ฌ์šฉ์ž ์ž…๋ ฅ์„ ๋ณ€๊ฒฝ์ด ๊ฐ€๋Šฅํ•œ์ง€ ์—ฌ๋ถ€์ž…๋‹ˆ๋‹ค. ์ด ์กฐ๊ฑด์„ ์ถฉ์กฑํ•  ์ˆ˜ ์žˆ๋Š” ๊ฒƒ ์ค‘ ํ•˜๋‚˜๊ฐ€ DNS Record์ž…๋‹ˆ๋‹ค. DNS Record๋Š” ๋„๋ฉ”์ธ ์†Œ์œ ์ž๊ฐ€ ์–ธ์ œ๋“ ์ง€ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ƒํ™ฉ์— ๋”ฐ๋ผ ๋‹ค๋ฅด๊ฒ ์ง€๋งŒ ๋ณดํ†ต 30๋ถ„ ์ด๋‚ด๋กœ A Record, CNAME ๋“ฑ DNS ์ •๋ณด์— ๋Œ€ํ•ด ๋ณ€๊ฒฝ์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ๊ทธ ๋ง์€ ๊ณง URL/Domain์— ๋Œ€ํ•œ ๊ฒ€์ฆ๊ณผ ์‹คํ–‰ํ•˜๋Š” ๊ตฌ๊ฐ„์˜ ์ฐจ์ด๊ฐ€ ์–ด๋Š์ •๋„ ๋ฒŒ์–ด์ง€๋Š” ๊ฒฝ์šฐ DNS Record ์ˆ˜์ •์„ ํ†ตํ•ด ์•…์˜์ ์ธ ํ–‰์œ„๊ฐ€ ๊ฐ€๋Šฅํ•˜๋‹ค๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.

For one example, A service has the ability to directly access the URL received from the user and show the results. Security protection logic is all followed redirects and then blocks access if they are private IP bands of final domain of IP.

If the time difference that reflects the DNS Record correction is shorter than the time difference between the logic being inspected and the functionality being accessed, you can bypass the final destination IP of the examination logic and web request processing logic.

ํ•œ๊ฐ€์ง€ ์˜ˆ๋ฅผ๋“ค์–ด๋ณด๋ฉด, A์„œ๋น„์Šค๋Š” ์‚ฌ์šฉ์ž๋กœ ๋ถ€ํ„ฐ ๋ฐ›์€ URL์„ ์ง์ ‘ ์ ‘๊ทผํ•ด์„œ ๊ฒฐ๊ณผ๋ฅผ ๋ณด์—ฌ์ฃผ๋Š” ๊ธฐ๋Šฅ์„ ๊ฐ€์กŒ๋‹ค๊ณ  ์นฉ์‹œ๋‹ค. ์ด ๋•Œ URL์— ๋Œ€ํ•œ ๊ฒ€์ฆ์€ ๋‚ด๋ถ€ ์„œ๋น„์Šค๋ฅผ ์ฐธ์กฐํ•  ์ˆ˜ ์—†๋„๋ก ์ตœ์ข… ๋ชฉ์ ์ง€์˜ IP๊ฐ€ ์‚ฌ์„ค๋Œ€์—ญ ์ธ์ง€ ์ฒดํฌํ•œ๋‹ค๊ณ  ํ•˜๋ฉด, ๋ณดํ†ต ์ž˜ ์•Œ๋ ค์ง„ ๊ฒ€์ฆ ๋ฐฉ๋ฒ•์œผ๋กœ ๋ด…๋‹ˆ๋‹ค. (๋„คํŠธ์›Œํฌ ๊ตฌ์„ฑ๋‹จ ์ฐจ๋‹จ์ด ์•„๋‹ˆ๋ผ๋ฉด ๋ชจ๋“  redirect ๋“ฑ์˜ ์ฒ˜๋ฆฌ ํ›„ ์ตœ์ข… ๋ชฉ์ ์ง€์˜ IP ๊ฒ€์ฆ์ด ๊ฐ€์žฅ ๋ช…ํ™•ํ•œ ๊ฒ€์ฆ ๋ฐฉ๋ฒ•์ด์ฃ )

์ด ๋•Œ ๊ฒ€์‚ฌํ•˜๋Š” ๋กœ์ง๊ณผ ์›น ์ ‘๊ทผํ•˜๋Š” ๊ธฐ๋Šฅ์˜ ์‹œ๊ฐ„์ฐจ๋ณด๋‹ค DNS Record ์ˆ˜์ •์ด ๋ฐ˜์˜๋˜๋Š” ์‹œ๊ฐ„ ์ฐจ์ด๊ฐ€ ์งง์•„์ง€๋Š” ๊ฒฝ์šฐ ๊ฒ€์‚ฌ ๋กœ์ง๊ณผ ์›น ์š”์ฒญ ์ฒ˜๋ฆฌ ๋กœ์ง์˜ ์ตœ์ข… ๋ชฉ์ ์ง€ IP๋ฅผ ์šฐํšŒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

1414-2

## for https://sequencediagram.org
participant hahwul
participant Service
participant DNS
participant Internal Service(192.168.0.5)
hahwul->Service:domain: abcd.hahwul.com
note over Service,DNS:Check Logic(deny internal ip range)
Service->DNS:who is "abcd.hahwul.com" ?
Service<-DNS:185.199.108.153
note over Service,DNS:HTTP Request
Service->DNS:who is "abcd.hahwul.com" ?
Service<-DNS:192.168.0.5
Service->Internal Service(192.168.0.5):GET / HTTP/1.1
Service<-Internal Service(192.168.0.5):Private data
hahwul<-Service:Private data

๐Ÿ”– Hackerone reports

๐Ÿ“Œ References