Server-side request forgery via insufficient address validation

Description

The function initializeSession of an externally opened gRPC server allows the user to establish a socket with any desired server. In particular, localhost can be accessed due to an insufficient address check, leading to a server-side request forgery vulnerability.
```typescript
const initialiseSession: RPCPromiseHandler<'initialiseSession'> = async (
  {
    receiptGenerationRequest,
    // ...
  }
) => {
  // ...
  // host and port are taken verbatim from the caller's request;
  // nothing rejects localhost or other non-global addresses here
  if (receiptGenerationRequest?.host) {
    host = receiptGenerationRequest.host
    port = receiptGenerationRequest.port
    // ...
  }
  // ...
  const { id } = await newSession({
    host,
    port,
    // ...
  })
  // ...
}

export default async function newSession({
  host,
  port,
  // ...
}: NewSessionOpts) {
  // ...
  const socket = await getSocket({ host, port, geoLocation }, logger)
  // ...
}

async function getSocket(
  {
    host,
    port,
    geoLocation,
  },
  // ...
) {
  const socket = new Socket()
  // ...
  if (!geoLocation) {
    // direct connection to whatever host/port the caller supplied
    socket.connect({ host, port })
    return socket
  }
  // ...
}
```
Impact

Arbitrary socket sends are available, allowing attackers to communicate with internal servers. This allows the following:

- The function initializeSession may be called multiple times, allowing an attacker to search for open ports on localhost (or an internal network). The Reclaim node can initiate a connection to each port and write packets with PushToSession.
Recommendations

Access to localhost and non-global IP addresses should be restricted. Care should be taken to ensure that this validation is also safe against DNS rebinding attacks.
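The following is an added example of the recommended check, written for this page and not code from the Reclaim project. It shows one way to restrict outbound sockets to global addresses while closing the DNS-rebinding window: the user-supplied host is resolved once, every returned address is classified, and the socket is opened to the pinned literal address rather than to the name. The names isGlobalAddress, resolvePinnedAddress and getSafeSocket are hypothetical, and the blocked-range list is constructed for the example (it covers loopback, RFC 1918, link-local including the cloud metadata range, CGNAT, multicast and reserved space, plus the IPv6 loopback, link-local, unique-local and IPv4-mapped forms).

```typescript
// Added example: address validation for outbound sockets (not Reclaim's code).
import * as net from 'net';
import * as dns from 'dns';

// IPv4 ranges that a user-controlled host must never reach.
// Constructed list for this example; extend as your network requires.
const BLOCKED_V4: ReadonlyArray<[string, number]> = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // RFC 1918
  ['100.64.0.0', 10],    // CGNAT shared address space
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local, incl. cloud metadata 169.254.169.254
  ['172.16.0.0', 12],    // RFC 1918
  ['192.0.0.0', 24],     // IETF protocol assignments
  ['192.168.0.0', 16],   // RFC 1918
  ['198.18.0.0', 15],    // benchmarking
  ['224.0.0.0', 3],      // multicast, reserved and broadcast (224.0.0.0 upwards)
];

// Pack dotted-quad IPv4 into an unsigned 32-bit integer.
function v4ToInt(ip: string): number {
  const p = ip.split('.').map(Number);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inV4Cidr(ip: string, base: string, prefix: number): boolean {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// Expand an IPv6 literal into its eight 16-bit groups. An embedded IPv4
// suffix (e.g. ::ffff:127.0.0.1) is folded into the last two groups.
function v6Groups(ip: string): number[] {
  let s = ip;
  if (s.includes('.')) {
    const idx = s.lastIndexOf(':');
    const v4 = v4ToInt(s.slice(idx + 1));
    s = s.slice(0, idx + 1) + (v4 >>> 16).toString(16) + ':' + (v4 & 0xffff).toString(16);
  }
  const [head, tail = ''] = s.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const zeros = s.includes('::') ? Array(8 - h.length - t.length).fill('0') : [];
  return [...h, ...zeros, ...t].map(g => parseInt(g, 16));
}

// True only for an IP literal that is routable on the public Internet.
// Anything that is not an IP literal at all is rejected too.
function isGlobalAddress(ip: string): boolean {
  const family = net.isIP(ip);
  if (family === 4) {
    return !BLOCKED_V4.some(([base, prefix]) => inV4Cidr(ip, base, prefix));
  }
  if (family === 6) {
    const g = v6Groups(ip);
    // IPv4-mapped (::ffff:a.b.c.d): judge by the embedded IPv4 address.
    if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff) {
      return isGlobalAddress([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.'));
    }
    if (g.every(x => x === 0)) return false;                          // ::   unspecified
    if (g.slice(0, 7).every(x => x === 0) && g[7] === 1) return false; // ::1  loopback
    if ((g[0] & 0xffc0) === 0xfe80) return false;                     // fe80::/10 link-local
    if ((g[0] & 0xfe00) === 0xfc00) return false;                     // fc00::/7  unique local
    if ((g[0] & 0xff00) === 0xff00) return false;                     // ff00::/8  multicast
    return true;
  }
  return false;
}

// Resolve a user-supplied host once, refuse it if *any* answer is non-global,
// and return the literal address the caller must connect to. Connecting to the
// pinned literal instead of re-resolving the name is what defeats DNS rebinding.
async function resolvePinnedAddress(host: string): Promise<string> {
  if (net.isIP(host)) {
    if (!isGlobalAddress(host)) throw new Error(`refusing non-global address ${host}`);
    return host;
  }
  const answers = await dns.promises.lookup(host, { all: true });
  if (answers.length === 0) throw new Error(`no address for ${host}`);
  const bad = answers.find(a => !isGlobalAddress(a.address));
  if (bad) throw new Error(`${host} resolves to non-global address ${bad.address}`);
  return answers[0].address;
}

// Hardened counterpart of the finding's getSocket (hypothetical shape).
async function getSafeSocket(host: string, port: number): Promise<net.Socket> {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid port ${port}`);
  }
  const address = await resolvePinnedAddress(host);
  const socket = new net.Socket();
  socket.connect({ host: address, port }); // literal address, never the name
  return socket;
}
```

Because lookup goes through getaddrinfo, the check also covers entries such as localhost in the hosts file, and a name whose answers mix public and private addresses is refused outright rather than trusted on its first answer.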
Remediation

CreatorOS Inc provided the following response:

Reclaim Protocol does not consider this as an issue at the moment since there are no protected internal services.