Private-IP users should update to prevent their apps from spilling internal data

Vulnerable NPM security module allowed attackers to bypass SSRF defenses

A vulnerability in Private-IP, a popular open source NPM package for Node.js applications, opened the door for attackers to perform multiple server-side request forgery (SSRF) exploits, researchers have warned.

The package, which has an average of 14,000 weekly downloads, is used to check if an IP address is private and to restrict any private IP addresses from interacting with an application’s internal resources.

Private-IP was found to contain a vulnerability that could allow an attacker to continually circumvent the package’s IP-blocking mechanism and execute SSRF techniques.

Flawed logic

SSRF allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

This can result in unauthorized actions or access to data within the organization – either in the vulnerable application itself or on other backend systems that the application can communicate with.

The vulnerability in Private-IP (CVE-2020-28360) could also allow remote attackers to request server-side resources, potentially executing arbitrary code.

Using a payload containing multiple zeroes is a classic way to bypass localhost blocking when abusing SSRF vulnerabilities, a blog post explains.

The issue came down to the fact that the package’s IP-blocking mechanisms weren’t accounting for variations in payloads.

“The code logic was utilizing simple Regular Expression, therefore not accounting for variations of localhost, and other private-ip ranges, as predicted,” the researchers explained.

“This means that an attacker can obfuscate payloads or utilize ranges outside of the block list to successfully execute SSRF [protection] bypass.”

Multiple bypasses

Security researcher John Jackson, who was part of the team that discovered the bug, told The Daily Swig that the vulnerability was due to inherent flaws in the package.

“The exploitation is as simple as using variants of localhost such as http://0000.0000.0000.0000 with the desired path on the server that has issues with SSRF vulnerabilities,” he said.

“That’s just one of many payloads. The part that’s concerning is that organizations that rely on this package can fix one payload at a time, and so many other payloads will still exist to trigger the SSRF.”

If left unpatched, Jackson warns, enterprises using vulnerable versions of Private-IP as a means of preventing SSRF attacks leave themselves open to exploitation.

Update!

Following coordinated disclosure between the researchers and the maintainers of Private-IP, the issue has now been fixed.

Users are urged to update to the latest version straight away.

“Hackers attempting to [exploit] SSRF vulnerabilities will now have an exceedingly difficult time because even payloads encoded into hexadecimal, etc, will be recognized as the IP address as if it were not encoded, triggering a conditional block,” the researchers explained.
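The difference between a regex-only check and one that canonicalises the address first, as an added JavaScript example that is not Private-IP's own code: the naive function, the blocked ranges and the sample spellings are constructed for illustration, and the hardened check covers only IPv4 literals (IPv6 forms and hostnames that resolve to private addresses still need their own handling).

```javascript
// Added example, not the Private-IP package's own code: a naive regex check
// beside a hardened check that canonicalises the address before comparing it.
// Naive: matches only the plain dotted-decimal spelling of each blocked range.
const naiveIsPrivate = (host) =>
  /^(localhost|127\.\d+\.\d+\.\d+|0\.0\.0\.0|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)$/.test(host);

// Parse one dotted part as inet_aton does: 0x.. hex, leading-0 octal, else decimal.
function parsePart(p) {
  let m;
  if ((m = /^0x([0-9a-f]+)$/i.exec(p))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(p))) return parseInt(m[1], 8);
  if (/^(0|[1-9]\d*)$/.test(p)) return Number(p);
  return NaN;
}

// Turn any inet_aton-style spelling (1 to 4 parts; hex, octal or decimal) into a
// 32-bit number, or null when the string is not an IPv4 literal at all.
function toIPv4Number(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const vals = parts.map(parsePart);
  if (vals.some(Number.isNaN)) return null;
  const last = vals.pop();
  const tailBytes = 4 - vals.length; // the last part fills the remaining bytes
  if (vals.some((v) => v > 0xff) || last >= 2 ** (8 * tailBytes)) return null;
  return vals.reduce((n, v) => n * 256 + v, 0) * 256 ** tailBytes + last;
}

// Ranges a server-side fetch must not reach: 0.0.0.0/8 (treated as local by hosts),
// RFC 1918, loopback and link-local.
const BLOCKED = [['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]
  .map(([cidr, bits]) => [toIPv4Number(cidr), bits]);

function inCidr(n, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((n & mask) >>> 0) === base;
}

// Hardened: canonicalise first, so every spelling of an address is judged alike.
function isPrivate(host) {
  const h = host.trim().toLowerCase();
  if (h === 'localhost') return true;
  const n = toIPv4Number(h);
  return n !== null && BLOCKED.some(([base, bits]) => inCidr(n, base, bits));
}

// Constructed spellings of loopback, 0.0.0.0 and private hosts, plus one public host.
const SAMPLES = ['127.0.0.1', '0000.0000.0000.0000', '0x7f000001', '127.1',
  '0177.0.0.1', '2130706433', '10.1.2.3', '8.8.8.8'];
const compare = () => SAMPLES.map((s) => [s, naiveIsPrivate(s), isPrivate(s)]);
```

`compare()` returns, for each constructed spelling, the verdict of the naive check beside the hardened one; the two disagree on every non-canonical spelling of a blocked address.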
