Blind SSRF to internal services in matrix preview_link API
High
Reddit
Team Summary
Official summary from Reddit
Matrix Chat endpoint at https://matrix.redditspace.com/_matrix/media/r0/preview_url/?url=* allowed partially blind SSRF to internal services. The data that could be exfiltrated was limited only to the service names and their IPs before a fix was implemented. This endpoint should not be able to query internal services, but external IPs, domains and services are fine for this to query.
Reported by
la_revoltage
Vulnerability Details
## Summary:
Reddit's new chat is based on Matrix software, which has preview_link functionality that doesn't filter the URL before sending the request.
## Impact:
An attacker can enumerate services by grabbing og:title and port scanning; RCE escalation is also possible (asking for permission on this one).
## Steps To Reproduce:
1. Visit https://matrix.redditspace.com/_matrix/media/r0/preview_url/?url=*
2. Replace * with http://██████ to get og:title ███████
3. Replace * with http://█████████ to get og:title ███████
4. Replace * with http://██████████ to get og:title ██████
5. Replace * with ████████ to get og:title █████████
Note: If the request is stuck and does not respond within 2 seconds, reload the page until it does.
## Permit for escalation attempt?
Since the ███ URL is accessible, it may be possible to run ███:
GET █████████
There are also possibilities to test ██████, but I thought it would be incorrect to do such activity without permission, and as such I am reporting the vulnerability in this state. I therefore also request permission to try to escalate this to Critical.
## Impact
An attacker can enumerate services and launch attacks against them.
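The fix the team summary describes (refuse internal destinations, allow external ones) as an added Python example; this is not Reddit's or Synapse's code, and the blocked ranges, the `check_preview_url` name and the injectable `resolver` are assumptions for illustration:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a link-preview fetcher must never reach: loopback, RFC 1918,
# link-local (cloud metadata endpoints live there), CGNAT and IPv6 equivalents.
# This list is an assumed policy for the example, not a real deployment's.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_ip(ip):
    """True if the address is in a blocked range, multicast or reserved."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return (any(addr in net for net in BLOCKED_NETWORKS)
            or addr.is_multicast or addr.is_reserved)

def resolve_host(host):
    """Return every address the name resolves to; an IP literal is returned as-is."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_preview_url(url, resolver=resolve_host):
    """Return (allowed, reason, ips); allowed only if every address is external.
    The fetcher must then connect to one of the checked ips rather than
    re-resolving the name, and re-run this check on every redirect, or DNS
    rebinding and a 302 to 127.0.0.1 bypass the filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "no host", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []  # e.g. http://trusted.example@10.0.0.1/
    try:
        ips = resolver(parts.hostname)
    except (socket.gaierror, UnicodeError, ValueError):
        return False, "unresolvable host", []
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"resolves to internal address {ip}", ips
    return True, "ok", ips
```

The check runs on resolved addresses rather than on the hostname string, so decimal, octal or IPv4-mapped spellings of an internal address are caught the same way as a plain one.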
Report Details
State
Closed
Substate
Resolved
Bounty
$6000.00
Weakness
Server-Side Request Forgery (SSRF)