Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite

Introduction:

Part 1: Deep dive into the app!

  • Chats/Messaging — Many modern chat features render a preview of any link sent in chat.
  • PDF/File Conversion features — Any feature that offers converting user-controlled content to file types like PDF. Definitely check out Owning the clout through SSRF and PDF Generators if you haven’t already.
  • File Uploads — Any form of file upload. Crafted SVG files, for example, can result in SSRF if they are rendered server-side. Upload Scanner is a great Burp (Pro only) extension that can help with finding these vulnerabilities in uploads.
  • Import from file — Features that let you “import content from” files: Excel docs, Word docs, Zip files, etc. These often require some form of server-side processing. Office docs like Excel and Word are basically archives containing multiple XML files. Modifying the XML files can result in XXE/SSRF when the document gets processed server-side.
  • Hidden Stuff — SSRF can be found in hidden parameters or requests that aren’t glaringly obvious just by using the application. It’s important to go through the Burp Proxy logs and manually look for any request that may be returning data from a URL. The Param Miner Burp (free) extension is useful for finding hidden parameters/functionality.
[Figure: Lark Wiki import from docs option]

Part 2: Testing the Import from docs feature

[Figure: Inside of a Confluence export ZIP]
[Figure: HTML snippet of an image in the exported Confluence page]
[Figure: The generated Lark Wiki page, containing a downloadable attachment with the Collaborator response]

Part 3: Bypassing the protections

  • Set up a redirect script that will 302 redirect traffic from my server to the AWS metadata URL…
  • Modify the Confluence page’s image URL to point at my server…
  • Save/import the zip to Lark and hope the redirect is followed…
  • If the redirect is followed and bypasses their protections, an attachment gets generated with the contents of their metadata URL.
[Figure: the light bulb moment]
[Figure: nslookup example of DNS rebinding]
[Figure: The final generated Lark Wiki page, containing AWS credentials as a downloadable attachment]
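As an added example that is not part of the original post or of Lark’s own code, here is a server-side fetch check in Python that closes the two gaps the steps above rely on: the HTTP client follows no redirects itself and every Location target is re-validated, and the resolved IP is pinned so a DNS answer cannot change between the check and the connection (the rebinding window). The `resolver` and `fetch` callbacks are assumptions so that the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_HOPS = 3  # redirects an importer is allowed to follow

def system_resolver(host):
    """Every A/AAAA answer for host, as strings (live DNS)."""
    return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})

def check_url(url, resolver=system_resolver):
    """Validate one URL; return the single IP the fetch must connect to.

    Every address the name resolves to must be globally routable, which
    rejects 169.254.169.254 (AWS metadata), loopback and RFC 1918 space.
    Returning the vetted IP lets the caller connect to that address and
    set the Host header itself, so no second lookup ever happens.
    """
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        raise ValueError(f"unsupported URL: {url}")
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise ValueError(f"no address for {host}")
    for ip in ips:
        if not ipaddress.ip_address(ip).is_global:
            raise ValueError(f"{url} resolves to non-public {ip}")
    return ips[0]

def safe_fetch(url, fetch, resolver=system_resolver, max_hops=MAX_HOPS):
    """Fetch url with client-side redirects disabled and every hop re-checked.

    fetch(url, pinned_ip) is supplied by the caller (assumed interface),
    must NOT follow redirects itself, and returns (status, headers, body).
    Each Location target is resolved and checked exactly like the first
    URL, so a 302 from a public host to an internal address is refused.
    """
    for _ in range(max_hops + 1):
        pinned_ip = check_url(url, resolver)
        status, headers, body = fetch(url, pinned_ip)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers.get("Location", ""))
    raise ValueError(f"more than {max_hops} redirects from {url}")
```

The real `fetch` callback has to open its socket to `pinned_ip` and send the original hostname as the Host header (and as SNI for https); how that is done depends on the HTTP client in use, so it is left to the caller here.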
