A typical job in advanced internet functions is routing requests to completely different backend servers to carry out load balancing. Most frequently, a reverse proxy is used for this. Such reverse proxies work on the utility degree (over HTTP), and requests are routed primarily based on the worth of the Host header (:authority for HTTP/2) or components of the trail.
One typical misconfiguration is when the reverse proxy immediately makes use of this info because the backend deal with. This could result in server-side request forgery (SSRF) vulnerabilities that permit attackers to entry servers behind the reverse proxy and, for instance, steal info from AWS metadata. I made a decision to research related assaults on proxy setups working at different ranges/protocols – particularly, SNI proxies.
What’s TLS SNI?
Server Title Indication (SNI) is an extension of the TLS protocol that gives the inspiration of HTTPS. When a browser desires to ascertain a safe connection to a server, it initiates a TLS handshake by sending a ClientHello message. This message could comprise an SNI extension subject that features the server area identify. In its ServerHello message, the server can then return a certificates acceptable for the desired server identify. The standard use case for that is when there are a number of digital hosts behind one IP deal with.
What’s an SNI proxy?
When a reverse proxy (extra accurately, a load balancer) makes use of a worth from the SNI subject to pick out a selected backend server, we now have an SNI proxy. With the widespread use of TLS and HTTPS particularly, this method is gaining popularity. (Notice that one other which means of SNI proxy refers to the usage of such proxies to bypass censorship in some international locations.)
There are two primary choices for working an SNI proxy: with or with out SSL termination. In each instances, the SNI proxy makes use of the SNI subject worth to pick out an acceptable backend. When working with SSL termination, the TLS connection is established with the SNI proxy, after which the proxy forwards the decrypted site visitors to the backend. Within the second case, the SNI proxy forwards the complete knowledge stream, actually working extra like a TCP proxy.
A typical SNI proxy configuration
Many reverse proxies/load balancers help SNI proxy configurations, together with Nginx, Haproxy, Envoy, ATS, and others. It appears you’ll be able to even use an SNI proxy in Kubernetes.
To present an instance for Nginx, the only configuration would look as follows (notice that this requires the Nginx modules ngx_stream_core_module and ngx_stream_ssl_preread_module to work):
stream {
map $ssl_preread_server_name $targetBackend {
test1.instance.com backend1:443;
test2.instance.com backend2:9999;
}
server {
pay attention 443;
resolver 127.0.0.11;
proxy_pass $targetBackend:443;
ssl_preread on;
}
}Right here, we configure a server (TCP proxy) known as stream and allow SNI entry utilizing ssl_preread on. Relying on the SNI subject worth (in $ssl_preread_server_name), Nginx will route the entire TLS connection both to backend1 or backend2.
SNI proxy misconfigurations resulting in SSRF
The best misconfiguration that may assist you to hook up with an arbitrary backend would look one thing like this:
stream {
server {
pay attention 443;
resolver 127.0.0.11;
proxy_pass $ssl_preread_server_name:443;
ssl_preread on;
}
}Right here, the SNI subject worth is used immediately because the deal with of the backend.
With this insecure configuration, we will exploit the SSRF vulnerability just by specifying the specified IP or area identify within the SNI subject. For instance, the next command would pressure Nginx to connect with inner.host.com:
openssl s_client -connect goal.com:443 -servername "inner.host.com" -crlfUsually, in keeping with RFC 6066, IP addresses ought to not be utilized in SNI values, however in apply, we will nonetheless use them. What’s extra, we will even ship arbitrary symbols on this subject, together with null bytes, which will be helpful for exploitation. As you’ll be able to see beneath, the server identify will be modified to an arbitrary string. Although for this particular Nginx configuration, sadly, I didn’t discover a option to change the backend port:
One other class of weak configurations is much like typical HTTP reverse proxy misconfigurations and includes errors within the common expression (regex). On this instance, site visitors is forwarded to the backend if the identify supplied by way of SNI matches the regex:
stream {
map $ssl_preread_server_name $targetBackend {
~^www.instance.com $ssl_preread_server_name;
}
server {
pay attention 443;
resolver 127.0.0.11;
proxy_pass $targetBackend:443;
ssl_preread on;
}
}This regex is wrong as a result of the primary interval character in www.instance.com shouldn’t be escaped, and the expression is lacking the $ terminator on the finish. The ensuing regex matches not solely www.instance.com but in addition URLs like www.instance.com.attacker.com or wwwAexample.com. Because of this, we will carry out SSRF and hook up with an arbitrary backend. Whereas we will’t use the IP deal with immediately right here, we will bypass this restriction just by telling our DNS server that www.instance.com.attacker.com ought to resolve to 127.0.0.1.
Potential instructions for SNI proxy analysis and abuse
In a 2016 article about scanning IPv4 for open SNI proxies, researchers managed to seek out about 2500 servers with a reasonably fundamental testing method. Whereas this quantity could appear low, SNI proxy configurations have develop into extra fashionable since 2016 and are broadly supported, as evidenced even by a fast search of GitHub.
As a course for additional analysis, I can counsel a few issues to consider for configurations with out TLS termination. An SNI proxy checks solely the primary ClientHello message after which proxies all the following site visitors, even when it’s not right TLS messages. Additionally, whereas the RFC specifies which you can solely have one SNI subject, in apply, we will ship a number of completely different names (TLS-Attacker is a useful device right here). As a result of Nginx solely checks the primary worth, there might (theoretically) be an avenue to realize some extra entry if a backend accepts such a ClientHello message however then makes use of the second SNI worth.
Avoiding SNI proxy vulnerabilities
Everytime you configure a reverse proxy, try to be conscious that any misconfigurations could probably result in SSRF vulnerabilities that expose backend methods to assault. The identical applies to SNI proxies, particularly as they’re gaining recognition in large-scale manufacturing methods. Usually, to keep away from vulnerabilities when configuring a reverse proxy, you need to perceive what knowledge could possibly be managed by an attacker and keep away from utilizing it immediately in an insecure means.
