exploit the possibilities

Microsoft ADFS 4.0 Windows Server 2016 Server Side Request Forgery

Microsoft ADFS 4.0 Windows Server 2016 Server Side Request Forgery
Posted Sep 14, 2018
Authored by Alphan Yavas

Microsoft ADFS 4.0 Windows Server 2016 suffers from a server-side request forgery issue.

tags | advisory
systems | windows
advisories | CVE-2018-16794
MD5 | b9b1736724cd7a4fe104163dea8f32ad

Microsoft ADFS 4.0 Windows Server 2016 Server Side Request Forgery

Change Mirror Download
I. VULNERABILITY
-------------------------
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory
Federation Services) Server Side Request Forgery (SSRF)

II. CVE REFERENCE
-------------------------
CVE-2018-16794

III. VENDOR
-------------------------
https://www.microsoft.com
https://msdn.microsoft.com/en-us/library/bb897402.aspx

IV. TIMELINE
-------------------------
15/08/2018 Vulnerability discovered
18/08/2018 Vendor contacted
06/09/2018 Microsoft replay that will fix this in the next version of
Windows Server

V. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Microsoft ADFS 4.0 Windows Server 2016 and previous versions affected
from SSRF vulnerability. A remote attacker could force the vulnerable
server to send request to any remote server s/he wants.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path(inurl): /adfs/ls
Parameter: txtBoxEmail

Login page of ADFS affected from SSRF vulnerability. If username is
being sent with following format victim server will send out DNS
queries to xxx domain. (xxx is the domain which you want to send
request from server)

username: ssrf.xxx.com\pentest
password: (doesn't matter)

If you want to listen this request you must listen with tcpdump to dns
port your own server(xxx) and you can see callback request.

--









Bu mesaj ve ekleri, mesajda
gAPnderildiAi belirtilen
kiAi/kiAilere APzeldir ve gizlidir. Bu mesaj
herhangi bir amaASS iASSin
ASSoAaltA+-lamaz, daAA+-tA+-lamaz ve yayA+-nlanamaz.
MesajA+-n gAPnderildiAi kiAi
deAilseniz, mesaj iASSeriAini ya da eklerini
kopyalamayA+-nA+-z, yayA+-nlamayA+-nA+-z
ya da baAka kiAilere yAPnlendirmeyiniz ve
mesajA+- gAPnderen kiAiyi derhal
uyararak bu mesajA+- siliniz. Airketimiz,
mesajA+-n iASSeriAinin ve eklerinin
size deAiAikliAe uArayarak veya geASS
ulaAmasA+-ndan; gizliliAinin
korunmamasA+-ndan; virA1/4s iASSermesinden ve
bilgisayar sisteminize verebileceAi
herhangi bir zarardan sorumlu
deAildir


This message and its
attachments
are confidential and intended solely for the recipient(s)
stated therein.
This message cannot be copied, distributed or published
for any purpose.
If you are not the intended recipient, please do not
copy, publish or
forward the information existing in the content and
attachments of this
message. In such case please notify the sender
immediately and delete all
the copies of the message. Our company shall
have no liability for any
changes in or late receiving of the message,
loss of integrity and
confidentiality, viruses and any damages caused in
anyway to your computer
system based on this message.



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    15 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close