I. VULNERABILITY
-------------------------
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) Server Side Request Forgery (SSRF)

II. CVE REFERENCE
-------------------------
CVE-2018-16794

III. VENDOR
-------------------------
https://www.microsoft.com
https://msdn.microsoft.com/en-us/library/bb897402.aspx

IV. TIMELINE
-------------------------
15/08/2018 Vulnerability discovered
18/08/2018 Vendor contacted
06/09/2018 Microsoft replied that they will fix this in the next version of Windows Server

V. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Microsoft ADFS 4.0 on Windows Server 2016 and previous versions is affected by an SSRF vulnerability. A remote attacker could force the vulnerable server to send a request to any remote server he or she wants.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path (inurl): /adfs/ls
Parameter: txtBoxEmail

The login page of ADFS is affected by the SSRF vulnerability. If the username is sent in the following format, the victim server will send out DNS queries to the xxx domain (xxx is the domain to which you want the server to send requests).

username: ssrf.xxx.com\pentest
password: (doesn't matter)

If you want to observe this request, listen with tcpdump on the DNS port of your own server (xxx) and you will see the callback request.
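A defensive check for the pattern above, added here and not part of the original advisory: it parses login records in an assumed "timestamp client_ip username" layout (constructed sample, not real ADFS log output) and flags any username whose domain component (DOMAIN\user or user@domain) lies outside an allowlist of trust names, since a foreign domain is what makes the federation server issue an outbound DNS lookup. The allowlist, record layout and sample values are all assumptions.

```python
from typing import Optional
# Constructed allowlist of trust names (FQDN or NetBIOS) the server may resolve.
TRUSTED_DOMAINS = {"corp.example.com", "CORP", "partner.example.net"}

# Constructed records in an assumed "timestamp client_ip username" layout, not
# real ADFS output; the third and fourth mimic the advisory's username format.
SAMPLE_LOG = """\
2018-08-15T10:01:02Z 10.0.0.5 CORP\\jdoe
2018-08-15T10:01:09Z 10.0.0.7 jdoe@corp.example.com
2018-08-15T10:02:30Z 203.0.113.9 ssrf.attacker-controlled.example\\pentest
2018-08-15T10:02:45Z 203.0.113.9 pentest@Lookup.Attacker-Controlled.example.
2018-08-15T10:03:00Z 10.0.0.5 .\\localadmin
"""

def split_domain(username: str) -> Optional[str]:
    """Domain part of DOMAIN\\user or user@domain; None for local or bare names."""
    if "\\" in username:
        dom = username.partition("\\")[0]
    elif "@" in username:
        dom = username.rpartition("@")[2]
    else:
        return None
    return None if dom in ("", ".") else dom  # "." means the local machine

def normalize(domain: str) -> str:
    # DNS is case-insensitive; a trailing dot only marks an absolute name.
    return domain.rstrip(".").lower()

def classify(username: str, trusted=TRUSTED_DOMAINS) -> Optional[tuple]:
    """(domain, reason) if the login names a domain outside the trust list, else None."""
    dom = split_domain(username)
    if dom is None:
        return None
    norm = normalize(dom)
    if norm in {normalize(t) for t in trusted}:
        return None
    return norm, ("FQDN outside trust list" if "." in norm else "unknown NetBIOS domain")

def scan_log(text: str, trusted=TRUSTED_DOMAINS) -> list:
    """One finding per record whose username would trigger an external lookup."""
    findings = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed record: skip rather than crash
        ts, ip, user = parts
        if hit := classify(user, trusted):
            findings.append({"time": ts, "client": ip, "user": user,
                             "domain": hit[0], "reason": hit[1]})
    return findings
```

Running `scan_log(SAMPLE_LOG)` returns the two records from 203.0.113.9, each tagged with the normalized foreign domain; correlating those with outbound DNS queries from the federation server confirms the behaviour the advisory describes.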