#Sharkey #Support
-
@monkee@other.li @monkee@forum.other.li no worries! Please feel free to reach out if you have more questions. I (fortunately / unfortunately) have a lot of experience with Sharkey's security model and requirements
@hazelnoot@enby.life @monkee@forum.other.li Subprocesses in my brain are still working on yur attack scenario from above.
How?
Need to refresh my networking knowledge, it has been a while... -
@hazelnoot@enby.life @monkee@forum.other.li Subprocesses in my brain are still working on yur attack scenario from above.
How?
Need to refresh my networking knowledge, it has been a while...@monkee@other.li @monkee@forum.other.li Sorry, I'm not great at explaining things. Let me lay it out like this, maybe it will make more sense:
- Alice (victim) has an instancealice.com. Located on the same machine is her personal file store, which has a web interface. The web interface is unauthenticated, so it listens onhttp://localhost:8080and a reverse-proxy handles authentication.
- Mal (attacker) wants access to Alice's files. She already has an instancemal.com, so she adds a DNS A record forevil.mal.comwhich resolves to127.0.0.1.
- Mal sends an ActivityPubCreate(Note)activity tohttps://alice.com/inbox, making sure to include a media attachment with URLhttp://evil.mal.com:8080/api/list-files.
- Alice's instance processes the activity and finds the attachment URL. The media proxy component takes the media URL and resolves the domain, checking the returned127.0.0.1against the value ofallowedPrivateAddresses. This check passes because127.0.0.1/32is included in the list, so media proxy makes aGETrequest tohttp://127.0.0.1:8080/api/list-files. This of course hits the API endpoint, returning some JSON with the file index. No authentication is required because this bypasses the reverse-proxy.
- The media server reads theContent-Typeheader and determines thatapplication/jsonshould be attached as a binary file, thus preserving it unmodified. The JSON is copied to Sharkey's local file store and given a UUID. The saved API response is then publicly accessible under the URLhttps://alice.com/files/{uuid}.
- Mal still doesn't know the file UUID, but that's easy to discover. She accesseshttps://alice.com/@mal@mal.comand scrolls to her latest post, which will includehttps://alice.com/files/{uuid}as the attachment URL. She downloads it and receives the file index.
- Now having a list of all files and exact URLs, she repeats the attack N times but with/api/list-filesreplaced with/media/{id}. Each activity she sends will then leak up to 16 media files, which allows her to quickly scrape Alice's entire file collection.
Note: this is described in terms of Sharkey instances, but works against any ActivityPub server where the private IP check is either missing or disabled by the admin. -
@monkee@other.li @monkee@forum.other.li Sorry, I'm not great at explaining things. Let me lay it out like this, maybe it will make more sense:
- Alice (victim) has an instancealice.com. Located on the same machine is her personal file store, which has a web interface. The web interface is unauthenticated, so it listens onhttp://localhost:8080and a reverse-proxy handles authentication.
- Mal (attacker) wants access to Alice's files. She already has an instancemal.com, so she adds a DNS A record forevil.mal.comwhich resolves to127.0.0.1.
- Mal sends an ActivityPubCreate(Note)activity tohttps://alice.com/inbox, making sure to include a media attachment with URLhttp://evil.mal.com:8080/api/list-files.
- Alice's instance processes the activity and finds the attachment URL. The media proxy component takes the media URL and resolves the domain, checking the returned127.0.0.1against the value ofallowedPrivateAddresses. This check passes because127.0.0.1/32is included in the list, so media proxy makes aGETrequest tohttp://127.0.0.1:8080/api/list-files. This of course hits the API endpoint, returning some JSON with the file index. No authentication is required because this bypasses the reverse-proxy.
- The media server reads theContent-Typeheader and determines thatapplication/jsonshould be attached as a binary file, thus preserving it unmodified. The JSON is copied to Sharkey's local file store and given a UUID. The saved API response is then publicly accessible under the URLhttps://alice.com/files/{uuid}.
- Mal still doesn't know the file UUID, but that's easy to discover. She accesseshttps://alice.com/@mal@mal.comand scrolls to her latest post, which will includehttps://alice.com/files/{uuid}as the attachment URL. She downloads it and receives the file index.
- Now having a list of all files and exact URLs, she repeats the attack N times but with/api/list-filesreplaced with/media/{id}. Each activity she sends will then leak up to 16 media files, which allows her to quickly scrape Alice's entire file collection.
Note: this is described in terms of Sharkey instances, but works against any ActivityPub server where the private IP check is either missing or disabled by the admin.@monkee@other.li @monkee@forum.other.li there's also a related attack that allows an attacker to make
POSTrequests to a private IP range, but it's substantially harder to pull off and is unlikely to work except in contrived cases. I'm not even sure how to write an example for it. -
@monkee@other.li @monkee@forum.other.li Sorry, I'm not great at explaining things. Let me lay it out like this, maybe it will make more sense:
- Alice (victim) has an instancealice.com. Located on the same machine is her personal file store, which has a web interface. The web interface is unauthenticated, so it listens onhttp://localhost:8080and a reverse-proxy handles authentication.
- Mal (attacker) wants access to Alice's files. She already has an instancemal.com, so she adds a DNS A record forevil.mal.comwhich resolves to127.0.0.1.
- Mal sends an ActivityPubCreate(Note)activity tohttps://alice.com/inbox, making sure to include a media attachment with URLhttp://evil.mal.com:8080/api/list-files.
- Alice's instance processes the activity and finds the attachment URL. The media proxy component takes the media URL and resolves the domain, checking the returned127.0.0.1against the value ofallowedPrivateAddresses. This check passes because127.0.0.1/32is included in the list, so media proxy makes aGETrequest tohttp://127.0.0.1:8080/api/list-files. This of course hits the API endpoint, returning some JSON with the file index. No authentication is required because this bypasses the reverse-proxy.
- The media server reads theContent-Typeheader and determines thatapplication/jsonshould be attached as a binary file, thus preserving it unmodified. The JSON is copied to Sharkey's local file store and given a UUID. The saved API response is then publicly accessible under the URLhttps://alice.com/files/{uuid}.
- Mal still doesn't know the file UUID, but that's easy to discover. She accesseshttps://alice.com/@mal@mal.comand scrolls to her latest post, which will includehttps://alice.com/files/{uuid}as the attachment URL. She downloads it and receives the file index.
- Now having a list of all files and exact URLs, she repeats the attack N times but with/api/list-filesreplaced with/media/{id}. Each activity she sends will then leak up to 16 media files, which allows her to quickly scrape Alice's entire file collection.
Note: this is described in terms of Sharkey instances, but works against any ActivityPub server where the private IP check is either missing or disabled by the admin.@hazelnoot@enby.life @monkee@other.li @monkee@forum.other.li you mean a SSRF?
-
@hazelnoot@enby.life @monkee@other.li @monkee@forum.other.li you mean a SSRF?
@natty@astolfo.social @monkee@other.li @monkee@forum.other.li yes, it's a type of SSRF
-
@natty@astolfo.social @monkee@other.li @monkee@forum.other.li yes, it's a type of SSRF
@natty@astolfo.social @monkee@other.li @monkee@forum.other.li sorry I forgot the word lol
-
@natty@astolfo.social @monkee@other.li @monkee@forum.other.li yes, it's a type of SSRF
@natty@astolfo.social @monkee@other.li @monkee@forum.other.li This is actually a well-known problem with ActivityPub, which is why all decent implementations have a filter for private IP ranges.
-
@monkee@other.li @monkee@forum.other.li Sorry, I'm not great at explaining things. Let me lay it out like this, maybe it will make more sense:
- Alice (victim) has an instancealice.com. Located on the same machine is her personal file store, which has a web interface. The web interface is unauthenticated, so it listens onhttp://localhost:8080and a reverse-proxy handles authentication.
- Mal (attacker) wants access to Alice's files. She already has an instancemal.com, so she adds a DNS A record forevil.mal.comwhich resolves to127.0.0.1.
- Mal sends an ActivityPubCreate(Note)activity tohttps://alice.com/inbox, making sure to include a media attachment with URLhttp://evil.mal.com:8080/api/list-files.
- Alice's instance processes the activity and finds the attachment URL. The media proxy component takes the media URL and resolves the domain, checking the returned127.0.0.1against the value ofallowedPrivateAddresses. This check passes because127.0.0.1/32is included in the list, so media proxy makes aGETrequest tohttp://127.0.0.1:8080/api/list-files. This of course hits the API endpoint, returning some JSON with the file index. No authentication is required because this bypasses the reverse-proxy.
- The media server reads theContent-Typeheader and determines thatapplication/jsonshould be attached as a binary file, thus preserving it unmodified. The JSON is copied to Sharkey's local file store and given a UUID. The saved API response is then publicly accessible under the URLhttps://alice.com/files/{uuid}.
- Mal still doesn't know the file UUID, but that's easy to discover. She accesseshttps://alice.com/@mal@mal.comand scrolls to her latest post, which will includehttps://alice.com/files/{uuid}as the attachment URL. She downloads it and receives the file index.
- Now having a list of all files and exact URLs, she repeats the attack N times but with/api/list-filesreplaced with/media/{id}. Each activity she sends will then leak up to 16 media files, which allows her to quickly scrape Alice's entire file collection.
Note: this is described in terms of Sharkey instances, but works against any ActivityPub server where the private IP check is either missing or disabled by the admin.@hazelnoot@enby.life You are excellent at explaining! I think i get it!
-
@natty@astolfo.social @monkee@other.li @monkee@forum.other.li This is actually a well-known problem with ActivityPub, which is why all decent implementations have a filter for private IP ranges.
@hazelnoot@enby.life @monkee@other.li @monkee@forum.other.li made us immediately check if it covers IPv6
-
@hazelnoot@enby.life @monkee@other.li @monkee@forum.other.li made us immediately check if it covers IPv6
@hazelnoot@enby.life @monkee@other.li @monkee@forum.other.li The fuck you mean the IP sanitization library is written by whitequark, how small is this world
