other.li Forum

#Sharkey #Support

Category: Fediverse with #Sharkey
Tag: sharkeysupport
23 posts, 4 commenters, 174 views
hazelnoot@enby.life:

@monkee@other.li @monkee@forum.other.li Sorry, I'm not great at explaining things. Let me lay it out like this, maybe it will make more sense:

- Alice (victim) has an instance alice.com. Located on the same machine is her personal file store, which has a web interface. The web interface is unauthenticated, so it listens on http://localhost:8080 and a reverse-proxy handles authentication.
- Mal (attacker) wants access to Alice's files. She already has an instance mal.com, so she adds a DNS A record for evil.mal.com which resolves to 127.0.0.1.
- Mal sends an ActivityPub Create(Note) activity to https://alice.com/inbox, making sure to include a media attachment with URL http://evil.mal.com:8080/api/list-files.
- Alice's instance processes the activity and finds the attachment URL. The media proxy component takes the media URL and resolves the domain, checking the returned 127.0.0.1 against the value of allowedPrivateAddresses. This check passes because 127.0.0.1/32 is included in the list, so media proxy makes a GET request to http://127.0.0.1:8080/api/list-files. This of course hits the API endpoint, returning some JSON with the file index. No authentication is required because this bypasses the reverse-proxy.
- The media server reads the Content-Type header and determines that application/json should be attached as a binary file, thus preserving it unmodified. The JSON is copied to Sharkey's local file store and given a UUID. The saved API response is then publicly accessible under the URL https://alice.com/files/{uuid}.
- Mal still doesn't know the file UUID, but that's easy to discover. She accesses https://alice.com/@mal@mal.com and scrolls to her latest post, which will include https://alice.com/files/{uuid} as the attachment URL. She downloads it and receives the file index.
- Now having a list of all files and exact URLs, she repeats the attack N times but with /api/list-files replaced with /media/{id}. Each activity she sends will then leak up to 16 media files, which allows her to quickly scrape Alice's entire file collection.

Note: this is described in terms of Sharkey instances, but works against any ActivityPub server where the private IP check is either missing or disabled by the admin.

monkee@other.li (#21):

@hazelnoot@enby.life You are excellent at explaining! I think I get it!

hazelnoot@enby.life:

@natty@astolfo.social @monkee@other.li @monkee@forum.other.li This is actually a well-known problem with ActivityPub, which is why all decent implementations have a filter for private IP ranges.

natty@astolfo.social (#22):

@hazelnoot@enby.life @monkee@other.li @monkee@forum.other.li made us immediately check if it covers IPv6


natty@astolfo.social (#23):

@hazelnoot@enby.life @monkee@other.li @monkee@forum.other.li The fuck you mean the IP sanitization library is written by whitequark, how small is this world
