利用DNS缓存和TLS协议将受限SSRF变为通用SSRF技术分析<\/h1>

前言<\/h2>
本文基于BlackHat 2020议题《When TLS Hacks You》的技术内容，详细分析如何结合DNS缓存和TLS会话恢复机制，将受限的SSRF漏洞转变为通用SSRF攻击的技术原理、实现方法和防御措施。<\/p>

背景知识<\/h2>

SSRF概述<\/h3>

原理<\/strong>：服务端提供了从其他服务器获取数据的功能，但未对目标地址做严格过滤与限制，导致攻击者可传入任意地址让后端服务器发起请求。<\/p>

危害<\/strong>：<\/p>

内网\/本地端口扫描，获取开放端口信息<\/li>
主机信息收集，Web应用指纹识别<\/li>
针对特定应用发送payload攻击(如Struts2)<\/li>
攻击内网和本地应用程序及服务<\/li>
穿越防火墙<\/li>
利用file协议读取本地文件<\/li> <\/ul>
常用协议<\/strong>：<\/p>

协议名称<\/th> 简介<\/th> <\/tr> <\/thead>

Gopher<\/td> 攻击内部应用的主力军<\/td> <\/tr>
Dict<\/td> 端口探测，版本信息收集<\/td> <\/tr>
ftp<\/td> 探测是否存在ftp服务<\/td> <\/tr>
http<\/td> 探测是否存在SSRF<\/td> <\/tr>
file<\/td> 读取本地文件<\/td> <\/tr> <\/tbody> <\/table>
注：JDK 1.7后不再支持Gopher协议<\/em><\/p>
防御手段<\/strong>：<\/p>

禁止跳转<\/li>
过滤返回信息<\/li>
禁用不需要的协议<\/li>
设置URL白名单或限制内网IP<\/li>
限制请求端口为HTTP常用端口<\/li>
统一错误信息<\/li>
请求资源前先访问DNS服务器判断是否为内网IP<\/li> <\/ul>
DNS重绑定技术<\/h3>
针对"请求资源前先访问DNS服务器判断是否为内网IP"这一防御手段的绕过技术。<\/p>
TTL(Time-To-Live)<\/strong>：<\/p>

DNS记录在DNS服务器上的缓存时间<\/li>
数值越小，修改记录各地生效时间越快<\/li>
设置为0表示不缓存<\/li> <\/ul>
DNS解析流程<\/strong>：<\/p>

检查浏览器缓存<\/li>
检查本机系统缓存(如HOSTS文件)<\/li>
向本地域名解析服务系统发起请求<\/li>
递归查询运营商DNS → 根域名服务器 → 顶级域名服务器 → NS域名服务器<\/li>
NS返回IP地址给本地服务器，本地服务器缓存解析结果(TTL)<\/li>
解析结果返回用户，建立TCP通信<\/li> <\/ol>
DNS重绑定<\/strong>：<\/p>

第一次DNS查询返回IP地址A<\/li>
第二次DNS查询返回不同于A的IP地址B<\/li>
利用检查逻辑与请求间隔的差异实现绕过<\/li> <\/ul>
技术实现<\/h2>
实验设置<\/h3>

DNS服务器配置<\/strong>：<\/p>

设置域名的A记录及NS记录<\/li>
指定DNS服务器为攻击者搭建的服务器<\/li> <\/ul> <\/li>

DNS服务代码<\/strong>：<\/p> <\/li> <\/ol>
from<\/span> twisted.internet import<\/span> reactor, defer <\/span><\/span>from<\/span> twisted.names import<\/span> client, dns, error, server <\/span><\/span> <\/span><\/span>record=<\/span>{} <\/span><\/span> <\/span><\/span>class<\/span> DynamicResolver<\/span>(object): <\/span><\/span> def<\/span> _doDynamicResponse<\/span>(self, query): <\/span><\/span> name =<\/span> query.<\/span>name.<\/span>name <\/span><\/span> if<\/span> name not<\/span> in<\/span> record or<\/span> record[name]<<\/span>1<\/span>: <\/span><\/span> ip=<\/span>"106.56.229.29"<\/span> # 外网IP<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> ip=<\/span>"127.0.0.1"<\/span> <\/span><\/span> if<\/span> name not<\/span> in<\/span> record: <\/span><\/span> record[name]=<\/span>0<\/span> <\/span><\/span> record[name]+=<\/span>1<\/span> <\/span><\/span> print name+<\/span>" ===> "<\/span>+<\/span>ip <\/span><\/span> answer =<\/span> dns.<\/span>RRHeader( <\/span><\/span> name=<\/span>name, <\/span><\/span> type=<\/span>dns.<\/span>A, <\/span><\/span> cls=<\/span>dns.<\/span>IN, <\/span><\/span> ttl=<\/span>0<\/span>, # TTL设置为0<\/span> <\/span><\/span> payload=<\/span>dns.<\/span>Record_A(address=<\/span>b<\/span>'<\/span>%s<\/span>'<\/span>%<\/span>ip,ttl=<\/span>0<\/span>) <\/span><\/span> ) <\/span><\/span> answers =<\/span> [answer] <\/span><\/span> authority =<\/span> [] <\/span><\/span> additional =<\/span> [] <\/span><\/span> return<\/span> answers, authority, additional <\/span><\/span> <\/span><\/span> def<\/span> query<\/span>(self, query, timeout=<\/span>None<\/span>): <\/span><\/span> return<\/span> defer.<\/span>succeed(self.<\/span>_doDynamicResponse(query)) <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> factory =<\/span> server.<\/span>DNSServerFactory( <\/span><\/span> clients=<\/span>[DynamicResolver(), client.<\/span>Resolver(resolv=<\/span>'\/etc\/resolv.conf'<\/span>)] <\/span><\/span> ) <\/span><\/span> protocol =<\/span> dns.<\/span>DNSDatagramProtocol(controller=<\/span>factory) <\/span><\/span> reactor.<\/span>listenUDP(53<\/span>, protocol) <\/span><\/span> reactor.<\/span>run() <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> raise<\/span> SystemExit<\/span>(main()) <\/span><\/span><\/code><\/pre>TLS会话恢复机制<\/h3> 完整TLS握手<\/strong>：<\/p> Client发送ClientHello<\/li> Server回复ServerHello<\/li> Client回复最终确定的Key，Finished<\/li> Server回复Finished<\/li> 握手完毕，Client发送加密HTTP请求<\/li> Server回复加密HTTP响应<\/li> <\/ol> 花费2RTT(Round-Trip-Time)<\/em><\/p> 优化方案<\/strong>：<\/p> Session ID<\/strong>：<\/p> 服务端记住会话状态<\/li> 客户端发送带session id的client hello<\/li> 服务端返回之前存储的SSL会话<\/li> <\/ul> <\/li> Session Ticket<\/strong>：<\/p> 客户端记住会话状态<\/li> 服务端记住用于加密返回给客户端的ticket的密钥<\/li> <\/ul> <\/li> PSK(Pre-Shared Key)<\/strong>：<\/p> 首次建立会话时生成PSK<\/li> 服务器用ticket key加密PSK作为Session Ticket返回<\/li> <\/ul> <\/li> <\/ol> 注：session id只能存放32字节payload，session ticket能放更多字节<\/em><\/p> HTTPS协议实现(CURL)<\/h3> 在curl实现中只检查域名、端口和协议，未检查IP，因此可利用DNS重绑定绕过。<\/p> 攻击方法<\/h2> 攻击条件<\/h3> 受限的SSRF漏洞<\/li> 带外通信的TLS session<\/li> 本地端口上运行的应用<\/li> <\/ol> 实际漏洞案例<\/h3> Youtrack - CVE-2019-12852<\/li> Nextcloud - 分享功能造成的SSRF，使用TLS重绑定攻击本地memcached<\/li> <\/ol> 攻击面<\/h3> OIDC discovery<\/li> Webpush<\/li> Webmention<\/li> Apple Pay Web<\/li> Wifi captive portals<\/li> SSDP<\/li> SVG conversion<\/li> URL-based XXE<\/li> Scraping<\/li> Webhooks<\/li> PDF renderers with images enabled<\/li> <\/ul> 攻击流程(Demo: Phishing→CSRF→RCE)<\/h3> 攻击者制作钓鱼邮件，内容标签指向攻击者网站(如ssltest.jmaddux.com:11211)<\/li> 受害者打开邮件，请求域名<\/li> 客户端向攻击者DNS服务器请求解析<\/li> DNS服务器返回正常TLS Server地址，TTL=0<\/li> 客户端发送Client Hello<\/li> 服务端返回Server Hello，在session id\/ticket\/psk字段设置payload<\/li> 完成TLS握手<\/li> 网站返回301跳转到ssltest.jmaddux.com:11211<\/li> 由于TTL=0，客户端再次询问DNS<\/li> DNS返回127.0.0.1<\/li> 客户端使用带有payload的SSL会话缓存访问127.0.0.1:11211<\/li> payload加载完成实现RCE<\/li> <\/ol> 防御措施<\/h2> 技术层面<\/h3> 改变TLS缓存key值<\/strong>：<\/p> 当前：(hostname, port)<\/li> 建议：(hostname, port, ip_addr)或(hostname, port, addr_type(ip_addr))<\/li> <\/ul> <\/li> 禁用带外通信时的TLS session resumption<\/strong>：<\/p> libcurl: CURLOPT_SSL_SESSIONID_CACHE=false<\/code><\/li> Firefox: security.ssl.disable_session_identifiers=true<\/code><\/li> Tor browser: 默认禁用<\/li> Java, Nodejs, Chrome等: 无选项<\/li> <\/ul> <\/li> Web应用防御<\/strong>：<\/p> 关注webhooks, apple pay等应用<\/li> 对出站请求设置代理监控(如smokescreen工具)<\/li> 阻止未经验证的内部TCP内容运行，特别是带换行符的内容<\/li> <\/ul> <\/li> <\/ol> 替代方案<\/h3> 杜绝DNS重绑定：第一次解析后直接使用解析返回的IP替换域名访问URL<\/li> <\/ul> 总结与思考<\/h2> 技术启示：<\/p> HTTPS本为防止中间人攻击的安全协议，却因优化算法成为攻击媒介<\/li> 安全开销与时间开销的平衡问题<\/li> <\/ul> <\/li> 关键结论：<\/p> TLS对SSRF攻击有重要利用价值<\/li> 需要持续关注最新技术手段以打破常规<\/li> 必须认真权衡TLS会话重用的利弊<\/li> <\/ul> <\/li> 研究方向：<\/p> 建设更好的测试基础设施<\/li> 开发Alternating DNS Server、Custom TLS等工具<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> TLS-poison GitHub项目<\/a><\/li> PortSwigger相关报道<\/a><\/li> Security Boulevard报道<\/a><\/li> DEF CON演讲信息<\/a><\/li> TLS会话恢复技术文档<\/a><\/li> <\/ol>

协议名称<\/th>	简介<\/th> <\/tr> <\/thead>
Gopher<\/td>	攻击内部应用的主力军<\/td> <\/tr>
Dict<\/td>	端口探测，版本信息收集<\/td> <\/tr>
ftp<\/td>	探测是否存在ftp服务<\/td> <\/tr>
http<\/td>	探测是否存在SSRF<\/td> <\/tr>
file<\/td>	读取本地文件<\/td> <\/tr> <\/tbody> <\/table> 注：JDK 1.7后不再支持Gopher协议<\/em><\/p> 防御手段<\/strong>：<\/p> 禁止跳转<\/li> 过滤返回信息<\/li> 禁用不需要的协议<\/li> 设置URL白名单或限制内网IP<\/li> 限制请求端口为HTTP常用端口<\/li> 统一错误信息<\/li> 请求资源前先访问DNS服务器判断是否为内网IP<\/li> <\/ul> DNS重绑定技术<\/h3> 针对"请求资源前先访问DNS服务器判断是否为内网IP"这一防御手段的绕过技术。<\/p> TTL(Time-To-Live)<\/strong>：<\/p> DNS记录在DNS服务器上的缓存时间<\/li> 数值越小，修改记录各地生效时间越快<\/li> 设置为0表示不缓存<\/li> <\/ul> DNS解析流程<\/strong>：<\/p> 检查浏览器缓存<\/li> 检查本机系统缓存(如HOSTS文件)<\/li> 向本地域名解析服务系统发起请求<\/li> 递归查询运营商DNS → 根域名服务器 → 顶级域名服务器 → NS域名服务器<\/li> NS返回IP地址给本地服务器，本地服务器缓存解析结果(TTL)<\/li> 解析结果返回用户，建立TCP通信<\/li> <\/ol> DNS重绑定<\/strong>：<\/p> 第一次DNS查询返回IP地址A<\/li> 第二次DNS查询返回不同于A的IP地址B<\/li> 利用检查逻辑与请求间隔的差异实现绕过<\/li> <\/ul> 技术实现<\/h2> 实验设置<\/h3> DNS服务器配置<\/strong>：<\/p> 设置域名的A记录及NS记录<\/li> 指定DNS服务器为攻击者搭建的服务器<\/li> <\/ul> <\/li> DNS服务代码<\/strong>：<\/p> <\/li> <\/ol> from<\/span> twisted.internet import<\/span> reactor, defer <\/span><\/span>from<\/span> twisted.names import<\/span> client, dns, error, server <\/span><\/span> <\/span><\/span>record=<\/span>{} <\/span><\/span> <\/span><\/span>class<\/span> DynamicResolver<\/span>(object): <\/span><\/span> def<\/span> _doDynamicResponse<\/span>(self, query): <\/span><\/span> name =<\/span> query.<\/span>name.<\/span>name <\/span><\/span> if<\/span> name not<\/span> in<\/span> record or<\/span> record[name]<<\/span>1<\/span>: <\/span><\/span> ip=<\/span>"106.56.229.29"<\/span> # 外网IP<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> ip=<\/span>"127.0.0.1"<\/span> <\/span><\/span> if<\/span> name not<\/span> in<\/span> record: <\/span><\/span> record[name]=<\/span>0<\/span> <\/span><\/span> record[name]+=<\/span>1<\/span> <\/span><\/span> print name+<\/span>" ===> "<\/span>+<\/span>ip <\/span><\/span> answer =<\/span> dns.<\/span>RRHeader( <\/span><\/span> name=<\/span>name, <\/span><\/span> type=<\/span>dns.<\/span>A, <\/span><\/span> cls=<\/span>dns.<\/span>IN, <\/span><\/span> ttl=<\/span>0<\/span>, # TTL设置为0<\/span> <\/span><\/span> payload=<\/span>dns.<\/span>Record_A(address=<\/span>b<\/span>'<\/span>%s<\/span>'<\/span>%<\/span>ip,ttl=<\/span>0<\/span>) <\/span><\/span> ) <\/span><\/span> answers =<\/span> [answer] <\/span><\/span> authority =<\/span> [] <\/span><\/span> additional =<\/span> [] <\/span><\/span> return<\/span> answers, authority, additional <\/span><\/span> <\/span><\/span> def<\/span> query<\/span>(self, query, timeout=<\/span>None<\/span>): <\/span><\/span> return<\/span> defer.<\/span>succeed(self.<\/span>_doDynamicResponse(query)) <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> factory =<\/span> server.<\/span>DNSServerFactory( <\/span><\/span> clients=<\/span>[DynamicResolver(), client.<\/span>Resolver(resolv=<\/span>'\/etc\/resolv.conf'<\/span>)] <\/span><\/span> ) <\/span><\/span> protocol =<\/span> dns.<\/span>DNSDatagramProtocol(controller=<\/span>factory) <\/span><\/span> reactor.<\/span>listenUDP(53<\/span>, protocol) <\/span><\/span> reactor.<\/span>run() <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> raise<\/span> SystemExit<\/span>(main()) <\/span><\/span><\/code><\/pre>TLS会话恢复机制<\/h3> 完整TLS握手<\/strong>：<\/p> Client发送ClientHello<\/li> Server回复ServerHello<\/li> Client回复最终确定的Key，Finished<\/li> Server回复Finished<\/li> 握手完毕，Client发送加密HTTP请求<\/li> Server回复加密HTTP响应<\/li> <\/ol> 花费2RTT(Round-Trip-Time)<\/em><\/p> 优化方案<\/strong>：<\/p> Session ID<\/strong>：<\/p> 服务端记住会话状态<\/li> 客户端发送带session id的client hello<\/li> 服务端返回之前存储的SSL会话<\/li> <\/ul> <\/li> Session Ticket<\/strong>：<\/p> 客户端记住会话状态<\/li> 服务端记住用于加密返回给客户端的ticket的密钥<\/li> <\/ul> <\/li> PSK(Pre-Shared Key)<\/strong>：<\/p> 首次建立会话时生成PSK<\/li> 服务器用ticket key加密PSK作为Session Ticket返回<\/li> <\/ul> <\/li> <\/ol> 注：session id只能存放32字节payload，session ticket能放更多字节<\/em><\/p> HTTPS协议实现(CURL)<\/h3> 在curl实现中只检查域名、端口和协议，未检查IP，因此可利用DNS重绑定绕过。<\/p> 攻击方法<\/h2> 攻击条件<\/h3> 受限的SSRF漏洞<\/li> 带外通信的TLS session<\/li> 本地端口上运行的应用<\/li> <\/ol> 实际漏洞案例<\/h3> Youtrack - CVE-2019-12852<\/li> Nextcloud - 分享功能造成的SSRF，使用TLS重绑定攻击本地memcached<\/li> <\/ol> 攻击面<\/h3> OIDC discovery<\/li> Webpush<\/li> Webmention<\/li> Apple Pay Web<\/li> Wifi captive portals<\/li> SSDP<\/li> SVG conversion<\/li> URL-based XXE<\/li> Scraping<\/li> Webhooks<\/li> PDF renderers with images enabled<\/li> <\/ul> 攻击流程(Demo: Phishing→CSRF→RCE)<\/h3> 攻击者制作钓鱼邮件，内容标签指向攻击者网站(如ssltest.jmaddux.com:11211)<\/li> 受害者打开邮件，请求域名<\/li> 客户端向攻击者DNS服务器请求解析<\/li> DNS服务器返回正常TLS Server地址，TTL=0<\/li> 客户端发送Client Hello<\/li> 服务端返回Server Hello，在session id\/ticket\/psk字段设置payload<\/li> 完成TLS握手<\/li> 网站返回301跳转到ssltest.jmaddux.com:11211<\/li> 由于TTL=0，客户端再次询问DNS<\/li> DNS返回127.0.0.1<\/li> 客户端使用带有payload的SSL会话缓存访问127.0.0.1:11211<\/li> payload加载完成实现RCE<\/li> <\/ol> 防御措施<\/h2> 技术层面<\/h3> 改变TLS缓存key值<\/strong>：<\/p> 当前：(hostname, port)<\/li> 建议：(hostname, port, ip_addr)或(hostname, port, addr_type(ip_addr))<\/li> <\/ul> <\/li> 禁用带外通信时的TLS session resumption<\/strong>：<\/p> libcurl: CURLOPT_SSL_SESSIONID_CACHE=false<\/code><\/li> Firefox: security.ssl.disable_session_identifiers=true<\/code><\/li> Tor browser: 默认禁用<\/li> Java, Nodejs, Chrome等: 无选项<\/li> <\/ul> <\/li> Web应用防御<\/strong>：<\/p> 关注webhooks, apple pay等应用<\/li> 对出站请求设置代理监控(如smokescreen工具)<\/li> 阻止未经验证的内部TCP内容运行，特别是带换行符的内容<\/li> <\/ul> <\/li> <\/ol> 替代方案<\/h3> 杜绝DNS重绑定：第一次解析后直接使用解析返回的IP替换域名访问URL<\/li> <\/ul> 总结与思考<\/h2> 技术启示：<\/p> HTTPS本为防止中间人攻击的安全协议，却因优化算法成为攻击媒介<\/li> 安全开销与时间开销的平衡问题<\/li> <\/ul> <\/li> 关键结论：<\/p> TLS对SSRF攻击有重要利用价值<\/li> 需要持续关注最新技术手段以打破常规<\/li> 必须认真权衡TLS会话重用的利弊<\/li> <\/ul> <\/li> 研究方向：<\/p> 建设更好的测试基础设施<\/li> 开发Alternating DNS Server、Custom TLS等工具<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> TLS-poison GitHub项目<\/a><\/li> PortSwigger相关报道<\/a><\/li> Security Boulevard报道<\/a><\/li> DEF CON演讲信息<\/a><\/li> TLS会话恢复技术文档<\/a><\/li> <\/ol>

利用DNS缓存和TLS协议将受限SSRF变为通用SSRF技术分析<\/h1>

前言<\/h2> 本文基于BlackHat 2020议题《When TLS Hacks You》的技术内容，详细分析如何结合DNS缓存和TLS会话恢复机制，将受限的SSRF漏洞转变为通用SSRF攻击的技术原理、实现方法和防御措施。<\/p>

背景知识<\/h2>

技术实现<\/h2>

攻击方法<\/h2>

防御措施<\/h2>

参考资源<\/h2> TLS-poison GitHub项目<\/a><\/li> PortSwigger相关报道<\/a><\/li> Security Boulevard报道<\/a><\/li> DEF CON演讲信息<\/a><\/li> TLS会话恢复技术文档<\/a><\/li> <\/ol>

前言<\/h2>
本文基于BlackHat 2020议题《When TLS Hacks You》的技术内容，详细分析如何结合DNS缓存和TLS会话恢复机制，将受限的SSRF漏洞转变为通用SSRF攻击的技术原理、实现方法和防御措施。<\/p>

参考资源<\/h2>

TLS-poison GitHub项目<\/a><\/li>
PortSwigger相关报道<\/a><\/li>
Security Boulevard报道<\/a><\/li>
DEF CON演讲信息<\/a><\/li>
TLS会话恢复技术文档<\/a><\/li> <\/ol>