BUG-000114489 : SSRF in Portal for ArcGIS Leaking NTLMv2 Hashes ~ Random stuff by yappare

Tuesday, January 29, 2019

BUG-000114489 : SSRF in Portal for ArcGIS Leaking NTLMv2 Hashes

on January 29, 2019 in Hall of Fame, Security, Tricks No comments

This was found and responsibly disclosed to the ArcGIS team last year. Issue was given BUG id 000114489 and patch has been released.

TL;DR

The attacking point can be captured from ArcGis Portal that located at /home/webmap/viewer.html
Example: http://www.arcgis.com/home/webmap/viewer.html

Steps to reproduce:

Click on “Modify Map”
Then click on Add > Add layer from Web Choose “A KML File”

The request will looks as follow: https://utility.arcgis.com/sharing/kml?url=[SSRF]
From the attacking point, you can either point it to your

Responder server
External webhook
localhost:[port] *check on the time responses to identify open/close ports

Thanks to Randall from ArcGIS.

Reference: https://support.esri.com/en/download/7660

Random stuff by yappare

Tuesday, January 29, 2019

BUG-000114489 : SSRF in Portal for ArcGIS Leaking NTLMv2 Hashes

Steps to reproduce:

0 comments:

Text Widget

Popular Posts

Pages

Blog Archive

Recent Posts

Unordered List

Categories