Tuesday, January 29, 2019

BUG-000114489 : SSRF in Portal for ArcGIS Leaking NTLMv2 Hashes

This was found and responsibly disclosed to the ArcGIS team last year. The issue was assigned BUG ID 000114489 and a patch has been released.


The vulnerable request can be captured from the ArcGIS Portal map viewer, located at /home/webmap/viewer.html
Example: http://www.arcgis.com/home/webmap/viewer.html

Steps to reproduce:

  • Click on “Modify Map”
  • Then click Add > Add Layer from Web and choose “A KML File”
  • The request will look as follows: https://utility.arcgis.com/sharing/kml?url=[SSRF]
  • From this point, you can point the url parameter to one of the following:
    • Your Responder server
    • An external webhook
    • localhost:[port] (check the response times to identify open/closed ports)
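
A defender-side check for the request described above, added here as an example (not code from this post or from Esri): it scans request lines for /sharing/kml calls whose url parameter targets loopback or private addresses, and reports internal hosts requested on several ports. The log lines are constructed, and `classify_target`, `scan` and the threshold of 3 ports are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

KML_PATH = "/sharing/kml"  # endpoint named in the post
# Constructed request lines for illustration (not real traffic).
SAMPLE_LOG = [
    "GET /sharing/kml?url=https%3A%2F%2Fmaps.example.org%2Froads.kml HTTP/1.1",
    "GET /sharing/kml?url=http%3A%2F%2Flocalhost%3A22%2F HTTP/1.1",
    "GET /sharing/kml?url=http%3A%2F%2Flocalhost%2F HTTP/1.1",
    "GET /sharing/kml?url=http%3A%2F%2Flocalhost%3A8080%2F HTTP/1.1",
    "GET /sharing/kml?url=http%3A%2F%2F10.0.4.17%2Fx.kml HTTP/1.1",
    "GET /home/webmap/viewer.html HTTP/1.1",
]

def classify_target(target):
    """Return (reason, host, port) for an internal or malformed target, else None."""
    try:
        parts = urlsplit(target)
        host, port = parts.hostname, parts.port
    except ValueError:
        return ("malformed URL", None, None)
    if parts.scheme not in ("http", "https") or not host:
        return ("not an http(s) URL", host, port)
    port = port or (443 if parts.scheme == "https" else 80)
    if host == "localhost" or host.endswith(".localhost"):
        return ("loopback name", host, port)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: a fetcher must also check the resolved address
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return ("internal address", host, port)
    return None

def scan(lines, sweep_threshold=3):
    """Return (findings, sweeps); sweeps maps an internal host to the ports requested."""
    findings, ports = [], defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 3 or urlsplit(fields[1]).path != KML_PATH:
            continue
        for target in parse_qs(urlsplit(fields[1]).query).get("url", []):
            hit = classify_target(target)
            if hit:
                findings.append((target, hit[0]))
                if hit[1] and hit[2]:
                    ports[hit[1]].add(hit[2])
    return findings, {h: sorted(p) for h, p in ports.items() if len(p) >= sweep_threshold}
```

Calling `scan(SAMPLE_LOG)` returns the flagged requests and the per-host port sets. Requests that point at external hosts, such as the Responder server case, are not flagged by this check.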

Thanks to Randall from ArcGIS.
Reference: https://support.esri.com/en/download/7660