Microsoft ADFS 4.0 Windows Server 2016 Server Side Request Forgery

CVE: CVE-2018-16794
Category: CWE-918
Price: $5,000
Severity: Critical
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2018-09-14
CVSS: CVSS:4.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018090135

Below is a copy:

Microsoft ADFS 4.0 Windows Server 2016 Server Side Request Forgery
I. VULNERABILITY
-------------------------
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory
Federation Services) Server Side Request Forgery (SSRF)

II. CVE REFERENCE
-------------------------
CVE-2018-16794

III. VENDOR
-------------------------
https://www.microsoft.com
https://msdn.microsoft.com/en-us/library/bb897402.aspx

IV. TIMELINE
-------------------------
15/08/2018 Vulnerability discovered
18/08/2018 Vendor contacted
06/09/2018 Microsoft replied that it will fix this in the next version of
Windows Server

V. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Microsoft ADFS 4.0 on Windows Server 2016 and previous versions are
affected by an SSRF vulnerability. A remote attacker could force the
vulnerable server to send requests to any remote server s/he wants.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path(inurl): /adfs/ls
Parameter: txtBoxEmail

The ADFS login page is affected by the SSRF vulnerability. If the
username is sent in the following format, the victim server will send
DNS queries to the xxx domain (xxx is the domain to which you want the
server to send requests).

username: ssrf.xxx.com\pentest
password: (doesn't matter)

To observe this request, listen with tcpdump on the DNS port of your own
server (xxx); you will see the callback request there.
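
One way to spot the username format described above among submitted login names, as an added example that is not part of the original advisory: it flags DOMAIN\user values whose domain prefix is not one the AD FS farm serves. The trusted-domain list, the sample records and all function names are assumptions constructed for illustration.

```python
# Flag AD FS login usernames whose DOMAIN\user prefix is not a trusted domain.
from collections import Counter

# Assumption: domains this AD FS farm legitimately authenticates (placeholders).
TRUSTED_DOMAINS = {"corp", "corp.example.com"}

# Constructed sample records: (source IP, value submitted as the username).
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", r"ssrf.xxx.com\pentest"),
    ("198.51.100.4", r"CORP\alice"),
    ("198.51.100.9", "bob@corp.example.com"),
    ("203.0.113.7", r"a1.xxx.com.\pentest"),
    ("198.51.100.4", r"corp.example.com\carol"),
]


def domain_prefix(username):
    """Return the normalised domain of a DOMAIN\\user name, or None for other forms."""
    domain, sep, _user = username.strip().partition("\\")
    if not sep:
        return None  # no backslash: not the format the advisory describes
    # Lower-case and drop a trailing dot so "CORP" and "corp.example.com." match.
    return domain.strip().rstrip(".").lower()


def is_suspicious(username, trusted=TRUSTED_DOMAINS):
    """True when the name carries a domain prefix that is not on the allowlist."""
    domain = domain_prefix(username)
    return domain is not None and domain not in trusted


def summarize(attempts, trusted=TRUSTED_DOMAINS):
    """Count untrusted-domain submissions per (source IP, domain)."""
    hits = Counter()
    for src, username in attempts:
        if is_suspicious(username, trusted):
            hits[(src, domain_prefix(username))] += 1
    return hits


if __name__ == "__main__":
    for (src, domain), count in summarize(SAMPLE_ATTEMPTS).most_common():
        print(f"{src} submitted untrusted domain {domain!r} x{count}")
```

Hits are most useful when correlated with outbound DNS queries from the AD FS server for the same domain.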
