Hardcoded Crypto Keys leading to SSRF in VMWare Workspace One UEM

We discussed this vulnerability during Episode 141 on 02 May 2022

Hard-coded crednetials strike again, enabled a couple Server Side Request Forgeries as the URL to be requested was inside an encrypted, but user-provided URL parameter. Within the application there were a couple endpoints that would take a Url parameter. The purpose of the endpoints was to serve up cached requests or to make/proxy those requests. So something from the Url parameter was being used to determine the request that should be made.

What was found was a custom encryption/decryption class was being used (DataEncryption.DecryptString(...)) to decrypt the parameter. Which is a huge red-flag when reading code, not rolling your own cryption includes not rolling your own crypto protocols. What they found was that the Url parameter was a base64 encoded string with several colon separated values:

{cryptoVersion}:{keyVersion}:{text}:{cipherText}

Of note for this vulnerability is the keyVersion field, when set to kv0 it would fall back to using a hard-coded key to decrypt the cipher-text provided. Knowing this one could encrypt their own data using this hard-coded key and have the server make a request to the desired location. They were able to use this to access the metadata instance and leak AWS instance secrets.

To me, this comes across as an inappropriate use of encryption where signing would have made more sense. Granted there may have been reason that the URLs being requested needed to remain secret also inwhich case encryption makes sense. If the goal is to prevent the end-user from being able to craft their own destinations then using public key cryptography

Video Correction: During the discussion on crypto I made a reference to an AED mode of operation, in my ahead i was thinking AEAD (Authenticated Encryption with Associated Data). But this is not an operation mode but just a term of the type of crypto. In my head I was thinking of AES-GCM (Galios Counter Mode). Which uses authentication tags to provide an authenticated cryptosystem.