A user with a valid administrator account could leverage SSRF on a vulnerable server to issue arbitrary server-side requests, e.g. to download another user’s data.

Detection of cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures. Cisco Talon detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures, and monitors endpoints for the presence of files called _keking_cn_sample.zip, which are detected as SSRF. Cisco Endpoints also detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures.

References

Cisco Talon detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures:
CN-KEKING-WEB-CONTROLLER#GETCORSFILE_A_SSRF_VIA_MALWARE_SIGNATURES

Summary

A user with a valid administrator account could enable SSRF on a vulnerable server to download another user’s data.
SSRF was detected by Cisco Talon as SSRF via Malware Signatures.

Summary of Cisco Talon detections for cn.keking.web.controller.OnlinePreviewController#getCorsFile

Cisco Talon detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures (.zip file name). Cisco Endpoints detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures (cn.keking.web.controller.OnlinePreviewController#getCorsFile in config/configuration directory).

Cisco Talon Indicator of Compromise (IOC)

Cisco Talon monitors endpoints for the presence of files called _keking_cn_sample.zip, which are detected as SSRF. Cisco Talon also detects the presence of cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures. Cisco Endpoints detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures.

Timeline

Published on: 11/17/2022 17:15:00 UTC
Last modified on: 11/18/2022 19:11:00 UTC

References