1

Using favicons.nextdns.io to request other resources

Hi! I notice that all favicons are stored on your side using favicons.nextdns.io.

As parameter after slash theres an "/hex:HEX_OF_WEBSITE_URL@1x.png" so i tried to create simple server listener and while checking logs i just request for full URL with specified filename. Sometimes it doesnt work, sometimes i need to specify new subdomain but i got few working requests:

107.178.204.4 - - [21/Dec/2022:16:43:22 +0100] "GET / HTTP/1.1" 200 1516 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
107.178.204.4 - - [21/Dec/2022:16:43:22 +0100] "GET /favicon.ico HTTP/1.1" 404 270 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
107.178.204.4 - - [21/Dec/2022:16:43:39 +0100] "GET /robots2.txt HTTP/1.1" 404 270 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
107.178.204.4 - - [21/Dec/2022:16:43:39 +0100] "GET /favicon.ico HTTP/1.1" 404 270 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
107.178.204.4 - - [21/Dec/2022:16:43:39 +0100] "GET /robots2.txt HTTP/1.1" 404 273 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
107.178.204.4 - - [21/Dec/2022:16:47:08 +0100] "GET /1234.txt/favicon.ico HTTP/1.1" 404 273 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
107.178.204.3 - - [21/Dec/2022:17:00:33 +0100] "GET /new HTTP/1.1" 404 270 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
107.178.204.3 - - [21/Dec/2022:17:00:33 +0100] "GET /favicon.ico HTTP/1.1" 404 270 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"

Most interesting part is request to /robots2.txt file, /new endpoint and /1234.txt/favicon.ico. I think that should allow other persons without login (during test i didnt use NextDNS and i wasnt logged into panel) to use your server to try request for malicious things like triggering an payload.

As i mentioned there is already some way of filtering due not all of my tries were working but few of them works!

To be sure, the last test /new was performed from clear Microsoft Edge webbrowser, without NextDNS, from clear Windows VM.

Regards!

3 replies

null
    • kucharskov
    • 1 yr ago
    • Reported - view

    Today i fight with that bug a little more. I got consistent request, just each time i need to specify new subdomain/URL to force new request. The most incredible thing is that i was able to perform query to server, on non standard port (8081) with specified file and parameter! 

    user@server:$ python3 -m http.server 8081
    Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
    35.203.253.109 - - [22/Dec/2022 23:40:00] "GET /test HTTP/1.1" 404 -
    35.203.253.109 - - [22/Dec/2022 23:40:00] code 404, message File not found
    35.203.253.109 - - [22/Dec/2022 23:40:00] "GET /favicon.ico HTTP/1.1" 404 -
    35.203.253.109 - - [22/Dec/2022 23:40:10] code 404, message File not found
    35.203.253.109 - - [22/Dec/2022 23:40:10] "GET /test?param=1 HTTP/1.1" 404 -
    35.203.253.109 - - [22/Dec/2022 23:40:10] code 404, message File not found
    35.203.253.109 - - [22/Dec/2022 23:40:10] "GET /favicon.ico HTTP/1.1" 404 -
    35.203.253.109 - - [22/Dec/2022 23:40:10] code 404, message File not found

    I will call that "blind SSRF" (the closest vulnerability which is similar to what im able to do).

    favicons.nextdns.io replies with 404, but request is done, just add anything to URL to generate new no checked earlier HEX.

    • kucharskov
    • 1 yr ago
    • Reported - view

    Hello! Any reply in this topic? I re-think whole problem and i had in-mind solution for that. But without any response from @NextDNS i wont to dig deeper.

    • kucharskov
    • 1 yr ago
    • Reported - view

    What a wonderfull silent path ;) I dont know if you fixed anything but my todays tries to retry that kind of SSRF failed. Woah

Content aside

  • 1 Likes
  • 1 yr agoLast active
  • 3Replies
  • 144Views
  • 1 Following