Microsoft ADFS 4.0 Windows Server 2016 Server Side Request Forgery

Credit: Alphan Yavas
Risk: Medium
Local: No
Remote: Yes

I. VULNERABILITY
-------------------------
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) Server Side Request Forgery (SSRF)

II. CVE REFERENCE
-------------------------
CVE-2018-16794

III. VENDOR
-------------------------

IV. TIMELINE
-------------------------
15/08/2018 Vulnerability discovered
18/08/2018 Vendor contacted
06/09/2018 Microsoft replied that this will be fixed in the next version of Windows Server

V. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Microsoft ADFS 4.0 on Windows Server 2016 and previous versions are affected by an SSRF vulnerability. A remote attacker can force the vulnerable server to send a request to any remote server of the attacker's choosing.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path (inurl): /adfs/ls
Parameter: txtBoxEmail

The ADFS login page is affected by the SSRF vulnerability. If the username is sent in the following format, the victim server will send DNS queries to the xxx domain (xxx is the domain you want the server to send the request to):

username: \pentest
password: (doesn't matter)

To observe the request, listen on the DNS port of your own server (xxx) with tcpdump; the callback request will be visible there.
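Detection-side companion to the proof of concept above: an added example, not part of the advisory or of any Microsoft code, that inspects the username submitted to /adfs/ls and flags values that cannot be an ordinary DOMAIN\user or user@domain logon name, such as the advisory's backslash-prefixed "\pentest". The record format (path plus URL-encoded body), the extra field name UserName, and the domain allowlist are assumptions of the example; txtBoxEmail and the /adfs/ls path come from the advisory.

```python
"""Flag suspicious usernames submitted to the ADFS login endpoint.

Added example for the advisory above; the log record shape, the
ALLOWED_DOMAINS set and the UserName field name are assumptions.
"""
from urllib.parse import parse_qs

# txtBoxEmail is the parameter named in the advisory; UserName is an
# assumed additional field name carrying the same logon input.
USERNAME_FIELDS = ("txtBoxEmail", "UserName")

# Assumed allowlist of NetBIOS domain prefixes that are legitimate in DOMAIN\user.
ALLOWED_DOMAINS = {"CORP"}


def inspect_username(value, allowed_domains=ALLOWED_DOMAINS):
    """Return the reasons a username looks abnormal (empty list if clean).

    A legitimate logon is either user@domain (no backslash) or DOMAIN\\user
    (exactly one backslash, with a known domain in front of it).
    """
    reasons = []
    if value.startswith("\\"):
        reasons.append("username begins with a backslash (no domain before it)")
    backslashes = value.count("\\")
    if backslashes > 1:
        reasons.append(f"{backslashes} backslashes; DOMAIN\\user has at most one")
    if backslashes == 1 and not value.startswith("\\"):
        domain, _, _ = value.partition("\\")
        if domain.upper() not in allowed_domains:
            reasons.append(f"unexpected domain prefix {domain!r}")
    return reasons


def scan_requests(records):
    """records: iterable of (request_path, urlencoded_body) tuples.

    Only requests to the /adfs/ls login page are inspected. Returns one
    finding per flagged username field.
    """
    findings = []
    for path, body in records:
        if not path.startswith("/adfs/ls"):
            continue
        params = parse_qs(body, keep_blank_values=True)
        for field in USERNAME_FIELDS:
            for value in params.get(field, []):
                reasons = inspect_username(value)
                if reasons:
                    findings.append(
                        {"path": path, "field": field, "value": value, "reasons": reasons}
                    )
    return findings


# Constructed sample requests for the example; not captured traffic.
SAMPLE_REQUESTS = [
    ("/adfs/ls/?wa=wsignin1.0", "txtBoxEmail=CORP%5Cjdoe&txtBoxPassword=hunter2"),
    ("/adfs/ls/?wa=wsignin1.0", "txtBoxEmail=jdoe%40corp.example&txtBoxPassword=hunter2"),
    ("/adfs/ls/?wa=wsignin1.0", "txtBoxEmail=%5Cpentest&txtBoxPassword=x"),
    ("/adfs/ls/?wa=wsignin1.0", "txtBoxEmail=OTHER%5Cjdoe&txtBoxPassword=x"),
    ("/adfs/services/trust", "txtBoxEmail=%5Cpentest"),  # not the login page; ignored
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["path"], finding["field"], repr(finding["value"]),
              "; ".join(finding["reasons"]))
```

Run against real ADFS request logs, the same two checks (leading backslash; domain prefix outside the expected set) give an alert that fires before any outbound DNS query is observed, whereas the tcpdump approach in the advisory only confirms the callback after the fact; pairing this with outbound DNS monitoring from the federation servers covers both sides.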
