CVE-2022-29188: Smokescreen SSRF via deny list bypass (square brackets)

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.46313%
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name: github.com/stripe/smokescreen
Ecosystem: go
Vulnerable Versions: < 0.0.4
First Patched Version: 0.0.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper hostname normalization when checking deny lists. The commit diff shows critical changes in hostname handling:

  1. In BuildProxy, switching from req.Host to req.URL.Hostname() for remoteHost determination
  2. In handleConnect, changing from pctx.Req.Host to pctx.Req.URL.Hostname() for the security checks

These functions were vulnerable because req.Host preserves square brackets around hostnames, while URL.Hostname() properly strips them. The original implementation allowed attackers to bypass deny lists by wrapping domains in square brackets, as the deny list matching would see '[example.com]' instead of 'example.com'.
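To make the normalization difference concrete, the following is an added Go example (not code from Smokescreen, and not part of this advisory page) that models the pre-fix host extraction (req.Host) beside the post-fix one (req.URL.Hostname()) and runs both against a constructed deny list. The deny list contents, the exact-match isDenied check and the helper names are assumptions for illustration; Smokescreen's real ACL logic is richer. The example also goes one step beyond the bracket case: because Hostname() strips a trailing :port as well, the fixed path additionally catches a denied name that req.Host would have carried as "example.com:8080".

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// denyList is a constructed sample for this example; a real deployment
// loads its own entries.
var denyList = map[string]bool{
	"example.com":   true,
	"internal.test": true,
}

// hostFromRequestVulnerable mirrors the pre-fix behaviour described in the
// root cause analysis: the host is taken straight from req.Host, so
// surrounding square brackets (and any :port) pass through untouched.
func hostFromRequestVulnerable(req *http.Request) string {
	return req.Host
}

// hostFromRequestFixed mirrors the fix: url.URL.Hostname() removes the IPv6
// bracket syntax and any port before the name reaches the deny list.
func hostFromRequestFixed(req *http.Request) string {
	return req.URL.Hostname()
}

// isDenied is a simplified exact-match deny-list check (an assumption for
// this example). It lower-cases the name and drops a trailing dot, but it
// deliberately does not strip brackets: normalizing the host is the job of
// the extraction step, which is exactly where the real bug lived.
func isDenied(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	return denyList[h]
}

// evaluate parses a proxied request URL and reports whether the vulnerable
// and the fixed extraction paths would each block it.
func evaluate(rawURL string) (vulnerableBlocked, fixedBlocked bool, err error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return false, false, err
	}
	return isDenied(hostFromRequestVulnerable(req)), isDenied(hostFromRequestFixed(req)), nil
}

func main() {
	// Constructed request URLs: a plain denied host, the bracketed variant
	// from the advisory, and the same host with an explicit port.
	for _, u := range []string{
		"http://example.com/",
		"http://[example.com]/",
		"http://example.com:8080/",
	} {
		v, f, err := evaluate(u)
		if err != nil {
			fmt.Printf("%-26s parse error: %v\n", u, err)
			continue
		}
		fmt.Printf("%-26s vulnerable blocked=%-5v fixed blocked=%v\n", u, v, f)
	}
}
```

Running the block shows the plain host blocked by both paths, while the bracketed form and the form with a port slip past the req.Host-based check and are caught only once the name is passed through Hostname(). The practical takeaway for anyone writing a similar allow/deny layer is that the comparison must run on a canonical hostname, not on whatever the client put in the Host header or authority.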

WAF Protection Rules

WAF Rule

Impact

The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an opti
