We propose a new exploit technique that brings a whole new attack surface for bypassing SSRF (Server Side Request Forgery) protections. This is a very general attack approach, which we used in combination with our own fuzzing tool to discover many 0-days in the built-in libraries of very widely used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency between URL parsers and URL requesters: the component that validates a URL and the component that actually issues the request can disagree about which host the URL names. Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0-days have been discovered in them via this technique.

We will discuss real situations from the last year where our community could have risen to the occasion; we will analyze what failed and propose how we can further help protect people.

In this presentation, one vulnerability in CSFB (Circuit Switched Fallback) in the 4G LTE network is introduced. We verified these attacks with our own phones in operators' networks at a small, controllable scale. The attacker can also initiate a call/SMS by impersonating the victim. Furthermore, the Telephonist Attack can obtain the victim's phone number and then use the phone number to mount advanced attacks, e.g. The victim will not sense being attacked, since no 4G or 2G fake base station is used and no cell re-selection occurs.
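The parser/requester inconsistency in miniature, as an added example that is not part of the talk or its fuzzing tool. The `naive_host` function is a hypothetical hand-written host extractor of the kind found in ad-hoc SSRF filters (constructed here, not taken from any real library); `requester_host` uses Python's `urllib.parse.urlsplit` as a stand-in for the HTTP client's own parser. The allowlist and payload URLs are constructed for the example. `safe_target` shows the mitigation a practitioner would want: parse once, reject userinfo and foreign schemes, allowlist the parsed host, and hand the requester only a canonical URL rebuilt from those parsed parts.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: the only host the SSRF filter should permit.
ALLOWED_HOSTS = {"allowed.example"}


def naive_host(url):
    """Hypothetical ad-hoc host extractor (constructed for this example, not any
    real library's code). It takes everything between '://' and the first '/',
    treats the text after the last '@' as the host, and does not know that '#'
    starts a fragment. That last gap is what the payload below exploits."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]*)", url, re.IGNORECASE)
    if not m:
        return None
    authority = m.group(1)
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]
    return authority.split(":")[0].lower() or None


def requester_host(url):
    """Host a standards-following requester actually connects to. urlsplit ends
    the authority at the first '/', '?' or '#', so an '@' inside the fragment
    cannot move the host. Stand-in for the HTTP client's own parser."""
    return urlsplit(url).hostname


def parser_requester_mismatch(url):
    """Return (filter_view, requester_view); any difference is an SSRF bypass."""
    return naive_host(url), requester_host(url)


def safe_target(url):
    """Hardened check: a single parser, no userinfo, allowlisted host, and a
    canonical rebuild that must parse back to the same host. Returns the
    canonical URL to hand to the requester, or None to refuse the request."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo is a classic source of host confusion
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        return None
    netloc = host if port is None else f"{host}:{port}"
    canon = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    if urlsplit(canon).hostname != host:
        return None  # defence in depth: the rebuilt URL must still name the same host
    return canon


if __name__ == "__main__":
    # Constructed payloads: in the second one the filter sees allowed.example
    # while the requester would connect to evil.example.
    for u in ("http://allowed.example/api?x=1",
              "http://evil.example#@allowed.example/",
              "http://allowed.example@evil.example/"):
        print(u, "->", parser_requester_mismatch(u), "| safe:", safe_target(u))
```

The point of `safe_target` is not the specific checks but the shape: the string that was validated is never the string that is fetched; the requester receives a URL rebuilt from the validated parts, so there is no second parser left to disagree with the first.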