[Oracle] pwned by 2 RCE (Stas Kravchenko, "Kravchenko Stas | Just another BugBounty Security Researcher", http://www.blogger.com/profile/06193945201926933874, published 2017-02-15)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Hello there,<br /><br />Finally, after a long time (3 month) of communication with Oracle Security Team - majority of reported by me vulnerabilities were fixed. Now I’m able to share interesting findings with a public. On this topic I’m gonna write about 2 different RCE vectors that I was able to exploit against of Oracle’ sites.</span></span><br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: large;"><b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-family: "georgia" , "times new roman" , serif;"><span style="font-size: medium;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><b>Finding #1 (The ShellShock via CGI entry-point)</b></span></span></span></span></span></b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" id="docs-internal-guid-8c8362a1-41e2-c1d7-445e-d05b9554f5ad" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Well, I suppose that all of you (or majority) already know about vulnerability inside of BASH that were found in 2014, but just in case I will leave this link here: </span><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271" style="text-decoration: none;" target="_blank"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">CVE-2014-6271</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. In a nutshell, Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. As I see it widely occurred ShellShock is coming through HTTP_USER_AGENT header, CGI-based, but there are several more (e.g. OpenSSH, DHCP, etc). Back to CGI-based one, when a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in usual usage, identifies the program sending the request.</span></span></span></div>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span id="docs-internal-guid-8c8362a1-41e2-f850-d302-777e6201b2e1" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A bit about flow of discovering. I hope everyone knows about Google Dorking and there is no need to write much, but just in case <a href="https://en.wikipedia.org/wiki/Google_hacking" target="_blank">here you can find more information.</a></span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Usually CGI scripts are located in /cgi/, /cgi-bin/ or /cgi-sys/ directories (i.e. /usr/local/apache/htdocs/cgi-bin) so basically URL will be following: https://example.com/cgi-bin/. The next step is gonna be - searching via </span><span style="background-color: transparent; color: black; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Google Dork</span><span style="font-family: "arial" , "helvetica" , sans-serif;">:</span></span></span></div>
<blockquote class="tr_bq">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-size: small;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">inurl:/cgi-bin/ site:*.example.com</span></span></span></span></span></span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-size: small;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">inurl:/cgi/ </span></span><span style="font-size: small;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">site:*.example.com</span></span></span></span></span></span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-size: small;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">filetype:cgi </span></span><span style="font-size: small;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">site:*.example.com</span></span></span></span></span></span></span></span></div>
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">etc...</span></span></span></span></span></span></span></span></span></blockquote>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span id="docs-internal-guid-8c8362a1-41e3-de15-a233-503cdd69f162" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But needless to say, the response on this dork request won’t return all existing files inside the /cgi-bin/ directory. As you know </span><span style="background-color: transparent; color: black; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Google Dork</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> will return only the cached files / directories by Google search engine. To perform such an activity I preferred using brute force directories and files names tool called </span><span style="background-color: transparent; color: black; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dirbuster</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. This tool is embedded by default into Kali distribution. The tool is really simple in use - so, just open it and you will understand everything by yourself. Via </span><span style="background-color: transparent; color: black; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dirbuster</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> tool I was able to find following file: /cgi-bin/test-cgi with a 200 Status Code. 
Fast navigation at this endpoint returned me following stuff..</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgut4BlaxCKLGUQKZCkbwrbuHLG8evNNtLAevFQe2zB4FhRnzDRBD4Ef8cIATRNscjObBdtMIuCPe3Lc6Hy6aha2JCAt5EiD_2HQfJ8YxCUW3jSuiAN4RJYbVixKHmBErReUShIlBVgrVY0/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgut4BlaxCKLGUQKZCkbwrbuHLG8evNNtLAevFQe2zB4FhRnzDRBD4Ef8cIATRNscjObBdtMIuCPe3Lc6Hy6aha2JCAt5EiD_2HQfJ8YxCUW3jSuiAN4RJYbVixKHmBErReUShIlBVgrVY0/s400/01.png" width="400" /></a></div>
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let’s take a brief look at how CGI ShellShock works.</span></span></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">So, the syntax is pretty trivial of vulnerability in Bourne Again Shell (BASH), aka “Shellshock”, <i><span style="background-color: #eeeeee;">() { :; }; echo;</span></i> is the key to the exploit. Then we have the payload of <i><span style="background-color: #eeeeee;">/bin/bash</span></i> which allows for an arbitrary script.</span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Here is crafted HTTP request to execute Unix <span style="background-color: #eeeeee;"><i>uname -a</i></span> command:</span></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv7vUc2DlT9B2MCuEgjXjGs4ptekqHUmKuoDTIYa_hH6DJJWNq6Zi92YgqjAM6cXvH9EbU83DvFngTdHYMrDmxZ8bPfihAiOIuY8GsfJiUNSA1OKjdLXrn3KDsrevsrA2v_J8iDUvzeo6T/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv7vUc2DlT9B2MCuEgjXjGs4ptekqHUmKuoDTIYa_hH6DJJWNq6Zi92YgqjAM6cXvH9EbU83DvFngTdHYMrDmxZ8bPfihAiOIuY8GsfJiUNSA1OKjdLXrn3KDsrevsrA2v_J8iDUvzeo6T/s400/02.png" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span id="docs-internal-guid-8c8362a1-41e5-e719-4bfb-32ab80f58631" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As a result - server returned me all the information about system. Quite easy, right? Let’s retrieve more interesting information from the server:</span></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwC4Je5RUZwG-EVTabRWjDoK0dRaHNbHsSlR923A4YfNq01D08RE_fru-ZFbqmRsF8eTMfK3a9gAw-7-hGvYrYqwXc7MJUxDsyakyWflua0w0e19Uby8CJPZx8moYknopO5uG_Oa8fQdWE/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwC4Je5RUZwG-EVTabRWjDoK0dRaHNbHsSlR923A4YfNq01D08RE_fru-ZFbqmRsF8eTMfK3a9gAw-7-hGvYrYqwXc7MJUxDsyakyWflua0w0e19Uby8CJPZx8moYknopO5uG_Oa8fQdWE/s400/03.png" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The command was executed successfully as I expected. Now I was able to perform a lot of actions against this particular server in order to compromise it (e.g. open a port for reverse shell).</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"><br /><span style="font-size: small;"><u><b>Conclusions<span style="font-family: "arial" , "helvetica" , sans-serif;">:</span></b></u></span></span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span id="docs-internal-guid-03e8f1a2-41e6-5dcc-416a-2d674387ea42" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">While the exploration of Shellshock here postulates a vulnerable CGI script, the vulnerability can be exploited even without CGI being involved. That said, if you have </span><span style="background-color: transparent; color: black; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">any</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> CGI script that executes bash explicitly or even implicitly on </span><span style="background-color: transparent; color: black; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">any</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> code path, the above attacks apply to you.</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><br /></span></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-size: x-small;"><br /></span></span></span></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: large;"><b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-family: "georgia" , "times new roman" , serif;"><span style="font-size: medium;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><b>Finding #2 (Running</b> <b>Outdated version of GitWeb)</b></span></span></span></span></span></b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; clear: right; color: black; float: right; font-style: normal; font-variant: normal; font-weight: 400; margin-bottom: 1em; margin-left: 1em; text-decoration: none; vertical-align: baseline;"><img height="224" src="https://lh6.googleusercontent.com/mNUvuGIjJgKOPtofGx7jZGECswnKFguu35WblmNZ6kAzrMmb-P59IBSWM_Xzb7ZBaB2DnC3heiT1xhhGSwVoZ1815CQ22e-h2zEe2GFZ9pf6CD_TDGLfHfmopU0KSpA8xJq8HT1b" style="border: medium none; transform: rotate(0rad);" width="245" /></span><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: inherit;"><span style="font-size: x-small;"></span></span></span></span></div>
<div dir="ltr" id="docs-internal-guid-03e8f1a2-41e6-f945-f740-2ab7ec7c233d" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Each time that I find a new vulnerability at such giants companies I’m surprising less and less. This time I have found running out-dated GitWeb version at one of Oracle’s subdomains. One of my scripts have detected old version of running application. It’s an obvious step - verify for already written exploits online. Without any difficulty I found assigned CVEs: </span><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5516" style="text-decoration: none;" target="_blank"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">CVE-2008-5516</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5517" style="text-decoration: none;" target="_blank"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">CVE-2008-5517</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> that is causing arbitrary code execution. Vulnerability is 9 years old and still has a place for the use… But as I mentioned above I’m not surprised.</span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In a nutshell about vulnerability: Vulnerable functions in gitweb.cgi: git_snapshot(), git_search(), git_object() leads remote attackers to execute arbitrary commands </span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The initial request looks like following:</span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #eeeeee;"><i><span style="color: black;"><a href="https://vp-oss.oracle.com/git/gitweb.cgi?p=agrover/early-rds.git;a=object;f=1477970881;h=2755f7ab033b0f1653dd5f6e5bcc142d;hb=b667dde7342fc8d9adb7c9ef217cc47c" style="text-decoration: none;" target="_blank"><span style="font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://vp-oss.oracle.com/git/gitweb.cgi?p=agrover/early-rds.git;a=object;f=1477970881;h=2755f7ab033b0f1653dd5f6e5bcc142d;hb=b667dde7342fc8d9adb7c9ef217cc47c</span></a></span></i></span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Here is vulnerable gitweb.cgi endpoint with a different parameters, but we are interested in ‘a’ and ‘h’ parameters. Where ‘a’ parameter calls one of vulnerable function and via ‘h’ parameter remote attacker is able to inject arbitrary code, like this:</span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl05-M1htar3Q9AtPLkqSPxxqCsONBgYot5jQz7-VwjQgR3gmBS4ZVhjkMrU06Inxh0AAvEmBCBWnx920dUD0dTBVOOF442xWKIEgyHHGQnszqE6NuFPdOyxoMftAWD48YJEjOQW2MnG0F/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl05-M1htar3Q9AtPLkqSPxxqCsONBgYot5jQz7-VwjQgR3gmBS4ZVhjkMrU06Inxh0AAvEmBCBWnx920dUD0dTBVOOF442xWKIEgyHHGQnszqE6NuFPdOyxoMftAWD48YJEjOQW2MnG0F/s400/1.png" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span id="docs-internal-guid-03e8f1a2-41e9-6420-0d52-bfd75b240605" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In this particular case the result on the command execution will be returned inside of HTTP Response in Location header. The object function from a parameter will be substituted with a result of command. The problem that I have faced here is how to make a request that contains ‘space’ (e.g. cat /etc/passwd). Even with </span><span style="background-color: #eeeeee;"><span style="color: black; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uname -a</span></span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> command and different types of encoding doesn’t work here all the time I got ‘403 Forbidden - Invalid hash parameter’. </span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFnIkHI3ogdh37dDPodkxrkoom9O_fi-4hSZ_JxDNOmAyHk_lEEzApNDTjlCzevL-PAsI6KvxpCAchgUHuFrtewnuvq0e5XyMmLJyl4Rqk5NLt1oxg_kMSghNFC4g2QdKnji0ZBfisBnOd/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFnIkHI3ogdh37dDPodkxrkoom9O_fi-4hSZ_JxDNOmAyHk_lEEzApNDTjlCzevL-PAsI6KvxpCAchgUHuFrtewnuvq0e5XyMmLJyl4Rqk5NLt1oxg_kMSghNFC4g2QdKnji0ZBfisBnOd/s400/2.png" width="400" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" id="docs-internal-guid-03e8f1a2-41ec-2f23-ef45-d800acdc56f5" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Thanks to my co-worker and just nice guy <a href="https://twitter.com/@crashbrz" target="_blank">@crashbrz</a>, he advised me to check out IFS (eventually it helps).</span></span></span></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b><i><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><b>What is</b> <b>$IFS? </b></span></i></b></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IFS stands for Internal Field Separator - it's a character that separates fields. This variable determines how Bash recognizes fields, or word boundaries, when it interprets character strings. $IFS defaults to whitespace (space, tab, and newline), but may be changed, for example, to parse a comma-separated data file</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikZXs8JygkZIzOM0B9cpdjUJU4647Yv1F-WTRThorSKqymM-iUb3-RSIlZxE-ZK8oSGsgclJM6SKcXX_os3UKsuTAwjbIO9AHuIkg0Py3SmJ0Qx7ASSjmHNcwPsngSBbxXWHepdgV7wjS4/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikZXs8JygkZIzOM0B9cpdjUJU4647Yv1F-WTRThorSKqymM-iUb3-RSIlZxE-ZK8oSGsgclJM6SKcXX_os3UKsuTAwjbIO9AHuIkg0Py3SmJ0Qx7ASSjmHNcwPsngSBbxXWHepdgV7wjS4/s400/3.png" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Boom, now I was able to execute any command without any limitation! Despite that there was another small tricky situation - you are able to retrieve data only line by line. :) To automate the whole process you can write your own script or use Burp Suite Repeater if you are not going to retrieve a lot of information.</span></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQjOdpfb_39cUVzPB5MfdIb_q-kMuUnCb_zCf_0ao_XSJkz-VMm8UzI67xX3siT0THnGzr2q3AvvHaRRdvt2xspzmEVESJasaMYUmj5XAVA9QUANu6M4XvQlxIsgckVQ9XwWcmMkKUY75s/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQjOdpfb_39cUVzPB5MfdIb_q-kMuUnCb_zCf_0ao_XSJkz-VMm8UzI67xX3siT0THnGzr2q3AvvHaRRdvt2xspzmEVESJasaMYUmj5XAVA9QUANu6M4XvQlxIsgckVQ9XwWcmMkKUY75s/s400/4.png" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Since I’m able to read only 1st object - I need to craft a request that will allow me to retrieve other information. The request for reading 2nd object of current directory looks following:</span><span style="background-color: #eeeeee;"><i><span style="color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><i><span style="background-color: white;"> </span><span style="font-family: "courier new" , "courier" , monospace;">ls|head -2|tail -1</span></i></span></i></span></span></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">substituted with IFS variable + URL Encoded:</span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #eeeeee;"><i><span style="color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><i>ls%7chead%24IFS%2d2%7ctail%24IFS%2d1</i></span></i></span></span></span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAglBVn7iiK_Y-PwlM_n804M_oaSahUUuB6Xu-mC-RHpO0CKilSLfOcm1jZHXSDakBfANG6QZILOO25FsaKU6AHOIYXycqHOIY3UJ0wt7_NlV6jGhOzaj5oEXo_N3YmeZj7v932ThLgRKm/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAglBVn7iiK_Y-PwlM_n804M_oaSahUUuB6Xu-mC-RHpO0CKilSLfOcm1jZHXSDakBfANG6QZILOO25FsaKU6AHOIYXycqHOIY3UJ0wt7_NlV6jGhOzaj5oEXo_N3YmeZj7v932ThLgRKm/s400/5.png" width="400" /></a></div>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Reading more sensitive data:</span></span></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cat /etc/passwd → <i><span style="background-color: #eeeeee;">cat%24IFS%2fetc%2fpasswd</span></i></span></span></span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhfXelmWyDPuRyda0KPksjKm0BOZ1H_7YatABLt_JRbqXxqgNn4f9fSoHx4_nZKRMMycFf2L1QwDrbFfeFLdns_QyGMLHgw7rR5eW-ia0kSsuqlcqCaDKcPWxMj0CDbXXPl2v9kX8Mgs37/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhfXelmWyDPuRyda0KPksjKm0BOZ1H_7YatABLt_JRbqXxqgNn4f9fSoHx4_nZKRMMycFf2L1QwDrbFfeFLdns_QyGMLHgw7rR5eW-ia0kSsuqlcqCaDKcPWxMj0CDbXXPl2v9kX8Mgs37/s400/6.png" width="400" /></a></div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><i><span style="background-color: #eeeeee;"><span style="color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><i>head%24IFS%2d2%24IFS%2fetc%2fpasswd%7ctail%24IFS%2d1</i></span></span></i></span></span></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUYZjCToivrw8agdgecocAoARwNjeWmZS3qmG3maL_N2fRuW7z8VWkja5a-dhkCRU5XJPxkictrMOOXlQOJYmYkO2fMl-_pg8rUZ3NWdi8ezhp5O-xydykyivSis4wQMn6OTMtWh0JzMyZ/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUYZjCToivrw8agdgecocAoARwNjeWmZS3qmG3maL_N2fRuW7z8VWkja5a-dhkCRU5XJPxkictrMOOXlQOJYmYkO2fMl-_pg8rUZ3NWdi8ezhp5O-xydykyivSis4wQMn6OTMtWh0JzMyZ/s400/7.png" width="400" /></a></div>
</div>
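A defender-side check for the request patterns shown above, as an added example that is not part of the original post: it undoes URL encoding and the <code>$IFS</code> whitespace substitution before matching, then runs over a few constructed access-log lines (the log format, regexes and sample addresses are my assumptions).

```python
"""Flag Shellshock-style CGI requests in web-server access logs.

Added example, not from the original post. It normalizes the encoding
layers seen above (percent-encoding, $IFS instead of spaces) so that the
obfuscated payload variants are caught as well as the plain form.
"""
import re
from urllib.parse import unquote

# CVE-2014-6271 trigger: a function definition followed by trailing commands,
# smuggled into any environment variable the CGI handler exports (e.g. User-Agent).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# After normalization, reads of sensitive files such as the cat/head/tail
# commands quoted in the post.
SENSITIVE_READ_RE = re.compile(
    r"\b(?:cat|head|tail|less|more)\b.*?/etc/(?:passwd|shadow)"
)


def normalize(raw):
    """Undo the encoding layers an attacker can use to hide a payload."""
    text = raw
    # Percent-decode repeatedly so double-encoded input is handled too.
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # Bash expands $IFS / ${IFS} to whitespace; treat it the same way.
    return re.sub(r"\$\{?IFS\}?", " ", text)


def classify_request(line):
    """Return the list of findings for one access-log line (empty if clean)."""
    norm = normalize(line)
    findings = []
    if SHELLSHOCK_RE.search(norm):
        findings.append("shellshock-trigger")
    if SENSITIVE_READ_RE.search(norm):
        findings.append("sensitive-file-read")
    return findings


def scan_log(lines):
    """Map the index of each suspicious line to its findings; clean lines are omitted."""
    report = {}
    for i, line in enumerate(lines):
        findings = classify_request(line)
        if findings:
            report[i] = findings
    return report


# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Feb/2017:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Feb/2017:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; cat$IFS/etc/passwd"',
    '203.0.113.9 - - [15/Feb/2017:10:01:06 +0000] '
    '"GET /cgi-bin/status?x=head%24IFS%2d2%24IFS%2fetc%2fpasswd%7ctail%24IFS%2d1 HTTP/1.1" '
    '200 512 "-" "curl/7.50"',
]

if __name__ == "__main__":
    for idx, found in scan_log(SAMPLE_LOG).items():
        print(idx, found)
```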
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<u><b>RESULTS:</b></u>
<br />
<table cellpadding="0" cellspacing="0" style="border-collapse: collapse;"><tbody>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 13px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";"><span style="font-size: small;">Bounty</span></b></span></td><td style="border-color: transparent transparent rgb(0, 0, 0) rgb(0, 0, 0); border-style: solid; border-width: 0px 0px 1px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_ok.png" /></a></div>
</td></tr>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 14px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";">Swag</b></span></td><td style="border-color: rgb(0, 0, 0) transparent rgb(0, 0, 0) rgb(0, 0, 0); border-style: solid; border-width: 1px 0px 1px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" /></a></div>
</td></tr>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 14px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";">HoF</b></span></td><td style="border-color: rgb(0, 0, 0) transparent transparent rgb(0, 0, 0); border-style: solid; border-width: 1px 0px 0px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJED4NNSKkEKjnWrMG-Siv7oUT0bWaDTgs7YiTLhBVO_dyzKn0ndfw9E6lgFjH4qbmWNRoxdZE_OX7e6KlUpxlCimZgFys-yv4v6w9PFL9KOqKRi1kSkCLrW4adTXT91BPfZ0__HlDFZp/s1600/blog_nok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJED4NNSKkEKjnWrMG-Siv7oUT0bWaDTgs7YiTLhBVO_dyzKn0ndfw9E6lgFjH4qbmWNRoxdZE_OX7e6KlUpxlCimZgFys-yv4v6w9PFL9KOqKRi1kSkCLrW4adTXT91BPfZ0__HlDFZp/s1600/blog_ok.png" /></a></div>
</td></tr>
</tbody></table>
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Always believe in yourself and good luck.</span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Thanks for your attention.</span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Stas</span></span></div>
</div>
Stas Kravchenkohttp://www.blogger.com/profile/06193945201926933874noreply@blogger.com4tag:blogger.com,1999:blog-9133124777570981705.post-58422125280989121052016-11-01T12:18:00.001-07:002017-02-17T03:08:16.202-08:00[Yahoo] Disclosure phpinfo.php file at one of Yahoo's subdomain<div dir="ltr" style="text-align: left;" trbidi="on">
Hi there,<br />
<br />
This article is about a more trivial finding, but nonetheless the misconfiguration was previously missed by other researchers. So, I decided to share it with the public as well.<br />
As I wrote in my <a href="https://zuh4n.blogspot.com/2016/10/adobe-importance-of-up-to-date.html">previous topic</a>, all my research starts from reconnaissance of a target, and Yahoo was not an exception. When all my 'first round' custom scripts were finished, they had found ~4k subdomains for the Yahoo domain; sure thing, not all of them were alive, but still too many... Now the time had come for the 'second round' of custom scripts, one of which looks for common default files that have incorrect access permissions (e.g. phpinfo.php).<br />
<br />
In a couple of hours my script detected an accessible phpinfo.php file at one of the subdomains. My first thought was: "it's probably a false-positive detection". But no, indeed, the file was accessible at the following URL: '<span style="background-color: #eeeeee;"><i>http://druid-hist25.lh.bf1.yahoo.com/phpinfo.php</i></span>'<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7nWuLq-8hyt_pzzdD9aHRj7qEb2KWfizJ-VEjIc-iUpxC8c0VZMAPT2rIhnDzkQbp932xH8Le8IYHgTS9Tirc1V-ll9ruxpL_RWsRF3BOz6SCAoY97SgssOreZL2L5Sv1_8qVxT8d9Nm9/s1600/yahoo_php.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7nWuLq-8hyt_pzzdD9aHRj7qEb2KWfizJ-VEjIc-iUpxC8c0VZMAPT2rIhnDzkQbp932xH8Le8IYHgTS9Tirc1V-ll9ruxpL_RWsRF3BOz6SCAoY97SgssOreZL2L5Sv1_8qVxT8d9Nm9/s400/yahoo_php.jpg" width="400" /></a></div>
<br />
<span style="background-color: white;"><br /></span>
<br />
<div style="text-align: left;">
<span style="background-color: white;">Frankly speaking, I was quite surprised by this finding, because I read a lot of blogs written by other researchers, and I remembered a finding by Patrik Fehrenbach in his <a href="https://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/">blog post</a>.</span> The vulnerability is exactly the same, the target is the same, and he scanned Yahoo's whole NetRange for the accessible file. My question was "How was the file missed?". In a couple of seconds I realized that such a huge corporation should probably have other networks..</div>
The quick ping of 'druid-hist25.lh.bf1.yahoo.com' put everything into place.<br />
<span class="short_text" id="result_box" lang="en"><span class=""><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu-nvJmgeepagiXESTJEyKrkGg4laiOeiJqYEat6NzTlT28DpayMa1fkEbTLAk7iUW1kkYziICCSDfndtzS8zNOwZifGK_i1srQqiyoS-U6L1HoqJMsigTPFAnSwm7NLuB2h7rWPQAiHAk/s1600/yahoo_ping.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu-nvJmgeepagiXESTJEyKrkGg4laiOeiJqYEat6NzTlT28DpayMa1fkEbTLAk7iUW1kkYziICCSDfndtzS8zNOwZifGK_i1srQqiyoS-U6L1HoqJMsigTPFAnSwm7NLuB2h7rWPQAiHAk/s400/yahoo_ping.jpg" width="400" /></a></div>
<br />
As you may have noticed, the subdomain I found is in a different network from the one scanned by Patrik (CIDR: 98.136.0.0/14).<br />
Now I need to find out the IP range of the network which contains the IP 74.6.49.57. I did it via the <a href="http://whois.domaintools.com/">whois service</a>, and retrieved the following info:<br />
NetRange: 74.6.0.0 - 74.6.255.255<br />
CIDR: 74.6.0.0/16<br />
NetName: INKTOMI-BLK-6<br />
NetHandle: NET-74-6-0-0-1<br />
Parent: NET74 (NET-74-0-0-0-0)<br />
<br />
I dared to 'borrow' Patrik's script and follow his example: scan all 65,025 IPs. The script ran for ~2.5 days, but that's fine, thanks to my non-stop server at DigitalOcean. :) And btw, on a commercial note, I would like to recommend the DigitalOcean platform for your remote pentesting server; use my <a href="https://m.do.co/c/1be6d6c0c645">referral link</a> and get 10$ on your account.<br />
<span class="short_text" id="result_box" lang="en"><span class=""><br /></span></span>
Fortunately or unfortunately, I didn't find anything else in that IP range.<br />
<br />
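The scope check that this story turns on, as an added example that is not part of the original post: given the whois excerpt quoted above and the CIDR Patrik's scan covered, it tells you whether a newly found IP was already inside the scanned scope, which block it belongs to, and which parts of that block remain unscanned (the addresses come from the text; the function names are mine).

```python
"""Check whether a newly found host is inside netblocks that were already scanned.

Added example, not from the original post. The whois excerpt and the CIDR
below are the values quoted in the text; the function names are mine.
"""
import ipaddress
import re

# Whois record for the block containing 74.6.49.57, as quoted in the post.
WHOIS_TEXT = """\
NetRange: 74.6.0.0 - 74.6.255.255
CIDR: 74.6.0.0/16
NetName: INKTOMI-BLK-6
NetHandle: NET-74-6-0-0-1
Parent: NET74 (NET-74-0-0-0-0)
"""

# The range the earlier scan covered, as stated in the post.
PREVIOUSLY_SCANNED = ["98.136.0.0/14"]


def _net(value):
    """Accept a string or an ip_network object and return an ip_network."""
    return ipaddress.ip_network(str(value), strict=False)


def parse_whois_cidrs(text):
    """Return every network listed on a 'CIDR:' line (a record may list several, comma separated)."""
    nets = []
    for line in text.splitlines():
        match = re.match(r"\s*CIDR:\s*(.+)", line)
        if match:
            for token in match.group(1).replace(",", " ").split():
                nets.append(_net(token))
    return nets


def unscanned_parts(block, scanned):
    """Split `block` into the sub-networks that no network in `scanned` covers."""
    remaining = [_net(block)]
    for s in map(_net, scanned):
        kept = []
        for r in remaining:
            if r.subnet_of(s):        # r is fully inside a scanned range: drop it
                continue
            if s.subnet_of(r):        # the scanned range carves a hole out of r
                kept.extend(r.address_exclude(s))
            else:                     # no overlap at all
                kept.append(r)
        remaining = kept
    return sorted(remaining)


def coverage_report(ip_str, scanned_cidrs, whois_text):
    """Describe how a new IP relates to the scanned scope and to its whois block."""
    ip = ipaddress.ip_address(ip_str)
    scanned = [_net(c) for c in scanned_cidrs]
    covered_by = [str(n) for n in scanned if ip in n]
    owning = [n for n in parse_whois_cidrs(whois_text) if ip in n]
    block = owning[0] if owning else None
    return {
        "ip": str(ip),
        "already_scanned": bool(covered_by),
        "covered_by": covered_by,
        "owning_block": str(block) if block else None,
        "owning_block_size": block.num_addresses if block else 0,
        "unscanned": [str(n) for n in unscanned_parts(block, scanned)] if block else [],
    }


if __name__ == "__main__":
    print(coverage_report("74.6.49.57", PREVIOUSLY_SCANNED, WHOIS_TEXT))
```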
<u><b>RESULTS:</b></u>
<br />
<table cellpadding="0" cellspacing="0" style="border-collapse: collapse;"><tbody>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 13px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";"><span style="font-size: small;">Bounty</span></b></span></td><td style="border-color: transparent transparent rgb(0, 0, 0) rgb(0, 0, 0); border-style: solid; border-width: 0px 0px 1px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_ok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJED4NNSKkEKjnWrMG-Siv7oUT0bWaDTgs7YiTLhBVO_dyzKn0ndfw9E6lgFjH4qbmWNRoxdZE_OX7e6KlUpxlCimZgFys-yv4v6w9PFL9KOqKRi1kSkCLrW4adTXT91BPfZ0__HlDFZp/s1600/blog_nok.png" /></a></div>
</td></tr>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 14px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";">Swag</b></span></td><td style="border-color: rgb(0, 0, 0) transparent rgb(0, 0, 0) rgb(0, 0, 0); border-style: solid; border-width: 1px 0px 1px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" /></a></div>
</td></tr>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 14px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";">HoF</b></span></td><td style="border-color: rgb(0, 0, 0) transparent transparent rgb(0, 0, 0); border-style: solid; border-width: 1px 0px 0px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJED4NNSKkEKjnWrMG-Siv7oUT0bWaDTgs7YiTLhBVO_dyzKn0ndfw9E6lgFjH4qbmWNRoxdZE_OX7e6KlUpxlCimZgFys-yv4v6w9PFL9KOqKRi1kSkCLrW4adTXT91BPfZ0__HlDFZp/s1600/blog_nok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" /></a></div>
</td></tr>
</tbody></table>
<br />
<br />
Always believe in yourself and good luck.<br />
<br />
Thanks for your attention.<br />
Stas<br />
</div>
Stas Kravchenkohttp://www.blogger.com/profile/06193945201926933874noreply@blogger.com0tag:blogger.com,1999:blog-9133124777570981705.post-9973157076166357492016-10-14T03:14:00.000-07:002016-11-01T14:26:02.077-07:00[ADOBE] Importance of up-to-date application usage plus complex password OR from directory traversal to admin panel takeover.<div dir="ltr" style="text-align: left;" trbidi="on">
Hi all, well, today I would like to start my blog, and I hope I will be able to update it from time to time. Unfortunately, I am not quite eloquent, and my posts may seem a bit plain, but I'm going to improve this skill. Finally I found an interesting topic to share with the public, at least from my perspective ☺ I hope this article will be motivating and of course useful ;)<br />
<br />
<br />
<u><b>HOW DID IT START</b></u><br />
In the scope of bug bounty hunting, I perform web application penetration testing for many companies. A couple of months ago my eye fell on the Adobe program, but I got a quick response from my subconscious: ‘Come on… It’s such a famous company, hundreds of hunters have already tested them, no sense spending time on it. Forget it.’ A month later, leafing through the companies list, my eye fell on it once again, but now I asked myself: ‘Why not?’<br />
<br />
It would probably be correct to start with my approach to pentesting... In my daily work / hunting I always use the PTES methodology. In a nutshell about PTES: the Penetration Testing Execution Standard consists of seven (7) main sections. These cover everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post-exploitation, where the technical security expertise of the testers comes into play and combines with the business understanding of the engagement, and finally to the reporting, which captures the entire process in a manner that makes sense to the customer and provides the most value to it.<br />
<br />
Why do I need it, or why is it useful? Imagine that you are shooting at a target from a distance of 50m; it will be hard to hit, right? But if somebody brings it closer, up to 25m, I suppose hitting the target will be much easier. Same here: when you have multiple subdomains to test, it's much easier to find some interesting stuff.<br />
<br />
<br />
<u><b>FINDING</b></u><br />
So, the first thing that I did was reconnaissance of the target. For this purpose I used multiple DNS enumeration tools; here are a couple of them: subbrute, theharvester, etc. Well, let’s move further. During the ‘Information Gathering’ PTES phase I found that the ‘<i>lighthouse.adobe.com:8500</i>’ host on port 8500 was vulnerable to directory listing:<br />
<br />
<span id="docs-internal-guid-d8129fe9-c2a3-e348-b752-d16f67276150" style="background-color: transparent; color: black; font-family: "calibri"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="208" src="https://lh5.googleusercontent.com/Vec7DdZhZj-_BC6ym3Sth_D_11UxvJ-xryklYr3wu72jGIa9I6bKp3-dW5fVDgFVVlXi5QS5c3Xm0-gGbv89vFeJ_oEMiQTqxc-JNc-pcFpYL7DrxvtPoUa72ZkMx15lNhfOwvgPKKE9cywAug" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="384" /></span><br />
<br />
As you can see, the latest changes on this host were made on 04/04/11; it seems Adobe forgot about this site entirely.. So, there is a chance to find outdated services running. After some time of investigation I found the admin panel login page, and yes, the application running at ‘<i>lighthouse.adobe.com:8500</i>’ was outdated (the latest version of ColdFusion at the time of writing is 13):<br />
<br />
<span id="docs-internal-guid-d8129fe9-c2a4-06a3-ddb7-75af4ecaad65" style="background-color: transparent; color: black; font-family: "calibri"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="353" src="https://lh3.googleusercontent.com/JjF4Xg6y6-rIFKPycaHT8CWpjiPwwHegrYzEKzbCGVJttxTO09bM57Y-lVvCeBzaVf-cOHvwMRS9xSPz-rLgvPM5I50sxJ-LPPAIdwTJtSKV4DYi4ezO2q0xuidLCrREyU6GIY4w5EOjs2uqHQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="577" /></span><br />
<br />
The first thing that came to my mind was to check online for exploits for ColdFusion 9. As it turned out, there are plenty of them; ColdFusion 9 is vulnerable to the following security issues: DoS, information disclosure, XSS, CSRF, administrative login bypass, directory traversal, etc. That is interesting… Sure thing, my first try was to find an exploit for ‘Administrative login Bypass’; it was easy to find, and as it turned out, Metasploit already has a module for it: <span style="background-color: #eeeeee;">exploit/multi/http/coldfusion_rds.</span> Unfortunately I failed to exploit the target with this particular Metasploit module… Time to re-read the description of the exploit ☺ <br />
<blockquote class="tr_bq">
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing authentication on the admin web interface which then could lead to arbitrary code execution.</blockquote>
So, it seems the administrator disabled RDS in ColdFusion and I’m not able to use this exploit. OK, moving on: the application is still vulnerable to plenty of issues. There is one more thing, directory traversal: how can I exploit it, and are there any exploits online? Yes, here is one more exploit: <a href="https://www.exploit-db.com/exploits/14641/">https://www.exploit-db.com/exploits/14641/</a>. Run it against our target, and, voilà, we got the hash value of the admin password: 50A826CED903EFF995651D65C21B5A6F67D9616A<br />
<br />
<span id="docs-internal-guid-d8129fe9-c2a4-2616-54ac-9aad363971ab" style="background-color: transparent; color: black; font-family: "calibri"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="132" src="https://lh3.googleusercontent.com/y-m_aIhxbCHHlItWPj4LFjxaDGA8QMSZ3d936xizLaxlI7jznCBfVVpZJKga-O5Z4cNGgwnSOqxq2aVF4pKa0jzad9tuRWaCTq5yzSRoeVGU7A6d0v5OgYJ0OlwO0FxDcjmDCoZmbhbkIGDRSg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="558" /></span><br />
<br />
Judging by the size and length of the hash (40 hex characters), the password seems to be hashed with SHA-1. To crack it I will use <a href="https://hashkiller.co.uk/sha1-decrypter.aspx">https://hashkiller.co.uk/sha1-decrypter.aspx</a>. Wow, the password was successfully recovered: <span style="background-color: #eeeeee;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><b>slapstick</b></span></span></span>.<br />
<br />
<span id="docs-internal-guid-d8129fe9-c2a4-3bbe-e339-1766f7855ec4" style="background-color: transparent; color: black; font-family: "calibri"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="307" src="https://lh3.googleusercontent.com/BXzDKVntBkx860iATlqANyRNf06POkOmbUn6eh3BC085B6-tWVVnp08fEctVfVLGBmsPLngoGTzin-Asay82PIes3MpiA5HoSVDXhlIqj-wWVV_kVNHSbS3rRJ47ZEzH1DUrfAsyF2KD0xuvPQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="581" /></span><br />
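An added example that is not part of the original post, showing why that lookup worked: it guesses the algorithm from the digest length as the text does, runs a constructed wordlist against an unsalted SHA-1 the way a lookup service does, and contrasts it with salted, iterated PBKDF2 storage that such a table cannot precompute (the wordlist, iteration count and function names are my assumptions).

```python
"""Unsalted SHA-1 versus salted PBKDF2 for an admin password.

Added example, not from the original post. The wordlist and the stored
records are constructed for the demo; the iteration count is an assumption.
"""
import hashlib
import hmac
import os

# Hex digest length -> likely algorithm, the heuristic the post applies.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def guess_hash_algorithm(hex_digest):
    """Map a hex digest to a likely algorithm by length; None if it is not a plain hex digest."""
    if not hex_digest or any(c not in "0123456789abcdefABCDEF" for c in hex_digest):
        return None
    return DIGEST_LENGTHS.get(len(hex_digest))


def lookup_unsalted(hex_digest, wordlist):
    """Recover a plaintext by hashing each candidate, which is what a lookup table precomputes."""
    algo = guess_hash_algorithm(hex_digest)
    if algo is None:
        return None
    target = hex_digest.lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


# Hardened storage: a random per-record salt plus many PBKDF2 iterations,
# so equal passwords give different records and no table can be precomputed.
PBKDF2_ITERATIONS = 200_000  # assumption for the demo; tune to your hardware


def store_password(password, salt=None):
    """Return a record {salt, hash, iterations} safe to keep in a config or database."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password, record):
    """Recompute the PBKDF2 hash with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


# Constructed wordlist standing in for the dictionary a lookup service holds.
WORDLIST = ["password", "admin", "slapstick", "coldfusion", "letmein"]


def demo():
    """Contrast the two storage schemes on the same dictionary word."""
    # Unsalted SHA-1 of a dictionary word: found instantly by a lookup.
    weak = hashlib.sha1(b"slapstick").hexdigest()
    recovered = lookup_unsalted(weak, WORDLIST)
    # Salted PBKDF2 of the same word, stored twice: the records differ, so a
    # lookup keyed on the hash alone fails, while verification still works.
    rec_a = store_password("slapstick")
    rec_b = store_password("slapstick")
    return {
        "weak_algorithm": guess_hash_algorithm(weak),
        "weak_recovered": recovered,
        "records_differ": rec_a["hash"] != rec_b["hash"],
        "verify_ok": verify_password("slapstick", rec_a),
        "verify_wrong": verify_password("Slapstick", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```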
<br />
<br />
<u><b>POST-EXPLOITATION:</b></u><br />
Being an ethical hacker, my work here is over; I will not harm the server. I just notified the Adobe security team regarding this breach. It was the fastest ever report triage (~1.5 min)<br />
<br />
<span id="docs-internal-guid-d8129fe9-c2a4-593b-73ef-a098779a3530" style="background-color: transparent; color: black; font-family: "calibri"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="137" src="https://lh6.googleusercontent.com/gMukHBW1dEMMpmJMS8nxwwlgfa4qR8mMCXn0L-fx2RDlLwjgoqOrnBy9i53ZF2zAs4pnD-jr0jSEIowsUp6JsIA5p9vQgGVfj2-CfPPsMO2RAdRAQ8VQOg_cJLIc851j3UeK5y9w9hBDkg_X3Q" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="548" /></span><br />
<br />
About the fix, I can’t say much, because Adobe just turned off the application running on port 8500.<br />
<br />
<br />
<u><b>CONCLUSION:</b></u><br />
Two ridiculous things that I found here:<br />
- Adobe, the owners of the ColdFusion Application Server, were running an out-of-date version;<br />
- The complexity of the password was poor for such a company.<br />
<br />
<br />
<b><u>RESULTS:</u></b><br />
In 3 days of penetration testing against Adobe, I was able to find:<br />
- Admin panel takeover;<br />
- 4 Stored XSS;<br />
- 6 Directory Listings;<br />
- 1 sensitive world-accessible config file;<br />
- E-Mail Content Spoofing;<br />
- 4 other minor server misconfigurations.<br />
<br />
I suppose more interesting things could be found, but to my big disappointment, Adobe doesn’t have any monetary rewards.. But still, that is a great start for me, since now you can find my name on their <a href="https://helpx.adobe.com/security/acknowledgements.html">acknowledgement web-page</a><br />
<br />
<table cellpadding="0" cellspacing="0" style="border-collapse: collapse;"><tbody>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 13px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";"><span style="font-size: small;">Bounty</span></b></span></td><td style="border-color: transparent transparent rgb(0, 0, 0) rgb(0, 0, 0); border-style: solid; border-width: 0px 0px 1px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" /></a></div>
</td></tr>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 14px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";">Swag</b></span></td><td style="border-color: rgb(0, 0, 0) transparent rgb(0, 0, 0) rgb(0, 0, 0); border-style: solid; border-width: 1px 0px 1px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyp7hyphenhyphenpjXzY7e7rT0nlSreWWPpFg7RL8L41fLzdsifc8jT7KiuubTywHkvLwwRavdnejI4u_fU-FeNg6pUaBEdWEgZ5siBCefHtD1xCG7z__ZFjVXgA_4ldFK6jJ5175Ehsxk_e4cfuZke/s1600/blog_nok.png" /></a></div>
</td></tr>
<tr><td style="border-color: transparent rgb(0, 0, 0) transparent transparent; border-style: solid; border-width: 0px 1px 0px 0px; height: 14px; padding: 8px 0px 0px 4px; width: 66px;" valign="top"><span style="font-size: small;"><b style="font-family: "helvetica";">HoF</b></span></td><td style="border-color: rgb(0, 0, 0) transparent transparent rgb(0, 0, 0); border-style: solid; border-width: 1px 0px 0px 1px; height: 13px; padding: 0px; width: 27px;" valign="top"><div style="font-family: Helvetica; font-size: 12px; font-stretch: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJED4NNSKkEKjnWrMG-Siv7oUT0bWaDTgs7YiTLhBVO_dyzKn0ndfw9E6lgFjH4qbmWNRoxdZE_OX7e6KlUpxlCimZgFys-yv4v6w9PFL9KOqKRi1kSkCLrW4adTXT91BPfZ0__HlDFZp/s1600/blog_ok.png" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSJED4NNSKkEKjnWrMG-Siv7oUT0bWaDTgs7YiTLhBVO_dyzKn0ndfw9E6lgFjH4qbmWNRoxdZE_OX7e6KlUpxlCimZgFys-yv4v6w9PFL9KOqKRi1kSkCLrW4adTXT91BPfZ0__HlDFZp/s1600/blog_ok.png" /></a></div>
</td></tr>
</tbody></table>
<br />
<u><b>REFERENCES:</b></u><br />
Unfortunately, I found this presentation after all my research, but I guess it will be useful to leave it here: <a href="http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf">http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf</a><br />
<br />
Always believe in yourself and try, even against such huge and famous companies. <br />
<br />
Good luck! :)<br />
<br />
Thanks for your attention.</div>
Stas Kravchenkohttp://www.blogger.com/profile/06193945201926933874noreply@blogger.com1