Bug Bytes #78 – BIG-IP RCE, Azure account takeover & Hunt scanner is back!

bugbytes-78

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 26 of June to 03 of July.

Our favorite 5 hacking items

1. Resource of the week

Cloud-ranges

Cloud-ranges is a collection of IP ranges owned by cloud providers (AWS, Azure, GCP, Godaddy, Linode, Rackspace…). The script used to pull this information is run everyday by @pry0cc, and the repo updated. So helpful for internet scanning research!

2. Writeups of the week

Taking over Azure DevOps Accounts with 1 Click (Microsoft, $3,000)

Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text ($2,500)

The first bug is a 1-click account takeover of Azure DevOps accounts. @seanyeoh intiallty found a subdomain takeover that didn’t seem that critical. Except that he could exploit it to steal tokens used in another subdomain’s authentication flow.

Lesson learned: Subdomain takeovers can not only be used to capture emails (by setting MX records) or create valid SSL certificates, but also to bypass whitelists in redirection parameters of authentication flows, and steal sensitive tokens.

The second finding is also pretty interesting. It is an SSRF exploiting Zimbra with memcached exposed. By changing the backend server IP in cache, @YShahinzadeh was able to redirect server traffic, perform a MiTM attack and steal credentials.

3. Tools of the week

Hunt Scanner

Bat

HUNT is an excellent Burp extension. It had only one fault: it did not work with Burp 2.0. This is not an issue anymore thanks to @OptionalValue who rewrote it for the current version of Burp.

The other tool I was really glad to discover this week is Bat. I wish I knew about it sooner because it truly is an upgrade of cat. It adds color, syntax highlighting for several programming and markup languages, shows non-printable characters, uses less for large files by default, plus lots of other cool features.

4. Tutorials of the week

Using SQL Injection to perform SSRF/XSPA attacks

Weaponizing favicon.ico for BugBounties , OSINT and what not , FavFreak & get-shodan-favicon-hash.py

The first article shows in detail how to leverage SQL injection to perform SSRF/XSPA. This is a fantastic ideas as it can help increase the impact of a SQL injection, and move from attacking the database to attacking cloud services (e.g. fetching sensitive metadata).

The second tutorial is also a nice technique to add to your recon arsenal. It is about using favicon.ico hashes for assets enumeration, with a Python script to automate the process.

5. News / Vulnerabilities of the week

RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence (includes PoCs) & How to find F5 BIG-IP instances

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication, Additional info by author & CVE-2020-2021: Post Exploit Analysis

It is not everyday that a vulnerability so serious comes up and makes bug hunters stop anything they are doing to check it out. This week brought up not only one but two bugs of this kind.

The first one is an RCE on F5 BIG-IP. The initial advisory didn’t disclose much, but it was reverse engineered and different Proofs of Concepts were published. The second bug is an SAML authentication bypass on PAN-OS (Palo Alto Networks). It was also reverse engineered, but the PoC developed by Randori is not public yet.

CVE-2020-5902 and CVE-2020-2021 dominated hacker conversations on Twitter. They are worth analyzing given their impact and how widespread is the affected software. But remember to give bug bounty programs some time to patch, before starting to test for and report such n-day vulnerabilities. A lot of programs mention this in their rules anyway!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Browsertunnel: A tool for exfiltrating data from the browser using the DNS protocol
  • PUFF: Simple clientside vulnerability fuzzer, powered by puppeteer
  • DumpCN: A simple script that reads a list of domains (starting with https:// or not) from standard input, grabs the certificate and prints the CN
  • Takemeon & Intro: nxdomain subdomain enumeration. Helps in scaling the automation. Currently, it only helps to resolve the nxdomain if possible
  • Behave!: A monitoring browser extension for pages acting as bad boys. Warns if a Web page performs port scanning, access to private IPs or DNS rebinding attacks
  • TrashEmail: A hosted disposable email telegram bot
  • Psalm & Intro: Vimeo’s static analysis tool for finding errors in PHP applications
  • OFJAAAH: Automated recon script
  • FileSearcher & Intro: Unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough
  • bof-NetworkServiceEscalate: Sample “Beacon Object File” (COFF really?) created with Mingw-w64 & Makefile : Can be used as a “getsystem” or to escalate to SYSTEM from NetworkService using Forshaw’s shared logon session issue
  • SpoolSystem: A CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges
  • Leonidas: Automated Attack Simulation in the Cloud, complete with detection use cases

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/26/2020 to 07/03/2020.