Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 26 June to 3 July.
Our favorite 5 hacking items
1. Resource of the week
Cloud-ranges is a collection of IP ranges owned by cloud providers (AWS, Azure, GCP, Godaddy, Linode, Rackspace…). The script used to pull this information is run every day by @pry0cc, and the repo is updated accordingly. So helpful for internet scanning research!
2. Writeups of the week
Taking over Azure DevOps Accounts with 1 Click (Microsoft, $3,000)
Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text ($2,500)
The first bug is a 1-click account takeover of Azure DevOps accounts. @seanyeoh initially found a subdomain takeover that didn’t seem that critical. Except that he could exploit it to steal tokens used in another subdomain’s authentication flow.
Lesson learned: subdomain takeovers can be used not only to capture emails (by setting MX records) or create valid SSL certificates, but also to bypass whitelists in the redirection parameters of authentication flows and steal sensitive tokens.
The second finding is also pretty interesting. It is an SSRF exploiting Zimbra with memcached exposed. By changing the backend server IP in the cache, @YShahinzadeh was able to redirect server traffic, perform a MitM attack and steal credentials.
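The subdomain-takeover lesson above comes down to how the redirect parameter is validated. The following added example (my own code, not from the write-up or from Azure DevOps) puts a suffix-based whitelist, which any dangling subdomain under the org domain satisfies, next to an exact-match check against registered redirect targets; the domain, registered URIs and candidate URLs are all constructed.

```python
from urllib.parse import urlsplit

ORG_SUFFIX = ".example.com"           # assumed organisation domain

# Assumed exact redirect targets registered by the application.
REGISTERED_REDIRECTS = {
    ("https", "app.example.com", "/auth/callback"),
    ("https", "portal.example.com", "/oauth/return"),
}

def weak_redirect_check(url: str) -> bool:
    """Suffix whitelist: any host under the org domain passes, including a
    dangling subdomain that a third party can claim (the pattern in the write-up)."""
    host = urlsplit(url).hostname or ""
    return host.endswith(ORG_SUFFIX)

def strict_redirect_check(url: str) -> bool:
    """Exact match on (scheme, host, path): a taken-over subdomain is never in
    the registered set, and a plaintext downgrade is rejected as well."""
    p = urlsplit(url)
    return (p.scheme, p.hostname or "", p.path) in REGISTERED_REDIRECTS

# Constructed candidate redirect_uri values and the verdict we want for each.
CANDIDATES = {
    "https://app.example.com/auth/callback": True,
    "https://old-cdn.example.com/auth/callback": False,   # dangling subdomain
    "http://app.example.com/auth/callback": False,        # plaintext downgrade
    "https://app.example.com.attacker.test/auth/callback": False,
}

def evaluate(check) -> dict:
    """Run a checker over every candidate; compare the result with CANDIDATES."""
    return {url: check(url) for url in CANDIDATES}
```

Only the strict checker reproduces the wanted verdicts; the suffix check lets the dangling subdomain and the http downgrade through.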
3. Tools of the week
HUNT is an excellent Burp extension. It had only one fault: it did not work with Burp 2.0. This is not an issue anymore thanks to @OptionalValue who rewrote it for the current version of Burp.
The other tool I was really glad to discover this week is Bat. I wish I had known about it sooner, because it truly is an upgrade of cat. It adds color, syntax highlighting for several programming and markup languages, shows non-printable characters, uses less for large files by default, plus lots of other cool features.
4. Tutorials of the week
Using SQL Injection to perform SSRF/XSPA attacks
Weaponizing favicon.ico for BugBounties, OSINT and what not, FavFreak & get-shodan-favicon-hash.py
The first article shows in detail how to leverage SQL injection to perform SSRF/XSPA. This is a fantastic idea, as it can help increase the impact of a SQL injection and move from attacking the database to attacking cloud services (e.g. fetching sensitive metadata).
The second tutorial is also a nice technique to add to your recon arsenal. It is about using favicon.ico hashes for asset enumeration, with a Python script to automate the process.
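The favicon hash that Shodan indexes (and that get-shodan-favicon-hash.py looks up) is MurmurHash3 computed over the line-wrapped base64 of the icon bytes. The following added example, my own code and not that of the linked tools, reimplements that hash in pure Python so you can fingerprint your own inventory and see which assets a favicon-hash search would group together; the hostnames and icon bytes are constructed.

```python
import base64

MASK32 = 0xFFFFFFFF

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (unsigned), the function behind mmh3.hash()."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                      # 0 to 3 leftover bytes
    if tail:
        k = int.from_bytes(tail, "little")
        h ^= (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
    h ^= len(data)                                 # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h

def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash value: mmh3 over the line-wrapped base64
    of the icon bytes (76-char lines, trailing newline), as a signed int."""
    h = murmur3_32(base64.encodebytes(favicon))
    return h - (1 << 32) if h & 0x80000000 else h

def group_hosts_by_favicon(inventory: dict) -> dict:
    """Map favicon hash -> hosts so you can see which of your own assets share
    a fingerprint (and would be found together by a favicon-hash search)."""
    groups = {}
    for host, icon in inventory.items():
        groups.setdefault(shodan_favicon_hash(icon), []).append(host)
    return groups

# Constructed stand-in icons (not real favicons); two hosts serve the same one.
SAMPLE_INVENTORY = {
    "vpn.example.com": b"\x00\x00\x01\x00" + b"\x11" * 40,
    "vpn2.example.com": b"\x00\x00\x01\x00" + b"\x11" * 40,
    "www.example.com": b"\x00\x00\x01\x00" + b"\x22" * 40,
}
```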
5. News / Vulnerabilities of the week
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence (includes PoCs) & How to find F5 BIG-IP instances
CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication, Additional info by author & CVE-2020-2021: Post Exploit Analysis
It is not every day that a vulnerability so serious comes up and makes bug hunters stop whatever they are doing to check it out. This week brought not one but two bugs of this kind.
The first one is an RCE on F5 BIG-IP. The initial advisory didn’t disclose much, but it was reverse engineered and several proofs of concept were published. The second bug is a SAML authentication bypass on PAN-OS (Palo Alto Networks). It was also reverse engineered, but the PoC developed by Randori is not public yet.
CVE-2020-5902 and CVE-2020-2021 dominated hacker conversations on Twitter. They are worth analyzing given their impact and how widespread the affected software is. But remember to give bug bounty programs some time to patch before starting to test for and report such n-day vulnerabilities. A lot of programs mention this in their rules anyway!
Other amazing things we stumbled upon this week
Webinars & Webcasts
- SANS webinars (require free registration)
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- How I hacked a bank their application using it for hacking another bank company — 10K XSS ($10,000)
- Story of stealing mail conversation, contacts in mail.ru and myMail iOS applications via XSS (Mail.ru, $1,000)
- Patched Zoom Exploit: Altering Camera Settings via Remote SQL Injection (Zoom, $3,000)
- ZombieVPN, Breaking That Internet Security & Repo (Bitdefender & AnchorFree)
- Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run (Symbol) #CodeReview
- Mozilla sites vulnerable to HTTP Desync attacks
- Create any military unit in any age (InnoGames, $1,100)
- Keybase client (Windows 10): Write files anywhere in userland using relative path in “download attachement” feature (Keybase, $5,000)
- Tricking the “Create snippet” feature into displaying the wrong filetype can lead to RCE on Slack users (Slack, $1,500)
- Spoofing the redirect process using RTLO (Vanilla, $150)
- Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages (Starbucks, $500)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Browsertunnel: A tool for exfiltrating data from the browser using the DNS protocol
- PUFF: Simple clientside vulnerability fuzzer, powered by puppeteer
- DumpCN: A simple script that reads a list of domains (starting with https:// or not) from standard input, grabs the certificate and prints the CN
- Takemeon & Intro: nxdomain subdomain enumeration. Helps in scaling the automation. Currently, it only helps to resolve the nxdomain if possible
- Behave!: A monitoring browser extension for pages acting as bad boys. Warns if a Web page performs port scanning, access to private IPs or DNS rebinding attacks
- TrashEmail: A hosted disposable email telegram bot
- Psalm & Intro: Vimeo’s static analysis tool for finding errors in PHP applications
- OFJAAAH: Automated recon script
- FileSearcher & Intro: Unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough
- bof-NetworkServiceEscalate: Sample “Beacon Object File” (COFF really?) created with Mingw-w64 & Makefile : Can be used as a “getsystem” or to escalate to SYSTEM from NetworkService using Forshaw’s shared logon session issue
- SpoolSystem: A CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges
- Leonidas: Automated Attack Simulation in the Cloud, complete with detection use cases
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/26/2020 to 07/03/2020.