By Anna Hammond
November 25, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 15 to 22 November.
12 Cisco bugs, 200 most common passwords, Weird bounties & SAD DNS
Getting Organised: Making a //TODO list
Hacking 1Password | Episode 3 – Decrypting the data without Crypto Knowledge
@InsiderPhD shares the tools and time management techniques that allow her to get so much done as a PhD student, YouTuber and bug bounty hunter. If you’d like more hours in the day (who doesn’t?), you’ll probably find this insightful.
In the second video, @ngalongc continues his series on hacking 1Password. It is helpful to see his method for breaking down such a complex topic (decrypting the requests and responses of the 1Password app).
ImageMagick – Shell injection via PDF password
Apache Unomi CVE-2020-13942: RCE Vulnerabilities Discovered & CVE-2020-13942 POC
Exploiting dynamic rendering engines to take control of web apps ($5,000)
Firefox: How a website could steal all your cookies & CVE-2020-15647 PoC (Mozilla, $5,000)
The first writeup is about OS command injection in ImageMagick. The payload is injected in the password passed with the “-authenticate” command line parameter to encrypt the PDF.
The second writeup is about two RCEs in Apache Unomi that got the maximum CVSS score of 10! I have a feeling some bug hunters are busy testing for “/context.json”…
The third writeup presents fantastic research on vulnerabilities in Web apps that use dynamic rendering engines. Everything is well explained, from what they are and how to identify them in black box testing to finding vulnerabilities and exploiting them.
The fourth finding is fixed, but it is very interesting for anyone who wants to see a real-life Android app vulnerability involving content providers, intents and the SOP.
Privileged Container Escape – Control Groups release_agent
Real-life OIDC Security
The first article by @ajxchapman is about escaping privileged Docker containers to execute arbitrary commands on the container host. It is based on past work by @_fel1x. Pretty interesting for anyone who is into hacking CI/CD systems and containers!
The second article is the introduction to a seven-post series on OpenID Connect and Single Sign-On security. It includes analysis of several implementations and attack patterns, and examples of bugs reported to five vendors. Great research by _lauritz_ as part of his master’s thesis.
This is huge! Assetnote launched this collection of wordlists for asset and content discovery (DNS bruteforce, API routes, GET parameters, subdomains…). Some are automatically updated each month using Commonspeak2 and GitHub Actions, while others are curated manually.
The wordlists are cleaned with clean_wordlist.sh, a script suggested by @BonJarber to remove noise. It is worth checking out too if you want to curate your own wordlists.
Webscan is a browser-based internal network scanner by @samykamkar. Just by visiting a Web page, it uses WebRTC to detect your LAN IP addresses and any live hosts on your network. Mindblowing and dangerous if combined with other vulnerabilities such as NAT Slipstreaming!
CTFNote is a must for CTF players. It allows you to keep track of the CTFs you’re playing and who is available to participate or not, to assign tasks to team members, to share notes, etc. This makes collaboration easier and would be nice to have for bug bounty too.
BitK Talks about CTFNote, GoogleCTF Finals, CTF Tools, Hacker Mindset and more!
Stealing your Github code with malicious YAML file – Bug Bounty Reports Explained
Discovering Email Addresses (OSINT) & Hunting Usernames and Accounts (OSINT)
The InfoSec & OSINT Show 34 – John Strand & Moving Beyond 0-Days
Security Now: SAD DNS – Malicious Android Apps, Ransomware-as-a-Service
Creative Mindsets, Reaching Goals, & Encouraging Accountability – BSW #197
Krebs Fired at CISA, DNS Is Not Your Friend, & ‘Stone Panda’ – Wrap Up – SWN #84
IoT Cybersecurity Improvement Act, TCL Smart TV Flaw, & Popping Reverse Shells – PSW #675
Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes with Semgrep with Clint Gibler
Accelerate Your Career By Building FIVE Critical Professional Skills – SANS@Mic
Pen Test HackFest Summit – Cloud Penetration Testing Workshop
Purgalicious VBA: Macro Obfuscation With VBA Purging & OfficePurge
Exploits in The Attic – Visiting Forgotten Metasploit Modules
Cisco pre-auth RCEs #Web
Windows RpcEptMapper Service Insecure Registry Permissions EoP #Windows #LPE
CVE-2020-16995: Microsoft Azure Network Watcher Linux Extension EoP #LPE
Microsoft Teams For macOS Local Privilege Escalation #Windows #LPE
Turning Blind Error Based SQL Injection into Exploitable Boolean One
@bugraeskici’s bug reports to Automattic (Automattic, $3,100)
Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events (Shopify, $800)
Access token stealing. (PlayStation, $1,200)
Authorization Token on PlayStation Network Leaks via postMessage function (PlayStation, $1,000)
See more writeups on The list of bug bounty writeups.
Urlhunter: Recon tool that allows searching for URLs exposed via shortener services (using URLTeam data)
exclude-cdn: Wraps projectdiscovery’s cdncheck library to exclude CDN hosts from input passed over stdin
403Bypasser: Burpsuite Extension to bypass 403 restricted directory
Phonerator: A search engine that allows you to provide a few digits and generate a list of possible valid phone numbers for #OSINT
Nimplant & Implant Roulette Part 1: Nimplant: A cross-platform implant written in Nim
Goshs: A SimpleHTTPServer written in Go, enhanced with features and with a nice design
Advent of Cyber: Start on December 1st
Project Resonance Wave 1: Internet-Wide Analysis of Subdomain Takeover & Top vulnerable subdomain names
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Facebook: Marking the 10th Anniversary of Our Bug Bounty Program
Bugcrowd Platform Updates: Portfolio Accounts And Security Settings & Introducing Our New Researcher Dashboard!
Porchetta Industries / byt3bl33d3r is partnering up with Kali Linux
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/15/2020 to 11/22/2020.