Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from December 13 to 20.
Last Bug Bytes of the year
This is the last Bug Bytes of the year as I am taking a week off to recharge. The next issue will be in the first week of January 2022.
Our favorite 5 hacking items
1. Articles of the week
Bring Your Own SSRF – The Gateway Actuator
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
@wdahlenb investigated the Spring Boot Gateway actuator (aka ‘/actuator/gateway’) and shares all the details: how the actuator works, why it could be exploited for SSRF and Denial of Service, and why other bug hunters seem to have missed it.
The second article is of an entirely different kind. It is a breakdown by Google’s Project Zero of FORCEDENTRY, the infamous NSO zero-click iMessage RCE.
The exploit is sent as a GIF that hides a PDF which uses JBIG2 (an old compression algorithm) to build a virtual CPU. Incredible.
2. Writeup of the week
Flickr Account Takeover (Flickr, $7,550)
@_lauritz_ found weaknesses in Flickr’s implementation of OpenID Connect, and was able to exploit them to take over any account without user interaction. The writeup details everything and makes for a great read if you are interested in authentication vulnerabilities.
3. Tutorial of the week
Why is Exposing the Docker Socket a Really Bad Idea?
Why does an exposed Docker socket on Linux grant root access to the host?
If this question tickles your curiosity, you will probably enjoy this very detailed and well-written article.
4. Tips of the week
Hashing a URL in Java triggers a DNS lookup, and this has been weaponized to exploit Java deserialization bugs
Enumerating Files Using Server Side Request Forgery and the request Module (via @Agarri_FR)
I read in a Twitter thread that hashing a URL in Java triggers a DNS lookup as part of the hash function. All comments said that this is a really bad “won’t fix” bug, but I couldn’t understand why… until I saw @aaditya_purani’s explanation.
The DNS lookups triggered by hashing URLs can be used to detect and exploit insecure deserialization bugs (see Triggering a DNS lookup using Java Deserialization for details).
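To see the behaviour behind this tip for yourself, here is an added example (my own code, not from the newsletter or the linked thread). It puts a `java.net.URL` into a `HashSet`, which calls `URL.hashCode()`; that method delegates to `URLStreamHandler.hashCode()`, which resolves the host with `InetAddress.getByName()` before hashing. The same thing happens when a serialized `HashMap` with a `URL` key is deserialized, because `HashMap.readObject()` rehashes every key. The class name and the hostname `probe-token.invalid` are assumptions of the example; `.invalid` is a reserved TLD, so the lookup always fails and the program runs offline. The defensive point is the second method: `java.net.URI` hashes its string components only, so it is the type to use in hash-based collections and in anything you deserialize.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.HashSet;
import java.util.Set;

public class UrlHashDemo {

    // Hypothetical host: ".invalid" is reserved (RFC 2606), so resolution
    // always fails and the example never reaches a real server.
    private static final String TARGET = "http://probe-token.invalid/";

    // Hashes a java.net.URL and returns the elapsed time in milliseconds.
    // HashSet.add() calls URL.hashCode(), which calls
    // URLStreamHandler.hashCode() -> InetAddress.getByName(host):
    // a real DNS query is attempted on first use.
    static long hashUrl() throws MalformedURLException {
        Set<URL> set = new HashSet<>();
        long start = System.nanoTime();
        set.add(new URL(TARGET));   // triggers the DNS lookup
        return (System.nanoTime() - start) / 1_000_000;
    }

    // Same operation with java.net.URI: hashCode() is computed from the
    // scheme/host/path strings only, so no network traffic at all.
    static long hashUri() {
        Set<URI> set = new HashSet<>();
        long start = System.nanoTime();
        set.add(URI.create(TARGET));
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("URL.hashCode() took " + hashUrl()
                + " ms (DNS resolution attempted for " + TARGET + ")");
        System.out.println("URI.hashCode() took " + hashUri()
                + " ms (no resolution)");
    }
}
```

Run it while watching DNS traffic (for example `tcpdump -i any port 53`) and you will see a query for `probe-token.invalid` during the first call and nothing during the second. From a detection standpoint, the same signal is what a DNS-based canary relies on: a Java application server resolving hostnames it has no business contacting is worth an alert, and DNS logs are the place to look for it.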
Another old trick that I’ve just discovered is that the Request Node.js module supports a special URL format, http://unix:PATH-TO-FILE, that returns different errors if the file exists or not.
So, if you find an SSRF in a Node.js app that uses Request, this behavior can be used to enumerate files on the remote file system.
5. Vulnerabilities of the week
CVE-2021-45046, CVE-2021-4104 & CVE-2021-45105 (new Log4j CVEs)
Last week, I mentioned that the original Log4Shell bug had a bypass that was a Denial of Service. It turned out to also be an RCE. There is also a new Log4j Denial of Service vulnerability, which brings us to a total of four bugs:
CVE-2021-44228 is the most critical since it is the only one that applies to the default configuration.
To help make sense of all the new related resources, here are some that I found particularly interesting or creative:
For more, take a look at pentesterland/Log4Shell.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- dns-exfil: Custom DNS logger that can be used for exfiltration (e.g. when testing for Log4Shell)
- WhoEnum: Mass querying whois records
- AD Enum: Python tool to find misconfigurations via LDAP and exploit some of those weaknesses with kerberos
- Reverse Shell Generator & Intro: Bash script to generate reverse shells
- Oh365 User Finder: Python3 o365 User Enumeration Tool
Misc. pentest & bug bounty resources
Bug bounty & Pentest news