By Anna Hammond
October 13, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 4 to 11.
4 Weird Google VRP Bugs in 40 Minutes – Hacktivity 2021
@xdavidhu talks about four vulnerabilities he found in Google products. This is a great watch if you like weird but very creative bugs (or video over written writeups).
Compass Security researchers discovered a padding oracle vulnerability in the SAML login flow of ArcGIS. They were able to decrypt an encrypted assertion, then use an XSW4 attack together with the oracle to re-encrypt it and log in as other users.
Apache advisory for CVE-2021-42013
Remember last week’s CVE-2021-41773, a zero-day path traversal in Apache HTTP Server? It turns out it is also an RCE if mod_cgi is enabled, and the fix was incomplete, which led to CVE-2021-42013. Here is a meme that sums it up, a Docker Playground and a couple of new PentesterLab exercises to practice on, as well as a Nuclei template for CVE-2021-42013 for automation.
Use an array to bruteforce OTP without triggering rate limiting
HTTP header bruteforce
@EnesSaltk7 shared a creative idea that allowed them to bypass email verification and that could be useful in other contexts too. They replaced the email verification code (passed via JSON POST data) with an array of codes. This turns one request into a bruteforce of many codes at once, without triggering rate limiting.
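On the server side, the array trick works whenever the verification handler compares the submitted value without first checking that it is a single string, and charges the rate limiter one attempt per request rather than per code compared. The following is an added example (not from the newsletter or from @EnesSaltk7's report) with a vulnerable verifier next to a hardened one. The JSON field name `otp`, the 6-digit code format, the attempt limit and the expected code are all assumptions made for the illustration; the vulnerable pattern is one plausible way the bug can arise, not a claim about the affected application.

```python
import hmac
import json


class OtpVerifier:
    """Holds one user's pending verification code and attempt counter."""

    def __init__(self, expected_code: str, max_attempts: int = 5) -> None:
        self.expected = expected_code      # assumed 6-digit code
        self.max_attempts = max_attempts   # assumed per-user attempt budget
        self.attempts = 0

    def verify_naive(self, body: str) -> bool:
        """Vulnerable pattern (assumed): the check was written for a string
        value and uses `in` to tolerate surrounding whitespace.  If the
        client sends a JSON array instead, `in` silently becomes a
        membership test over every element, so one request tries N codes
        while the attempt counter moves by one."""
        if self.attempts >= self.max_attempts:
            return False
        self.attempts += 1
        submitted = json.loads(body).get("otp", "")
        return self.expected in submitted

    def verify_hardened(self, body: str) -> bool:
        """Charge the attempt before looking at the value, then accept only
        a single well-formed string and compare it in constant time.  An
        array, object, number or malformed string is rejected outright."""
        if self.attempts >= self.max_attempts:
            return False
        self.attempts += 1
        submitted = json.loads(body).get("otp")
        if not isinstance(submitted, str):
            return False
        if len(submitted) != 6 or not submitted.isdigit():
            return False
        return hmac.compare_digest(submitted, self.expected)


def run_demo() -> dict:
    """Send a constructed batch of 1000 codes to both verifiers and report
    whether each accepted it and how many attempts it charged."""
    batch = json.dumps({"otp": [f"{n:06d}" for n in range(1000)]})
    naive = OtpVerifier("000482")
    hardened = OtpVerifier("000482")
    return {
        "naive_accepted_batch": naive.verify_naive(batch),
        "naive_attempts_charged": naive.attempts,
        "hardened_accepted_batch": hardened.verify_hardened(batch),
        "hardened_attempts_charged": hardened.attempts,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two checks that matter are the `isinstance(submitted, str)` gate, which refuses anything the JSON parser produced other than one string, and counting the attempt before the comparison so that a rejected request still consumes budget. A request log that shows a list where a scalar is expected is also an easy thing to alert on.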
Another handy tip, by @nnwakelam, is to bruteforce custom HTTP headers like x-FUZZ and x-FUZZ-internal. Also, keep an eye on response lengths and status codes, as they may indicate that you have found valid headers.
Ghostinthepdf is a tool that embeds GhostScript exploits into PDF files in a way that bypasses signature checks. It can be used first to detect that a target is actually using GhostScript for PDF processing, then to run exploits against it.
Also, if you haven’t seen @emil_lerner’s previous work on GhostScript, it is worth checking out to see the type of vulnerabilities that he found with this tool.
Another helpful tool is @lmpact_l’s reFlutter, a framework for reverse engineering Flutter apps. It can be used to repack Flutter apps and make them trust installed certificates, so you can intercept their traffic (without root).
Day[0]: SharePoint RCE & an Apache Path Traversal [Bounty Hunting Podcast]
Radio Hack Ep6: Offensive Security – Mohammad Askar (in Arabic)
Hunting for Prototype Pollution and it’s vulnerable code on JS libraries
Never put AWS temporary credentials in the credentials file (or env vars)—there’s a better way
Persistence Through Service Workers—part 1: Introduction And Target Application Setup & Part 2: C2 Setup And Use
Practical strategies for exploiting FILE READ vulnerabilities
DNS Records and Record Types: Some Commonly Used, and Some You Might Not Know About
Testing Methodology for Insecure Deserialization Vulnerability
SnykCon CTF – “Invisible Ink” Prototype Pollution, Sauerkraut – Python Pickle Vulnerabilities & “Random Flag Generator” Weak PRNG Seed
Reverse engineering and decrypting CyberArk vault credential files #Crypto
Misconfigured Airflows Leak Thousands of Credentials from Popular Services #Web
23andMe’s Yamale Python code injection, and properly sanitizing eval() #Web
Swimming Upstream: Uncovering Broadcom SDK Vulnerabilities from Bug Reports. #MemoryCorruption
Accessing Apple’s internal UAT Slackbot for fun and non-profit (Apple)
[EN] Stored XSS in the administrator’s panel due to misuse of MarkupSafe (pass Culture)
Zero-Day: Hijacking iCloud Credentials with Apple Airtags (Stored XSS) (Apple)
CVE-2021-26420: Remote Code Execution In Sharepoint Via Workflow Compilation (Microsoft)
Improper Validation at Partners Login (Zomato, $2,000)
See more writeups on The list of bug bounty writeups.
vCenter SAML Login Tool & Intro: A tool to extract the IdP cert from vCenter backups and log in as Administrator
ReDoSHunter & Paper: A Combined Static and Dynamic Approach for Regular Expression DoS Detection
HTB University CTF (November 19-21)
Cybersecurity
Upcoming events
Visma Security Conference 2021 (November 11)
Pen Test HackFest FREE Virtual Summit (November 15-16)
Tool updates
Burp Professional / Community 2021.9 (New asynchronous SSTI payloads amongst other things)