Bug Bytes #142 – Weird Google bugs, SAML padding Oracle & Apache path traversal continued

By Anna Hammond

October 13, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from October 4 to 11.

Our favorite 5 hacking items

1. Conference of the week

4 Weird Google VRP Bugs in 40 Minutes – Hacktivity 2021

@xdavidhu talks about four vulnerabilities he found in Google products. This is a great watch if you like weird but very creative bugs (or prefer video to written writeups).

2. Writeup of the week

SAML Padding Oracle

Compass Security researchers discovered a padding oracle vulnerability in the SAML login flow of ArcGIS. They were able to decrypt an encrypted assertion, then use an XSW4 attack and the oracle to re-encrypt it and log in as other users.

3. Vulnerability of the week

Apache advisory for CVE-2021-42013

Remember last week’s CVE-2021-41773, a zero-day path traversal in Apache HTTP Server? It turns out it is also an RCE if mod_cgi is enabled, and the fix was incomplete, which led to CVE-2021-42013. Here is a meme that sums it up, a Docker Playground and a couple of new PentesterLab exercises to practice, as well as a Nuclei template for CVE-2021-42013 for automation.

4. Tips of the week

Use an array to bruteforce OTP without triggering rate limiting
HTTP header bruteforce

@EnesSaltk7 shared a creative idea that allowed them to bypass email verification and could be useful in other contexts too. They replaced the email verification code (passed via JSON POST data) with an array of codes. So, it is a way of bruteforcing codes with a single request, without triggering rate limiting.
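A defender's view of this tip, as an added example (not code from the newsletter or the original tweet): a constructed verification handler whose matcher, like some query builders, treats an array value as an IN-list, next to a hardened version that enforces the type and counts attempts per account. All names, the sample code and the 5-attempt limit are assumptions.

```javascript
// Constructed in-memory store; the account and code are sample values.
const pending = new Map([["alice@example.test", { code: "482913", attempts: 0 }]]);
const MAX_ATTEMPTS = 5; // assumed policy, not from the newsletter

// Mimics query builders that turn an array value into an IN (...) match.
function matches(stored, supplied) {
  return Array.isArray(supplied) ? supplied.includes(stored) : supplied === stored;
}

// Naive handler: passes the JSON value straight to the matcher, so a
// per-request rate limit in front of it sees only a single attempt.
function verifyNaive(body) {
  const rec = pending.get(body.email);
  return Boolean(rec) && matches(rec.code, body.code);
}

// Hardened handler: strict type and format check, attempts counted per account.
function verifyStrict(body) {
  const rec = pending.get(body.email);
  if (!rec) return { ok: false, reason: "unknown" };
  if (rec.attempts >= MAX_ATTEMPTS) return { ok: false, reason: "locked" };
  rec.attempts += 1; // counted before comparing, malformed input included
  if (typeof body.code !== "string" || !/^\d{6}$/.test(body.code)) {
    return { ok: false, reason: "malformed" };
  }
  if (body.code !== rec.code) return { ok: false, reason: "wrong" };
  pending.delete(body.email); // a code is single use
  return { ok: true, reason: "verified" };
}
```

Counting the attempt before validating the value means malformed payloads also consume the per-account budget, so the limit holds regardless of how many requests are sent.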

Another handy tip by @nnwakelam is to bruteforce custom HTTP headers like x-FUZZ and x-FUZZ-internal. Also, keep an eye on response lengths and status codes as they may indicate that you have found valid headers.

5. Tools of the week


Ghostinthepdf is a tool that embeds GhostScript exploits into PDF files that bypass signature checks. It can be used to first detect that a target is actually using GhostScript for PDF processing, then to run exploits against it.
Also, if you haven’t seen @emil_lerner’s previous work on GhostScript, it is worth checking out to see the type of vulnerabilities that he found with this tool.

Another helpful tool is @lmpact_l's reFlutter, a framework for reverse engineering Flutter apps. It can be used to repack Flutter apps and make them trust installed certificates, so you can intercept their traffic (without root).


Other amazing things we stumbled upon this week





Slides & Workshop material


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical
