By Anna Hammond
December 22, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from December 13 to 20.
This is the last Bug Bytes of the year as I am taking a week off to recharge. The next issue will be in the first week of January 2022.
Intigriti’s December XSS challenge By @E1u5iv3F0x
21 things that happened in 2021 at Intigriti: a year of milestones
Bring Your Own SSRF – The Gateway Actuator
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
@wdahlenb investigated the Spring Boot Gateway actuator (aka ‘/actuator/gateway’) and shares all the details: how the actuator works, why it could be exploited for SSRF and Denial of Service, and why other bug hunters seem to have missed it.
The second article is of an entirely different kind. It is a breakdown by Google’s Project Zero of FORCEDENTRY, the infamous NSO zero-click iMessage RCE.
The exploit is sent as a GIF that hides a PDF which uses JBIG2 (an old compression algorithm) to build a virtual CPU. Incredible.
Flickr Account Takeover (Flickr, $7,550)
@_lauritz_ found weaknesses in Flickr’s implementation of OpenID Connect, and was able to exploit them to take over any account without user interaction. The writeup details everything and makes for a great read if you are interested in authentication vulnerabilities.
Why is Exposing the Docker Socket a Really Bad Idea?
Why does an exposed Docker socket on Linux grant root access to the host?
If this question tickles your curiosity, you will probably enjoy this very detailed and well-written article.
Hashing a URL in Java triggers a DNS lookup, and this has been weaponized to exploit Java deserialization bugs
Enumerating Files Using Server Side Request Forgery and the request Module (via @Agarri_FR)
I read in a Twitter thread that hashing a URL in Java triggers a DNS lookup as part of the hash function. All comments said that this is a really bad “won’t fix” bug, but I couldn’t understand why… until I saw @aaditya_purani‘s explanation.
The DNS lookups triggered by hashing URLs can be used to detect and exploit insecure deserialization bugs (see Triggering a DNS lookup using Java Deserialization for details).
Another old trick that I’ve just discovered is that the request Node.js module supports a special URL format, http://unix:PATH-TO-FILE, that returns different errors depending on whether the file exists or not.
So, if you find an SSRF in a Node.js app that uses request, this behavior can be used to enumerate files on the remote file system.
CVE-2021-45046, CVE-2021-4104 & CVE-2021-45105 (new Log4j CVEs)
Last week, I mentioned that the original Log4Shell bug had a bypass that was a Denial of Service. It turned out to also be an RCE. There is also a new Log4j Denial of Service vulnerability, which brings us to a total of four bugs:
CVE-2021-44228 is the most critical since it is the only one that applies to the default configuration.
To help make sense of all the new related resources, here are some that I found particularly interesting or creative:
@LiveOverflow discusses Log4j features, JNDI and why the bug wasn’t discovered earlier
Polymorphic Log4J exploit that is a valid JSON REST API request
log4JFrida: Tool that modifies all characteristics of an Android device to return a Log4j payload instead.
Log4Shell Everywhere: A fork of Collaborator Everywhere, with the injection parameters changed to payloads for Log4j CVE-2021-44228.
For more, take a look at pentesterland/Log4Shell.
SSRF – Lab #2 Basic SSRF against another back-end system, Lab #3 SSRF with blacklist-based input filter & Lab #4 SSRF with whitelist-based input filter
Yes, fun browser extensions can have vulnerabilities too! #Web #BrowserExtension
Proctorio Chrome extension Universal Cross-Site Scripting #Web #BrowserExtension
Getting root on Ubuntu through wishful thinking #Linux #MemoryCorruption
Failed02 Pulse Secure VPN and Guacamole WebSocket Hooking #VPN #Websockets
How I was able to reveal page admin of almost any page on Facebook (Facebook, $4,500)
GHSL-2021-1053: Path traversal in Grafana REST API – CVE-2021-43813, CVE-2021-43815 (Grafana Labs)
Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read (Aiven Ltd, $1,000)
RCE in Visual Studio Code’s Remote WSL for Fun and Negative Profit (Microsoft)
See more writeups on The list of bug bounty writeups.
dns-exfil: Custom DNS logger that can be used for exfiltration (e.g. when testing for Log4Shell)
WhoEnum: Mass querying whois records
AD Enum: Python tool to find misconfigurations via LDAP and exploit some of those weaknesses with kerberos
Reverse Shell Generator & Intro: Bash script to generate reverse shells
Oh365 User Finder: Python3 o365 User Enumeration Tool
PNG that has different content when viewed on Apple devices vs other machines
How to build and run john-jumbo with mpi support using homebrew on macOS with an Apple Silicon chip
bug-hunting-101 #BinaryExploitation
Snippet of code vulnerable to XSS. How would you exploit it?
Bug bounty
Tool updates
New WebKit Features in Safari 15.2 (Added support for COOP/COEP HTTP Headers)