Intigriti

Bug Bytes #152 – SSRF via Gateway actuator, Flickr account takeover & Writeup of NSO’s iMessage RCE

By Anna Hammond

December 22, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the week from December 13 to 20.

Last Bug Bytes of the year

This is the last Bug Bytes of the year as I am taking a week off to recharge. The next issue will be in the first week of January 2022.

Intigriti news

Intigriti’s December XSS challenge By @E1u5iv3F0x

21 things that happened in 2021 at Intigriti: a year of milestones

Our favorite 5 hacking items

1. Articles of the week

Bring Your Own SSRF – The Gateway Actuator
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

@wdahlenb investigated the Spring Boot Gateway actuator (aka ‘/actuator/gateway’) and shares all the details: How the actuator works, why it could be exploited for SSRF and Denial of Service, and why other bug hunters seem to have missed it.

The second article is of an entirely different kind. It is a breakdown by Google’s Project Zero of FORCEDENTRY, the infamous NSO zero-click iMessage RCE.
The exploit is sent as a GIF that hides a PDF which uses JBIG2 (an old compression algorithm) to build a virtual CPU. Incredible.

2. Writeup of the week

Flickr Account Takeover (Flickr, $7,550)

@_lauritz_ found weaknesses in Flick’s implementation of OpenID Connect, and was able to exploit them to take over any account without user interaction. The writeup details everything and makes for a great read if you are interested in authentication vulnerabilities.

3. Tutorial of the week

Why is Exposing the Docker Socket a Really Bad Idea?

Why does an exposed Docker socket on Linux grant root access to the host?
If this question tickles your curiosity, you will probably enjoy this very detailed and well-written article.

4. Tips of the week

Hashing a URL in Java triggers a DNS lookup, and this has been weaponized to exploit Java deserialization bugs
Enumerating Files Using Server Side Request Forgery and the request Module (via @Agarri_FR)

I read in a Twitter thread that hashing a URL in Java triggers a DNS lookup as part of the hash function. All comments said that this is a really bad won’t fix bug, but I couldn’t understand why… until I saw @aaditya_purani‘s explanation.
The DNS lookups triggered by hashing URLs can be used to detect and exploit insecure deserialization bugs (see Triggering a DNS lookup using Java Deserialization for details).

Another old trick that I’ve just discovered is that the Request Node.js module supports a special URL format, http://unix:PATH-TO-FILE, that returns different errors if the file exists or not.
So, if you find an SSRF in a Node.js app that uses Requests, this behavior can be used to enumerate files on the remote file system.

5. Vulnerabilities of the week

CVE-2021-45046, CVE-2021-4104 & CVE-2021-45105 (new Log4j CVEs)

Last week, I mentioned that the original Log4Shell bug had a bypass that was a Denial of Service. It turned out to also be an RCE. There is also a new Log4j Denial of Service vulnerability, which brings us to a total of four bugs:

Source: Tenable blog

CVE-2021-44228 is the most critical since it is the only one that applies to the default configuration.

To help make sense of all the new related resources, here are some that I found particularly interesting or creative:

For more, take a look at pentesterland/Log4Shell.

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • dns-exfil: Custom DNS logger that can be used for exfiltration (e.g. when testing for Log4Shell)

  • WhoEnum: Mass querying whois records

  • AD Enum: Python tool to find misconfigurations via LDAP and exploit some of those weaknesses with kerberos

  • Reverse Shell Generator & Intro: Bash script to generate reverse shells

  • Oh365 User Finder: Python3 o365 User Enumeration Tool

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Bug bounty & Pentest news

Non technical

You may also like