Bug Bytes #156 – Python NaN Injection, Null-byte based file inclusion & $100K for hacking the Apple webcam

By Anna Hammond

January 26, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the week from January 17 to 24, 2022.

Intigriti news

New responsible disclosure program

Congratulations @3th1c_yuk1, @alph4byt3 and @putsi for being Top 3 in the Intigriti Q1 2021 leaderboard!

European Commission’s Open Source Programme Office starts bug bounties

Our favorite 5 hacking items

1. Vulnerability of the week

Python NaN Injection, Repo & Decipher Podcast: Robert Hansen Returns

It’s strange that this new Python vulnerability class went unnoticed. It may be complex and difficult to identify but it is also novel and an interesting area to explore.
For the anecdote, Robert Hansen / @RSnake is one of the first hackers I followed when I started in 2012. Among other things, he created the old ha.ckers.org XSS Cheat Sheet on which the OWASP XSS Filter Evasion Cheat Sheet was based.

2. Writeups of the week

Hacking the Apple Webcam (again) (Apple, $100,500)
CVE-2021-45467: CWP CentOS Web Panel – preauth RCE
The Tale of a Click leading to RCE

Ryan Pickren discovered a UXSS and other issues on Safari that could give an attacker access to victims’ camera and any website they visited, bypassing Gatekeeper.

@0xLupin‘s writeup is an amazing red teaming story that demonstrates how SSRF can be upgraded to RCE in a real-world (but CTF-like) scenario.

The third writeup is about a curious RCE via local file write on CentOS Web Panel.
In @PaulosYibelo‘s words, .%00./ is the new ..;/.

3. Tutorials of the week

Creating easy proof-of-concept scripts with Python and Curl.
Debugging a Java application with decompiled source code

The first tutorial shows how to use curl.se/h2c/ and curl.trillworks.com to easily convert HTTP requests (e.g. copied from Burp) to curl commands, and curl commands to Python or other languages (PHP, JavaScript, Go, Rust, JSON and many others).
It can be handy if you are short on time or struggle with creating custom scripts/curl commands.

The second tutorial is about dynamic analysis of Java apps using IntelliJ IDEA. If you perform static analysis of Java apps and find it difficult to trace sinks and sources, this debugging method by @dozernz can make the process much easier.

4. Resource of the week

Free SQL injection section of Bug Bounty – An Advanced Guide to Finding Good Bugs

@HusseiN98D gave an advanced bug bounty workshop at THREAT CON and published the recording on Udemy.
It is not free ($49.99 until the end of the week, then $139.99) but the SQL injection section is. It is more than one hour on SQL injection with a couple of advanced bug bounty use cases that may teach you some useful tricks.

Note that it is extremely rare for me to feature paid content in this newsletter. The only reason I am making this exception is its quality and the juicy hour long free video it includes.

5. Tip of the week

A tip for exploiting tricky blind SQL injections

If you find a blind SQL injection and have a hard time exfiltrating data, try @mcipekci‘s technique (adapted to your context of course) to force the app to return an error.

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Podcasts

Tutorials

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Known vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • ripgen: Rust-based high performance domain permutation generator

  • ShadowClone: Allows you to distribute your long running tasks dynamically across thousands of serverless functions

  • jo: JSON output from a shell

  • Chrome Bandit: Programmatically extract saved passwords from Google Chrome

  • TREVORproxy, TREVORspray 2.0 & Intro: Increasing the speed and effectiveness of password sprays

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

Non technical

You may also like