By Anna Hammond
February 2, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 24 to 31, 2022.
Nullcon Berlin Student Scholarship (Sponsored by Intigriti)
pwnkit: Local Privilege Escalation in polkit’s pkexec (CVE-2021-4034)
PwnKit, or CVE-2021-4034, is a Local Privilege Escalation in polkit’s pkexec that was discovered by Qualys researchers.
It is noteworthy because it affects all major Linux distributions by default and all pkexec versions since 2009. Actually, @ryiron blogged about the root cause behind it in 2013.
Also, the vulnerability is exploitable reliably even though it is a memory corruption bug.
To practice, there is a free TryHackMe room, and some exploits by the community:
Hacking Google Drive Integrations (Dropbox, $17,576)
How I could have read your confidential bug reports by simple mail? (Microsoft)
A story of leaking uninitialized memory from Fastly (Fastly)
These are three entirely different types of findings but all very impressive and worth reading: @rootxharsh found a full-read SSRF in Google Drive integrations in Dropbox, @Sudhakarmuthu04 found a way to read other bug hunters’ reports on the Microsoft research portal, and @emil_lerner discovered a memory leak in the QUIC (HTTP/3) implementation of the H2O webserver.
Recordings from Black Hat Europe 2021 were just released! Need I say more?
Maybe only that slides and whitepapers can be found here, and @albinowax really recommends @_danielthatcher’s talk “Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond”.
🐛 Bug Bounty Recap 🐜 January 20-26
I’m really enjoying these daily bug bounty recaps by @PinkDraconian. They are crisp and easy to digest, a fun way to stay up-to-date or get clarifications on writeups you’re struggling to understand.
CodExt is both a CLI tool and a Python library for encoding/decoding anything. It extends the Python codecs library with 120+ new codecs and has a “guess mode”.
I know there are many tools that do the same thing, but if you prefer the CLI and need support for both Bash and Python, this is a handy alternative.
Har Har Har Viewer is another useful tool. Like its name suggests it is a HAR viewer, worth bookmarking for the next time you need to handle HAR files.
Web App Pentesting – HTTP Headers & Methods & Web App Pentesting – Setting Up OWASP bWAPP With Docker
Enumerating 100 targets at once! Meg – Hacker Tools & Blog post
Kiosk Breakout & HOW TO Install Windows 11: VMware Workstation
Password spraying and MFA bypasses in the modern security landscape
How To Extract Credentials from Azure Kubernetes Service (AKS)
How to disable XXE processing? #BlueTeam
Paranoids’ Vulnerability Research: PrinterLogic Issues Security Alert #Printer
Bypassing Little Snitch Firewall with Empty TCP Packets #MacOS
Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters #CLI
Moodle: Blind SQL Injection (CVE-2021-36393) and Broken Access Control (CVE-2021-36397) (Moodle)
Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite (Lark Technologies)
Microsoft OneDrive For Macos Local Privilege Escalation (Microsoft)
CVE-2020-0696 – Microsoft Outlook Security Feature Bypass Vulnerability (Microsoft)
WPA2-Enterprise/EAP Subject Matching Vulnerability (Google Chromium, $3000)
CVE-2022-0185 – Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google’s KCTF Containers (Google, $31,337)
See more writeups on The list of bug bounty writeups.
PurplePanda: Identify privilege escalation paths within and across different clouds
LDAP Relay Scan: Check for LDAP protections regarding the relay of NTLM authentication
Trickest Log4j & Collaboration with @Six2dez1 to automate updating OneListForAll
RTCSec newsletter – STIR/SHAKEN DoS, Cisco phone passwords, Zoom and Yealink
Stratus Red team: Granular, Actionable Adversary Emulation for the Cloud (like “Atomic Red Team™” for the cloud)
Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)
Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA
A list for free Penetration Testing & Red Teaming Labs to build locally
A free HTB machine added every month to the Starting Point Track
Bug bounty
Cybersecurity
Jobs
Upcoming events
OAuth 2.0 Hacking for Beginners with Farah Hawa (February 6)
Nullcon Berlin Student Scholarship (Apply before March 10)
Updates