Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 26 of June to 03 of July.
Cloud-ranges
Cloud-ranges is a collection of IP ranges owned by cloud providers (AWS, Azure, GCP, Godaddy, Linode, Rackspace…). The script used to pull this information is run everyday by @pry0cc, and the repo updated. So helpful for internet scanning research!
Taking over Azure DevOps Accounts with 1 Click (Microsoft, $3,000)
Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text ($2,500)
The first bug is a 1-click account takeover of Azure DevOps accounts. @seanyeoh intiallty found a subdomain takeover that didn’t seem that critical. Except that he could exploit it to steal tokens used in another subdomain’s authentication flow.
Lesson learned: Subdomain takeovers can not only be used to capture emails (by setting MX records) or create valid SSL certificates, but also to bypass whitelists in redirection parameters of authentication flows, and steal sensitive tokens.
The second finding is also pretty interesting. It is an SSRF exploiting Zimbra with memcached exposed. By changing the backend server IP in cache, @YShahinzadeh was able to redirect server traffic, perform a MiTM attack and steal credentials.
Hunt Scanner
Bat
HUNT is an excellent Burp extension. It had only one fault: it did not work with Burp 2.0. This is not an issue anymore thanks to @OptionalValue who rewrote it for the current version of Burp.
The other tool I was really glad to discover this week is Bat. I wish I knew about it sooner because it truly is an upgrade of cat. It adds color, syntax highlighting for several programming and markup languages, shows non-printable characters, uses less for large files by default, plus lots of other cool features.
Using SQL Injection to perform SSRF/XSPA attacks
Weaponizing favicon.ico for BugBounties , OSINT and what not , FavFreak & get-shodan-favicon-hash.py
The first article shows in detail how to leverage SQL injection to perform SSRF/XSPA. This is a fantastic ideas as it can help increase the impact of a SQL injection, and move from attacking the database to attacking cloud services (e.g. fetching sensitive metadata).
The second tutorial is also a nice technique to add to your recon arsenal. It is about using favicon.ico hashes for assets enumeration, with a Python script to automate the process.
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence (includes PoCs) & How to find F5 BIG-IP instances
CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication, Additional info by author & CVE-2020-2021: Post Exploit Analysis
It is not everyday that a vulnerability so serious comes up and makes bug hunters stop anything they are doing to check it out. This week brought up not only one but two bugs of this kind.
The first one is an RCE on F5 BIG-IP. The initial advisory didn’t disclose much, but it was reverse engineered and different Proofs of Concepts were published. The second bug is an SAML authentication bypass on PAN-OS (Palo Alto Networks). It was also reverse engineered, but the PoC developed by Randori is not public yet.
CVE-2020-5902 and CVE-2020-2021 dominated hacker conversations on Twitter. They are worth analyzing given their impact and how widespread is the affected software. But remember to give bug bounty programs some time to patch, before starting to test for and report such n-day vulnerabilities. A lot of programs mention this in their rules anyway!
How I hacked a bank their application using it for hacking another bank company — 10K XSS ($10,000)
Story of stealing mail conversation, contacts in mail.ru and myMail iOS applications via XSS (Mail.ru, $1,000)
Patched Zoom Exploit: Altering Camera Settings via Remote SQL Injection (Zoom, $3,000)
ZombieVPN, Breaking That Internet Security & Repo (Bitdefender & AnchorFree)
Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run (Symbol) #CodeReview
Mozilla sites vulnerable to HTTP Desync attacks
Create any military unit in any age (InnoGames, $1,100)
Keybase client (Windows 10): Write files anywhere in userland using relative path in “download attachement” feature (Keybase, $5,000)
Tricking the “Create snippet” feature into displaying the wrong filetype can lead to RCE on Slack users (Slack, $1,500)
Spoofing the redirect process using RTLO (Vanilla, $150)
Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages (Starbucks, $500)
See more writeups on The list of bug bounty writeups.
Browsertunnel: A tool for exfiltrating data from the browser using the DNS protocol
PUFF: Simple clientside vulnerability fuzzer, powered by puppeteer
DumpCN: A simple script that reads a list of domains (starting with https:// or not) from standard input, grabs the certificate and prints the CN
Takemeon & Intro: nxdomain subdomain enumeration. Helps in scaling the automation. Currently, it only helps to resolve the nxdomain if possible
Behave!: A monitoring browser extension for pages acting as bad boys. Warns if a Web page performs port scanning, access to private IPs or DNS rebinding attacks
TrashEmail: A hosted disposable email telegram bot
Psalm & Intro: Vimeo’s static analysis tool for finding errors in PHP applications
OFJAAAH: Automated recon script
FileSearcher & Intro: Unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough
bof-NetworkServiceEscalate: Sample “Beacon Object File” (COFF really?) created with Mingw-w64 & Makefile : Can be used as a “getsystem” or to escalate to SYSTEM from NetworkService using Forshaw’s shared logon session issue
SpoolSystem: A CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges
Leonidas: Automated Attack Simulation in the Cloud, complete with detection use cases
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/26/2020 to 07/03/2020.
