By Anna Hammond
September 16, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 04 to 11 September.
h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) & h2cSmuggler
Using HTTP/2 used to be a mitigation for HTTP Request Smuggling vulnerabilities. That was until Jake Miller (@theBumbleSec) came up with this variant that leverages HTTP/2 over cleartext (h2c) connections. The idea is to upgrade the HTTP/1.1 connection to HTTP/2 by sending an h2c upgrade header. If the backend server is compatible, the resulting TCP tunnel is unmanaged by the proxy, allowing you to bypass the reverse proxy’s access controls.
This works on HAProxy, Nuster, and Traefik’s default reverse proxy configurations.
The Git repo provides a tool and demo to reproduce the attack.
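The defensive side of the technique described above is simple to state: the front-end must not forward an `Upgrade: h2c` request it does not intend to speak HTTP/2 over itself. The following is an added example (not code from the h2cSmuggler repo or the original post) of the check a reverse proxy should apply to client-facing request headers: detect the h2c upgrade attempt and either strip the hop-by-hop upgrade headers before forwarding or reject the request outright. The sample requests, the `example.invalid` host and the `HTTP2-Settings` value are constructed for the demo; function names are this example's own.

```python
"""Added example: detecting and neutralising an h2c upgrade attempt at a front-end.

Not code from the h2cSmuggler project or the linked post; it only illustrates
the check a reverse proxy should perform.  Sample requests are constructed.
"""
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample: an HTTP/1.1 request asking to upgrade the cleartext
# connection to HTTP/2 (the pattern the h2c smuggling write-up relies on).
SAMPLE_UPGRADE = (
    b"GET /private HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
    b"\r\n"
)

# Constructed sample: an ordinary request that should pass through untouched.
SAMPLE_PLAIN = (
    b"GET /public HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Hop-by-hop headers that carry the upgrade machinery.
UPGRADE_HEADERS = ("upgrade", "http2-settings")


def parse_request(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 request head into its request line and header list."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed header lines rather than guess
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def _tokens(value: str) -> List[str]:
    """Lower-cased, comma-separated tokens of a list-valued header."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def is_h2c_upgrade(headers: List[Header]) -> bool:
    """True if any Upgrade header offers h2c.

    Deliberately does not require a matching Connection: Upgrade token:
    a lenient backend may honour the Upgrade header on its own.
    """
    return any(name.lower() == "upgrade" and "h2c" in _tokens(value)
               for name, value in headers)


def strip_upgrade(headers: List[Header]) -> List[Header]:
    """Remove the upgrade headers and their Connection tokens so the backend
    only ever sees plain HTTP/1.1."""
    cleaned: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if lname in UPGRADE_HEADERS:
            continue
        if lname == "connection":
            kept = [t for t in _tokens(value) if t not in UPGRADE_HEADERS]
            if not kept:
                continue  # Connection carried nothing but upgrade tokens
            value = ", ".join(kept)
        cleaned.append((name, value))
    return cleaned


def front_end_policy(raw: bytes, mode: str = "strip") -> Tuple[str, str, List[Header]]:
    """Decide what the front-end does with a request.

    Returns (action, request_line, headers_to_forward) where action is
    "forward" (no upgrade present), "strip" (upgrade removed, request forwarded
    as HTTP/1.1) or "reject" (mode == "reject": refuse the request entirely).
    """
    request_line, headers = parse_request(raw)
    if not is_h2c_upgrade(headers):
        return "forward", request_line, headers
    if mode == "reject":
        return "reject", request_line, []
    return "strip", request_line, strip_upgrade(headers)


if __name__ == "__main__":
    for raw in (SAMPLE_UPGRADE, SAMPLE_PLAIN):
        action, line, hdrs = front_end_policy(raw)
        print(action, line, hdrs)
```

Stripping rather than rejecting keeps legitimate clients working, which is why it is the default here; rejecting is the right choice when the front-end never expects upgrade traffic at all. Either way the point is that the decision is made at the proxy, before the backend gets a chance to agree to a protocol switch the proxy will not follow.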
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472), Official testing script & NCC’s .NET exploit
Zerologon (CVE-2020-1472) is a CVSS-10 privilege escalation vulnerability in Microsoft’s Netlogon authentication process. It is caused by a flaw in the cryptographic implementation of AES encryption. The reason it is making headlines is its ease of exploitation and critical impact: it allows attackers with unauthenticated network access to Domain Controllers to obtain Domain Admin privileges and take over Active Directory domains.
The second writeup is about @orange_8361’s new research on Facebook’s MobileIron MDM. He found an RCE by chaining JNDI injection, an authentication bypass and arbitrary file reading. It is interesting to read how he turns black-box testing into white-box testing, and revives his old “Breaking Parser Logic” attack.
Full Time Bug Hunting with Alex Chapman
Interview With @akita_zen || Bug Bounty Methodology, Avoiding Dupes & Staying Zen
@InsiderPhD interviews @ajxchapman about full-time bug hunting, with a focus on strategy, risk management and financial planning. It’s cool to get a peek at the life of a full-time bug hunter and how he makes it sustainable.
@farah_hawa01’s interview with @akita_zen is about all things recon, methodology, avoiding dupes, favorite personal findings, subdomain takeovers, advice for beginners, etc.
XXE aficionados, this wordlist is for you! Pieter Hiele (@honoki) shared his XXE bruteforce list that includes 65 payloads. It’s worth checking out as he knows something about XXE (considering his past writeups).
CloudBrute is a new Go tool for enumerating a target’s resources on cloud providers (including Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr and Linode). It takes a keyword (for example the domain or company name) and a wordlist, builds a list of potential URLs by doing mutations, then tests which ones are live and accessible based on their status code.
The only API key needed is a free IPINFO key, and a second tool (ProxyFor) was also released to help with bypassing rate and region limitations.
Security Now – IoT Isolation Strategies – Isolate Your IoT Devices, Threema Goes Open-Source
Risky Business #598 — China closing the “cyber gap” with USA
The InfoSec & OSINT Show 24 – Ira Winkler & How to Stop Stupid
SWN #63 – Argentina Ransomware, WhatsApp Bugs, & Cisco Jabber RCE
N1QL Injection: Kind of SQL Injection in a NoSQL Database & N1QLMap
Bypass AMSI by manual modification part II – Invoke-Mimikatz
F5 BIG-IP Remote Code Execution Exploit – CVE-2020-5902 #Web
Escalating to Domain Admin in Microsoft’s Cloud Hosted Active Directory (Azure AD Domain Services) #AD
WSUS Attacks Part 1: Introducing PyWSUS & WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day #WSUS #Windows #PrivEsc
Wekan Authentication Bypass – Exploiting Common Pitfalls Of Meteorjs #Web
Ubuntu PPP’s CVE-2020-15704 Wrap-up #Linux #PrivEsc
Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability (CVE-2020-16875) #Exchange #RCE
XSS->Fix->Bypass: 10000$ bounty in Google Maps (Google, $10,000)
Safe Redirect Bypass (Twitter, $560)
Account Takeover via IDOR ($25,000)
Instagram Web DM bug and Followers bug PoC (video) (Facebook)
Blind HTTP GET SSRF via website icon fetch (bypass of pull#812) (Bitwarden)
Stored XSS in markdown when redacting references (GitLab, $5,000)
Injection of http.<url>.* git config settings leading to SSRF (GitLab, $3,000)
See more writeups on The list of bug bounty writeups.
Twistr & Intro: A domain name permutation and enumeration library powered by Rust
Gooey: Turn (almost) any Python command line program into a full GUI application with one line
StreamDivert & Intro: Redirecting (specific) TCP, UDP and ICMP traffic to another destination.
bufferover: Extracting DNS data from bufferover API for penetration testers
FES: Fast Endpoint Scanner in Rust, based on TomNomNom’s meg
check-put.sh: Script to test for PUT upload method against a list of hosts
Recon-007 [V1 Beta]: Python tool to automate the bug bounty recon process
uniqurl: Use uniqurl to filter only unique content from a list of URLs with stdin, making it usable within piped commands
get-title: multi-threaded Python tool to get pages’ titles
rakkess: Review Access – kubectl plugin to show an access matrix for k8s server resources
Maigret: Collect a dossier on a person by username from a huge number of sites (Fork of Sherlock)
Wacker: A WPA3 dictionary cracker
Bluescan: A powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!
DVS: D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife – Lateral movement using DCOM Objects
TREVORspray: A featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API & bypasses Microsoft’s new anti-password-spraying countermeasures
Zerologon attack lets hackers take over enterprise networks: Patch now
Microsoft addresses critical SharePoint and DNS-related flaws in Patch Tuesday update
Difficult-to-execute attack could break TLS encryption in rare circumstances
New BlindSide attack uses speculative execution to bypass ASLR
BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys
Academics find crypto bugs in 306 popular Android apps, none get patched
Positive Technologies: vulnerabilities in PAN-OS could threaten internal networks security
ZShlayer: New macOS malware variant obfuscates scripts to slip past security tools
Ransomware And Zoom-Bombing: Cyberattacks Disrupt Back-to-School Plans
Baka credit card skimmer bundles stealth, anti-detection capabilities, warns Visa
Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks
DDoS attacks against SwissSign prompt temporary CA switch for ProtonMail
New CDRThief malware targets VoIP softswitches to steal call detail records
Malware gang uses .NET library to generate Excel docs that bypass security checks
Gartner Predicts 75% of CEOs Will be Personally Liable for Cyber-Physical Security Incidents by 2024
With a Simple Piece of Paper, Engineers Create Self-Powered, Wireless Keyboard
Windows 10 now lets you mount Linux ext4 filesystems in WSL 2
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/04/2020 to 09/11/2020.