Wednesday, July 5, 2017

Exploit Galore: A tale of a private bug bounty program and how information disclosure led to RCE.

I was recently invited, through Twitter, to a private bug bounty program for a website that hosted product demonstration videos and was a sister site to the company's vendor page.
Reconnaissance

An important part of finding vulnerabilities is learning as much as you can about the website: what it is built on, any kind of CMS, old plugins, etc. During my initial check I noticed that the bottom of the page said it was powered by Vshare. Vshare is a now defunct CMS for hosting videos, basically a clone of YouTube in functionality. I read the CMS documentation I found through Google, then checked for the common directories and sensitive files outlined in that documentation, along with any other key information I could use to exploit the site, through Google dorking. One of the files I noticed was phpinfo.php, which, if you don't know it, is commonly used to check PHP configuration settings.

On to the fun stuff. I found that the site supported EXIF and decided to test out an idea. The user avatar upload allowed .jpg and .png files and did only a very basic check for malformed files or PHP disguised as an image file. Using an old and well-known trick, which involved manually tampering with the upload POST request, I was able to upload a PHP file through EXIF data. This page and this page showed me how to take advantage of the EXIF support. That gave me arbitrary file upload and RCE, but I decided to dig further into the website. Later I discovered, much to my dismay, that ImageTragick also affected the website.
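The avatar check described above, as an added example that is not code from the post or from the Vshare CMS: a Python 3 validator that contrasts the extension-plus-magic-bytes check with a hardened path that walks the JPEG marker segments, drops the APPn (EXIF) and COM segments where a PHP tag can hide, and rejects anything that still carries a PHP open tag. The function names, the marker regex and the two fixtures are my own assumptions; a real deployment would additionally re-encode the image with an image library and serve uploads from a location where PHP does not execute.

```python
import re

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"jpg", "jpeg", "png"}
SCRIPT_MARKERS = re.compile(rb"<\?(?:php|=)|<script\b", re.IGNORECASE)  # belt and braces

def naive_check(filename, data):
    """The kind of check the post describes: extension plus magic bytes only."""
    ext = filename.rpartition(".")[2].lower()
    return ext in ALLOWED_EXT and (data.startswith(JPEG_SOI) or data.startswith(PNG_SIG))

def strip_jpeg_metadata(data):
    """Rebuild a JPEG without APPn (EXIF/JFIF) and COM segments; None if malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    out, pos = bytearray(JPEG_SOI), 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return None
        segment, pos = data[pos:pos + 2 + length], pos + 2 + length
        if marker == 0xDA:  # SOS: entropy data runs to the first EOI; trailing bytes dropped
            end = data.find(JPEG_EOI, pos)
            return bytes(out + segment + data[pos:end] + JPEG_EOI) if end >= 0 else None
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):  # keep everything but APPn / COM
            out += segment
    return None

def check_avatar(filename, data):
    """Hardened path: allowlist, structural parse with metadata stripped, marker scan."""
    if filename.rpartition(".")[2].lower() not in ALLOWED_EXT:
        return "reject: extension", None
    cleaned = data if data.startswith(PNG_SIG) else strip_jpeg_metadata(data)
    if cleaned is None:  # PNG chunks are not walked here; a real deployment re-encodes
        return "reject: not a well-formed JPEG", None
    if SCRIPT_MARKERS.search(cleaned):
        return "reject: script marker survived sanitising", None
    return "accept", cleaned

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed fixtures (not real photos): a JFIF header plus a COM segment carrying a
# PHP open tag the way the post's EXIF trick does, and a PHP file with magic bytes only.
SAMPLE_TAINTED = (JPEG_SOI + _seg(0xE0, b"JFIF\x00\x01\x01") + _seg(0xFE, b"<?php /* x */ ?>")
                  + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x11" + JPEG_EOI)
SAMPLE_DISGUISED = JPEG_SOI + b"<?php /* disguised */ ?>"
```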
During my reconnaissance for subdomains that might be hosting staging, defunct or unclaimed apps, beta environments, testing pages, etc., using Sublist3r, I found a subdomain named videos.website.com. It was running the same CMS, albeit without user-submitted content, and seemed more like a testing subdomain. I planned to look for any form of SQL injection, since the CMS needs a MySQL database to work. From the documentation, the search bar used the database to search for videos, so I checked with time-based payloads such as sleep() but came up with nothing. I then checked for XSS, and much to my surprise I managed to get an SQL error using videos.website.com/search/'*/

With the help of a fellow security researcher who didn't want to be named, I was able to craft a payload that demonstrated the capability to load the /etc/passwd file, and yes, it's totally possible to achieve RCE through SQLi. That made two RCE vulnerabilities on one website, and both were reported quickly. Most people would stop here, but seeing how the site was handled and set up, it wouldn't be a surprise if other vulnerabilities were lurking around, and I did eventually find more.

Any further vulnerabilities on this website?

The website allows a user to make a publicly available playlist of their favorite videos. I used basic XSS vectors, <svg/onload=alert()> and the infamous <script>alert()</script>, but came up empty: the payload was escaping the context, just not executing. I checked a blog post and used an inline vector to trigger the XSS, similar to the GoFundMe one but this time using "autofocus/onfocus="[1].find(alert)", which worked as intended; viewing the playlist as a random user also gave me the pop-up, confirming it was persistent. There were also three reflected cross-site scripting bugs, but they didn't qualify for a bounty. To close this blog off: make sure you fully look through a company's assets. This private company opted to fully rebuild the entire website and remove the offending subdomain.
