Wednesday, July 5, 2017

Scope reconnaissance and using Shodan to discover a vulnerable host used in a private bug bounty.

Normally for bug bounties, I check shodan.io using hostname:website.com and look for any hosts being used by the target. One of their hosts stood out: it led to a default phpinfo page which listed information about the host. An attacker can obtain information such as:
• Exact PHP version.
• Exact OS and its version.
• Details of the PHP configuration.
• Internal IP addresses.
• Server environment variables.
• Loaded PHP extensions and their configurations.
This information helps an attacker profile the system. With those details in hand, the attacker can research known vulnerabilities for the software under review and can also use the information during the exploitation of other vulnerabilities. This led me to discover that the host was using Memcache, and after reading Zephrfish's post about the issue I was able to understand it more clearly. I connected using telnet to verify that I was able to easily access it, and found that I was.
Additionally, I found that this version of memcached was affected by multiple integer overflow vulnerabilities that could be exploited to achieve remote code execution on the targeted system, as described in http://www.talosintelligence.com/reports/TALOS-2016-0219/ and
http://www.talosintelligence.com/reports/TALOS-2016-0220/
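The two exposures above (a phpinfo page that leaks host details, and a memcached service that answers unauthenticated to anyone who can reach the port) are both things a team can check for itself before a bounty hunter does. The following is an added example, not code from the original post: it parses a phpinfo page for the disclosed fields, parses the reply memcached gives to the plain-text `version` and `stats` commands, and includes a small probe that reports whether your own memcached instance is reachable from wherever the script runs. The sample responses embedded below are constructed for the example; the field names in `SAMPLE_PHPINFO` follow the `class="e"` / `class="v"` table layout that phpinfo() emits.

```python
"""Self-check for exposed phpinfo() pages and unauthenticated memcached.

Added example: parses constructed sample data offline and offers an
optional live probe against hosts you administer.
"""
import re
import socket

# Constructed fragment of a phpinfo() page (phpinfo renders each setting
# as a <td class="e">name</td><td class="v">value</td> row).
SAMPLE_PHPINFO = """
<h1 class="p">PHP Version 5.6.30</h1>
<tr><td class="e">System </td><td class="v">Linux web01 4.4.0 #1 SMP x86_64</td></tr>
<tr><td class="e">SERVER_ADDR </td><td class="v">10.0.0.5</td></tr>
<tr><td class="e">memcache.default_port </td><td class="v">11211</td></tr>
"""

# Constructed reply memcached gives to "version\r\nstats\r\n".
SAMPLE_MEMCACHED_RESPONSE = (
    "VERSION 1.4.25\r\n"
    "STAT pid 1234\r\n"
    "STAT uptime 86400\r\n"
    "STAT version 1.4.25\r\n"
    "STAT curr_connections 10\r\n"
    "END\r\n"
)

_ROW = re.compile(r'<td class="e">\s*([^<]+?)\s*</td>\s*<td class="v">\s*([^<]*?)\s*</td>')
_TITLE = re.compile(r"PHP Version\s+(\d+\.\d+\.\d+)")


def phpinfo_disclosures(html: str) -> dict:
    """Return the settings a phpinfo page discloses, keyed by field name.

    The PHP version is taken from the page heading; every name/value table
    row is collected verbatim, which is exactly what a reader of the page
    (including the internal SERVER_ADDR) gets for free.
    """
    found = {}
    title = _TITLE.search(html)
    if title:
        found["PHP Version"] = title.group(1)
    for name, value in _ROW.findall(html):
        found[name] = value
    return found


def parse_memcached_version(response: str):
    """Extract the version string from a 'version' reply, or None."""
    m = re.search(r"^VERSION (\S+)", response, re.M)
    return m.group(1) if m else None


def parse_memcached_stats(response: str) -> dict:
    """Turn 'STAT <name> <value>' lines into a dict (values kept as strings)."""
    stats = {}
    for line in response.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats


def probe_memcached(host: str, port: int = 11211, timeout: float = 3.0):
    """Return memcached's raw version/stats reply if it answers without
    authentication from this network position, or None if the port is
    closed, filtered or unreachable.

    Run this from an untrusted vantage point (e.g. outside your VPC)
    against hosts you own: a non-None result means the service is exposed
    the same way the post describes.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"version\r\nstats\r\n")
            data = b""
            while b"END\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        return data.decode(errors="replace")
    except OSError:
        return None


if __name__ == "__main__":
    print("phpinfo leaks:", phpinfo_disclosures(SAMPLE_PHPINFO))
    print("memcached version:", parse_memcached_version(SAMPLE_MEMCACHED_RESPONSE))
    print("memcached stats:", parse_memcached_stats(SAMPLE_MEMCACHED_RESPONSE))
```

If `probe_memcached` returns a reply for a host that should only serve your application tier, the fix is on the server side rather than in any scanner: remove default phpinfo pages from production document roots, and bind memcached to the loopback or an internal interface (the `-l` listen option) or put it behind a firewall rule, in addition to patching to a version not affected by the Talos advisories above.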
This is a short blog post, but it goes to show how Shodan can reveal hosts running vulnerable services, and with them vulnerabilities you wouldn't normally find.
