Showing posts with label BugBounty. Show all posts
Showing posts with label BugBounty. Show all posts

Monday 17 February 2020

Sharepoint RCE

Summary:
Few days ago I saw a post from alienvault which says attackers are still exploiting SharePoint vulnerability to attack middle east government organization. Having said that I found Income Tax Department India and MIT Sloan was also vulnerable to CVE-2019-0604 a remote code execution vulnerability which exists in Microsoft SharePoint. A malicious actor could exploit this vulnerability by simply sending a specially crafted SharePoint application package.

Technical analysis:
I found this vulnerability during my free time while I was browsing to ZoomEye to find such component. The application (incometaxindia.gov.in) was found to be vulnerable as it was using SharePoint as a technology to host its service. To verify this I've sent a crafted payload which enable the remote server (incometaxindia.gov.in) to perform a DNS lookup on my burp collaborator. You can do this manual by sending the crafted XML payload or via desharialize.


Aside, MIT Sloan School of Management was also found to be vulnerable with CVE-2019-0604.


Responsible Disclosure:
CERT-In (IncomeTaxIndia):
This was sent to CERT-In on Feb 12, 2020, got initial response by them on Feb 13, 2020. Post that the vulnerability was patch silently.
For MIT:
This was sent to MIT security team on Feb 13, 2020, got initial response by them on Feb 14, 2020. Post that the vulnerability was patch silently on Feb 15, 2020.
Share:

Saturday 29 September 2018

Telegram anonymity fails in desktop - CVE-2018-17780

Hi Internet,

Summary: Strangely tdesktop 1.3.14 and Telegram for windows (3.3.0.0 WP8.1) leaks end user private and public IP address while making calls. This bug was awarded €2000 by Telegram security team. (Sweeet..)
Img Src: https://telegram.org/img/tl_card_synchronize.gif
Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call, however this setting can also be changed from "Settings > Privacy and security > Calls > peer-to-peer" to other available options. The tdesktop and telegram for windows breaks this trust by leaking public/private IP address of end user and there was no such option available yet for setting "P2P > nobody" in tdesktop and telegram for windows.

PS: Even telegram for android will also leak your IP address if you have not set "Settings > Privacy and security > Calls > peer-to-peer > nobody" (But Peer-to-Peer settings for call option already exists in telegram for android).

To view this in action in tdesktop:
1. Open tdesktop,
2. Initiate a call to anyone,
3. You will notice the end user IP address is leaking.
 

Other scenario:
1. Open tdesktop in Ubuntu and login with user A
2. Open telegram in windows phone login with user B
3. Let user B initiate the call to user A
4. While user A access log will have public/private IP address of user B.
Not only the MTProto Mobile Protocol fails here in covering the IP address, rather such information can also be used for OSINT. This issue was fixed in 1.3.17 beta and v1.4.0 which have an option of setting your "P2P to Nobody/My contacts", Later CVE-2018-17780 was assign to this vulnerability.


Regards
Share:

Saturday 28 April 2018

Facebook, Friend or Evil ?

Hi Internet,

Summary:
During checkout from faasos, I observed that their are several request going to facebook, which carries your faasos detail's without user's consent, Facebook closed my report saying "Unfortunately what you have described is not currently covered by this program, We will follow up with you regarding any questions we may have." (Data Abuse BBP).
Img Src: https://swaggyimages.com/devil/devil-images-for-facebook/
So, lets get started,
You will be aware with the "Cambridge Analytica" case of Facebook,  and after that Facebook launched "Data Abuse Bounty Program" - 9th April 2018.

Well, we all are aware that we have been tracked from years! Whatever we search on the Internet no matter what object it is, in a day or hours it will be on your suggestion or any advertisement banner.

This is the most recent example : Google is always listening: Live Test

I really love eating veg warps from faasos and it was normal day when I did checkout and ordered few of them, however I have a very bad habit of capturing packets.

What I observed was, there were few `GET` & `POST` request of facebook as well in between checkout of faasos at that time I didn't pay much attention on it. On same day, I created a test account on faasos to dig more and clicked on some random wraps, went till checkout and guess what I was still able to see those Facebook request.

I cleared all my history, cookies etc. for the entire day, and thought of doing again, All the request start from login to faasos, and browsing your items in it.

Goes only to `*faasos.io` based asset but as soon as you press checkout a `GET` request goes to Facebook which carries my juicy information of faasos which also include my ordering details.(Strange) Apart from that, I start getting suggestion on my facebook wall regarding faasos.

Okay, then I thought of reporting it to Facebook under Data Abuse Bounty Program and we had a long discussion about this, they(Facebook Security Team) also told me to connect with Faasos Security team and I did the same.

However Faasos security team are not much active but they finally replied me after 4-5 days saying
"Hey Dhiraj, This tool helps us understand customer better and show them more appropriate adverts."

I asked them specifically about tool and where it is been deployed and what all it collects - No reply yet, that's bad I "personally"  feel Faasos been a data-broker over here. While collecting such info Faasos don't even take user's consent. I have seen many application's which take users consent for such things.
The image might not be clear please visit : https://konqueror.org/features/browser.php
And they also offer you to Opt-out from not been track. Pheewww! Now, I understand how all these things work!
That gives lot more understanding of my bug as well, or specifically look the above video from 3.47.25 to 3.51.40 Mins.

On safer side, I would suggest you to enable "Do Not Track Me" on your browser.
Video PoC of my Bug: Facebook Tracking PoC via Faasos.  I hope you like the read. Tweet me your views @mishradhiraj_

Regards
Dhiraj
Share:

Monday 5 March 2018

Thankyou McDonald for free cookies

Summary:
Pwing McDonald's  in 3 step and getting access to 5000+ usernames and passwords of McDonald's users. Hope you like the read..
Img Src: https://www.creativebloq.com/logo-design/mcdonalds-logo-short-11135325

Abstract:

Well, finding this bug was not a pain it was simple, and if you are not aware www.mcdelivery.co.in is under bug bounty program.

Lets Get Started :
As usual i started with sub-domain enumeration where I got a  subdomain (email.mcdelivery.co.in) which was not hosting any services for customers. Moving further I ran dirsearch on same, and  got 200 OK @ (email.mcdelivery.co.in/dump.tar.gz) (Looks like some kind of backup for McDelivery).

FYI
Okay so, extracting the tar file made me concluded it's actual a backup of McDelivery which consists of many things such as their DB, Website Backup's and many other juicy information. (Still I feel there must me something more...)

Lets Do Some Old School Tricks :
Why not simply do keyword search in entire dump file using grep
Then come's the results, their were multiple files having match of keyword "password" but then there was an excel sheet as well which I couldn't find during my manual search (GUI based).
The excel file had ~ (tilde) symbol after extension, obviously askubuntu have an answer for this. Anyways, guess what the excel sheet had username, email ID and password's !!!
and the count goes on .....

Big deal huhh !

Quick Flash :
25th February 2018: Informed McDonald's
26th February 2018: McDonald's Acknowledged 
28th February 2018: Reminder sent to McDonald's
28th February 2018: McDonald's Escalated Internally
28th February 2018: Issue Resolved
Share: