Bug Bytes #135 – Code review for bug hunters, Zoom $200K RCE & Breaking HTTP/2 and Exchange
By Anna Hammond
August 25, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from August 2 to 23.
Intigriti News
Intigriti launches fast lane program to incentivise cybersecurity research
Welcome to the 1337-club for Q3 2021, @oct0pus7, @bug_dutch, @kapytein & @mase289!
Our favorite 5 hacking items
1. Conference of the week
DEF CON 29 Main Stage Presentations & Media Server
Recon Village, AppSec Village & Red Team Village CTF: Day 1
There are so many amazing talks and new research in this DEF CON edition! So, I’m only going to mention two of the most notable ones:
HTTP/2: The Sequel is Always Worse by @albinowax (plus Tips on how to find an HTTP/2 playmate);
@orange_8361‘s From Pwn2Own 2021: A New Attack Surface On Microsoft Exchange – Proxyshell! that earned him $200K at Pwn2Own 2021.
2. Writeups of the week
Sophos UTM Preauth RCE: A Deep Dive into CVE-2020-25223
Zoom RCE from Pwn2Own 2021 (Zoom, $200,000)
@jstnkndy came across CVE-2020-25223 during a pentest and found no public exploit for it, so he reverse engineered the vendor’s patch to locate the vulnerable code and built his own proof of concept. The writeup is very well written and walks through the methodology in detail.
The second writeup covers a 0-click RCE in Zoom via a heap buffer overflow. Thijs Alkemade & Daan Keuper demonstrated the bug at Pwn2Own and share the details of this impressive and lucrative finding.
3. Webinar of the week
How to do Code Review – The Offensive Security Way
If you’re interested in learning source code review to gain an edge as a bug hunter, this is a must-watch. @infosec_au shares insightful techniques for obtaining source code in the context of bug bounties, plus interesting bug examples and tips for both beginners and experienced code reviewers.
4. Video of the week
Working with HTTP/2 in Burp Suite & Blog post
Following @albinowax‘s talk on HTTP/2 desync attacks, Burp Suite has been updated with enhanced HTTP/2 support. This video demonstrates these new changes and how to use Burp to test for HTTP/2-exclusive vulnerabilities.
5. Tools of the week
Malicious PDF Generator
apk-recon.yaml, api-linkfinder.sh, Links & parameters wordlists extracted from the top 55 mobile apps
Malicious PDF Generator is a Python script that generates 10 different malicious PDF files and supports Burp for receiving out-of-band requests. @jonasl created it for web app testers to automate several known attacks.
The other tools are a Nuclei template and a Bash script that @nullenc0de uses to extract parameters and links from APKs and API documentation. The regexes they use can also be tweaked if you need to dump more or different information.
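To show what this kind of regex-driven extraction looks like in practice, here is an added example (not the newsletter’s code and not @nullenc0de’s script or template) that pulls hosts, endpoint paths, parameter names and path segments out of text such as decompiled APK sources or an API doc page. The sample input is constructed for the example, and the regexes are assumptions you would tune for a real target, exactly as the item above suggests.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the kind of strings you find in decompiled APK sources
# (string constants, Retrofit annotations, bundled JS) and in API documentation.
SAMPLE = """
String BASE = "https://api.example.test/v2/";
@GET("users/{id}/profile?expand=friends&fields=name")
public static final String UPLOAD = "/internal/upload.php";
"endpoint": "https://cdn.example.test/assets/app.js",
const token = new URLSearchParams(location.search).get('access_token');
GET /api/v1/orders?status=open&limit=50 HTTP/1.1
"""

# Assumed patterns; each one targets a different place endpoints hide.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")                         # absolute URLs
QUOTED_PATH_RE = re.compile(r"""["'](/[A-Za-z0-9_./{}-]+(?:\?[^\s"']*)?)["']""")  # "/path" string constants
REQUEST_LINE_RE = re.compile(r"""\b(?:GET|POST|PUT|DELETE|PATCH)\s+(/\S+)""")   # doc-style request lines
ANNOTATION_RE = re.compile(r"""@(?:GET|POST|PUT|DELETE|PATCH)\(\s*["']([^"']+)["']""")  # Retrofit annotations
GETTER_RE = re.compile(r"""\.get(?:Parameter)?\(\s*["']([A-Za-z0-9_]+)["']\s*\)""")   # param lookups in code
QUERY_KEY_RE = re.compile(r"""[?&]([A-Za-z0-9_\[\]]+)=""")                # keys in query strings


def extract(text):
    """Return sorted hosts, paths, parameter names and path segments found in text."""
    hosts, paths, params, words = set(), set(), set(), set()

    def add_endpoint(endpoint):
        path, _, query = endpoint.partition("?")
        if path:
            paths.add(path)
        if query:
            params.update(QUERY_KEY_RE.findall("?" + query))

    # Absolute URLs: split off the host, keep path and query keys.
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        hosts.add(parts.netloc)
        add_endpoint(parts.path + ("?" + parts.query if parts.query else ""))

    # Relative endpoints from string constants, request lines and annotations.
    for pattern in (QUOTED_PATH_RE, REQUEST_LINE_RE, ANNOTATION_RE):
        for endpoint in pattern.findall(text):
            add_endpoint(endpoint)

    # Parameter names read by the client code itself.
    params.update(GETTER_RE.findall(text))

    # Path segments make a targeted wordlist; skip template placeholders like {id}.
    for path in paths:
        for segment in path.split("/"):
            if segment and not segment.startswith("{"):
                words.add(segment)

    return {
        "hosts": sorted(hosts),
        "paths": sorted(paths),
        "params": sorted(params),
        "words": sorted(words),
    }


if __name__ == "__main__":
    for kind, values in extract(SAMPLE).items():
        print(f"[{kind}]")
        for value in values:
            print("  " + value)
```

Point it at `apktool`/`jadx` output or a saved API doc by reading the file into `extract()`; the `words` and `params` lists drop straight into a fuzzer such as ffuf, which is the same workflow the Nuclei template and Bash script above automate.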
Other amazing things we stumbled upon this week
Videos
“Game-Over For The Company” with @d0nut (Hacker Heroes #8), “I Want To Know Where The Aliens Are” with @RobinZekerNiet (Hacker Heroes #9) & “Unlimited Money To Your Account?” with @bug_dutch (Hacker Heroes #10)
Interview w @SherlockSecure : Top 15 on Github | Top 400 on BC | Approach, Mindset & More…
Learning to Hack in 2021: What resources should you use? & Blog post
Podcasts
Webinars
Ethical Hacking & System Defense (Free Ethical Hacking class by @PhillipWylie)
Conferences
USENIX Security ’21 Technical Sessions, including:
Weaponizing Middleboxes for TCP Reflected Amplification & Video
Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web
Why TLS is better without STARTTLS: A Security Analysis of STARTTLS in the Email Context, NO STARTTLS
Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS
Slides & Workshop material
CyberTruckChallenge19 (Android security workshop material)
Tutorials
Medium to advanced
Proxy managed by enterprise? No problem! Abusing PAC and the registry to get burpin’
Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit
The ultimate tag team: PetitPotam and ADCS pwnage from Linux
Beginners corner
Hacker Tools: Ciphey – Automatic decryption, decoding & cracking & Hacker Tools: How to set up XSSHunter
Blast Radius: Misconfigured Kubernetes & Blast Radius: DNS Takeovers
Writeups
Challenge writeups
Prototype pollution in Google Analytics?! Solution to August ’21 XSS Challenge & Written walkthrough by @WHOISbinit
Intigriti’s PHP challenge breakdown & Intigriti’s Flask Challenge Breakdown
Pentest writeups
Responsible(ish) disclosure writeups
Fortinet FortiPortal Vulnerability Disclosures #Web #CodeReview
(Authenticated) Remote Code Execution Possible in Pi-Hole Web Interface 5.5
Razer mouse + Physical access = Local admin on Windows 10 & PoC
Don’t shoot the emissary #CodeReview #Web
elFinder – A Case Study of Web File Manager Vulnerabilities #CodeReview #Web
0-day & N-day vulnerabilities
Bug bounty writeups
Zoom RCE from Pwn2Own 2021 (Zoom, $200,000)
How to Hack Apple ID (Apple, $10,000)
Modify in-flight data to payment provider Smart2Pay (Valve, $7,500)
A Bug’s Life: CVE-2021-21225 & Exploiting CVE-2021-21225 and disabling W^X (Google, $22,000)
Two weeks of securing Samsung devices: Part 2 (Samsung, $18,040)
Partial report contents leakage – via HTTP/2 concurrent stream handling (HackerOne, $2,500, related to the “Timeless timing attacks” DEF CON talk)
See more writeups on The list of bug bounty writeups.
Tools
WARCannon: High speed/Low cost CommonCrawl RegExp in Node.js
CAIDO: A lightweight web security auditing toolkit
PaperChaser: A Google Drive/Docs/Sheets/Slides Enumeration Spider
dirtywords & Intro: A targeted word list generation tool
Tips & Tweets
Misc. pentest & bug bounty resources
Challenges
Articles
Find real website ip bruteforcing ipv4 ranges & real_ip_discover
Mitigation schmitigation: Control HttpOnly cookies through XSS
Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication
1Password Secret Retrieval — Methodology and Implementation & 1PasswordSuite
Bug bounty & Pentest news
Bug bounty
Cybersecurity
Upcoming events
OWASP Nagpur Meetup #12 (Virtual) featuring @codingo_ (August 28)
BSides Berlin 2021 (August 28)
Tool updates
Interactsh v0.0.4 (Added authentication for self-hosted instances)
Turbo Intruder introduced decorators for ffuf-like response matching/filtering
Non technical