Bug Bytes #152 – SSRF via Gateway actuator, Flickr account takeover & Writeup of NSO’s iMessage RCE
By Anna Hammond
December 22, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from December 13 to 20.
Last Bug Bytes of the year
This is the last Bug Bytes of the year as I am taking a week off to recharge. The next issue will be in the first week of January 2022.
Intigriti news
Intigriti’s December XSS challenge by @E1u5iv3F0x
21 things that happened in 2021 at Intigriti: a year of milestones
Our favorite 5 hacking items
1. Articles of the week
Bring Your Own SSRF – The Gateway Actuator
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
@wdahlenb investigated the Spring Boot Gateway actuator (aka ‘/actuator/gateway’) and shares all the details: how the actuator works, why it could be exploited for SSRF and denial of service, and why other bug hunters seem to have missed it.
The second article is of an entirely different kind. It is a breakdown by Google’s Project Zero of FORCEDENTRY, the infamous NSO zero-click iMessage RCE.
The exploit is sent as a GIF that hides a PDF which uses JBIG2 (an old compression algorithm) to build a virtual CPU. Incredible.
2. Writeup of the week
Flickr Account Takeover (Flickr, $7,550)
@_lauritz_ found weaknesses in Flickr’s implementation of OpenID Connect, and was able to exploit them to take over any account without user interaction. The writeup details everything and makes for a great read if you are interested in authentication vulnerabilities.
3. Tutorial of the week
Why is Exposing the Docker Socket a Really Bad Idea?
Why does an exposed Docker socket on Linux grant root access to the host?
If this question tickles your curiosity, you will probably enjoy this very detailed and well-written article.
4. Tips of the week
Hashing a URL in Java triggers a DNS lookup, and this has been weaponized to exploit Java deserialization bugs
Enumerating Files Using Server Side Request Forgery and the request Module (via @Agarri_FR)
I read in a Twitter thread that hashing a URL in Java triggers a DNS lookup as part of the hash function. All comments said that this is a really bad ‘won’t fix’ bug, but I couldn’t understand why… until I saw @aaditya_purani’s explanation.
The DNS lookups triggered by hashing URLs can be used to detect and exploit insecure deserialization bugs (see Triggering a DNS lookup using Java Deserialization for details).
Another old trick that I’ve just discovered is that the Node.js request module supports a special URL format, http://unix:PATH-TO-FILE, that returns different errors depending on whether the file exists or not.
So, if you find an SSRF in a Node.js app that uses request, this behavior can be used to enumerate files on the remote file system.
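As an added example (not code from the newsletter or from any project it links), here is the kind of outbound-URL guard that closes the request-module trick above from the defender’s side: before a user-supplied URL reaches an HTTP client such as request, the service checks the scheme, rejects the “unix” pseudo-host that selects a socket or file path, strips credentials, and enforces a host allowlist. The function name, the allowlist and the sample inputs are assumptions constructed for this example.

```javascript
// Added example: validate a user-supplied destination URL before an SSRF-prone
// fetch. The function name, allowlist and sample inputs are constructed here;
// none of them come from the newsletter or the request module's own code.

function checkOutboundUrl(raw, allowedHosts) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser; throws on garbage input
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Only plain HTTP(S) may leave the service; file:, gopher:, etc. are out.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // The request module treats a host literally named "unix" as a selector for
  // a Unix-domain socket / file path (http://unix:PATH:ROUTE), so the host
  // must be refused outright, independent of the allowlist.
  if (url.hostname === 'unix') {
    return { ok: false, reason: 'unix-socket form rejected' };
  }
  // Embedded credentials are a common way to smuggle a different host past
  // naive string checks; refuse them rather than trying to sanitise.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL rejected' };
  }
  // Positive allowlist of hosts the service is actually meant to call.
  if (!allowedHosts.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  return { ok: true, target: url.toString() };
}

// Constructed allowlist and sample inputs (assumed values for this example).
const ALLOWED = new Set(['api.example.internal']);
const SAMPLES = [
  'https://api.example.internal/v1/status',   // the one legitimate call
  'http://unix:/etc/hostname:/',              // file-existence probe via "unix" host
  'http://unix:/var/run/app.sock:/status',    // socket form, also rejected
  'file:///etc/hostname',                     // wrong scheme
  'http://user:pw@api.example.internal/',     // credentials smuggled in
  'http://example.com/',                      // parses fine, not allowlisted
];

// Run every sample through the guard and attach the verdict to it.
function classifyAll(samples, allowed) {
  return samples.map((s) => ({ url: s, ...checkOutboundUrl(s, allowed) }));
}

for (const r of classifyAll(SAMPLES, ALLOWED)) {
  const note = r.ok ? '' : `  (${r.reason})`;
  console.log(`${r.ok ? 'ALLOW ' : 'REJECT'} ${r.url}${note}`);
}
```

The check on the hostname is deliberately separate from the allowlist: even if an allowlist were later loosened to a pattern, the “unix” pseudo-host should never match, because in request it changes the transport rather than the destination. A log line for each rejection, as printed above, is also the signal to alert on when an SSRF probe starts cycling through paths.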
5. Vulnerabilities of the week
CVE-2021-45046, CVE-2021-4104 & CVE-2021-45105 (new Log4j CVEs)
Last week, I mentioned that the original Log4Shell bug had a bypass that was a Denial of Service. It turned out to also be an RCE. There is also a new Log4j Denial of Service vulnerability, which brings us to a total of four bugs:
CVE-2021-44228 is the most critical since it is the only one that applies to the default configuration.
To help make sense of all the new related resources, here are some that I found particularly interesting or creative:
@LiveOverflow discusses Log4j features, JNDI and why the bug wasn’t discovered earlier
Polymorphic Log4J exploit that is a valid JSON REST API request
log4JFrida: Tool that modifies all characteristics of an Android device to return a Log4j payload instead.
Log4Shell Everywhere: A fork of Collaborator Everywhere, with the injection parameters changed to payloads for Log4j CVE-2021-44228.
For more, take a look at pentesterland/Log4Shell.
Other amazing things we stumbled upon this week
Videos
Webinars
Conferences
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
SSRF – Lab #2 Basic SSRF against another back-end system, Lab #3 SSRF with blacklist-based input filter & Lab #4 SSRF with whitelist-based input filter
Responsible(ish) disclosure writeups
Yes, fun browser extensions can have vulnerabilities too! #Web #BrowserExtension
Proctorio Chrome extension Universal Cross-Site Scripting #Web #BrowserExtension
Getting root on Ubuntu through wishful thinking #Linux #MemoryCorruption
Failed02 Pulse Secure VPN and Guacamole WebSocket Hooking #VPN #Websockets
Bug bounty writeups
How I was able to reveal page admin of almost any page on Facebook (Facebook, $4,500)
GHSL-2021-1053: Path traversal in Grafana REST API – CVE-2021-43813, CVE-2021-43815 (Grafana Labs)
Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read (Aiven Ltd, $1,000)
RCE in Visual Studio Code’s Remote WSL for Fun and Negative Profit (Microsoft)
See more writeups on The list of bug bounty writeups.
Tools
dns-exfil: Custom DNS logger that can be used for exfiltration (e.g. when testing for Log4Shell)
WhoEnum: Mass querying whois records
AD Enum: Python tool to find misconfigurations via LDAP and exploit some of those weaknesses with Kerberos
Reverse Shell Generator & Intro: Bash script to generate reverse shells
Oh365 User Finder: Python3 o365 User Enumeration Tool
Tips & Tweets
PNG that has different content when viewed on Apple devices vs other machines
How to build and run john-jumbo with mpi support using homebrew on macOS with an Apple Silicon chip
Misc. pentest & bug bounty resources
Challenges
bug-hunting-101 #BinaryExploitation
Snippet of code vulnerable to XSS. How would you exploit it?
Bug bounty & Pentest news
Bug bounty
Tool updates
New WebKit Features in Safari 15.2 (Added support for COOP/COEP HTTP Headers)
Non technical