Bug Bytes #65 – Hacking webcams, internal servicedesks & parsers
By Intigriti
April 7, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 27 March to 3 April.
Our favorite 5 hacking items
1. Slides of the week
@samwcyo’s Kernelcon talk explores attacking various secondary contexts (APIs, reverse proxies, middleware) in Web applications. He shows how to detect application routing (in black box), and examples of vulnerabilities that can result from interactions between different servers.
This is excellent research and an interesting area to explore further. The talk video is not available yet, but will be released soon hopefully.
Also good to know, you can reproduce the last trick (Authy 2FA bypass) in @PentesterLab‘s “Idor to Shell”.
2. Writeups of the week
iPhone Camera Hack ($75,000)
Hundreds of internal servicedesks exposed due to COVID-19 (>$10,000)
It was impossible to feature only one writeup as these three are all awesome! The iPhone Camera Hack is a deep dive into several bugs found in Safari. They allowed Ryan Pickren to gain zero-click unauthorized camera access on iOS and macOS, and earned him an impressive $75,000 bounty.
The second article sums up @securinti’s findings after scanning 10,000 popular domain names for misconfigured Atlassian instances. He noticed a 12% increase in exposed instances since last summer, possibly because of the shift to remote work during COVID-19.
The third writeup reads like an investigation. @redtimmysec identified middleware in use (a WAF and a Bluecoat proxy), and was able to bypass the WAF to exfiltrate sensitive data with SSRF. This is an excellent example of a “secondary contexts” bug.
3. Article of the week
GitLab’s transparency is amazing. This is a writeup for a file upload vulnerability found internally. It illustrates the concept of parser differentials, which is similar to @samwcyo’s “secondary contexts” attacks but applied to file uploads: two components parse the same upload differently, so the file that gets validated is not the file that gets stored.
This is a unique opportunity to learn about a critical bug with details, from the company itself, about the source code and how file uploads are handled.
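To make the parser differential idea concrete, here is an added example (not GitLab's code, and not the code from the article) showing two simplified parsers disagreeing about the filename in a constructed multipart Content-Disposition header, plus a strict parser that rejects the ambiguity. The header, the allowed extension list and all function names are assumptions for illustration only.

```python
"""Parser differential on a multipart Content-Disposition header.

Added illustration, not code from GitLab or the article. A validator parses
the header one way and checks the extension; the storage layer parses it
another way and writes the file under a different name. The header and the
two parsers are constructed to show the disagreement, not any real product.
"""
import re
from typing import Callable, Optional

# Hypothetical allow-list an upload validator might enforce.
ALLOWED_EXTENSIONS = {"png", "jpg", "gif"}

# Constructed header: the filename parameter appears twice.
DUPLICATE_FILENAME_HEADER = (
    'form-data; name="file"; filename="cat.png"; filename="shell.php"'
)
CLEAN_HEADER = 'form-data; name="file"; filename="cat.png"'

Parser = Callable[[str], Optional[str]]


def filename_first_match(header: str) -> Optional[str]:
    """Parser A: a regex search keeps the FIRST filename= it finds."""
    m = re.search(r'filename="([^"]*)"', header)
    return m.group(1) if m else None


def _split_params(header: str) -> list:
    """Yield (key, value) for every ';'-separated parameter after the type."""
    out = []
    for part in header.split(";")[1:]:
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out.append((key.strip().lower(), value.strip().strip('"')))
    return out


def filename_last_param(header: str) -> Optional[str]:
    """Parser B: builds a dict, so a LATER duplicate overwrites an earlier one."""
    params = {}
    for key, value in _split_params(header):
        params[key] = value
    return params.get("filename")


def filename_strict(header: str) -> Optional[str]:
    """Hardened parser: a duplicated parameter is treated as invalid (None)."""
    seen = {}
    for key, value in _split_params(header):
        if key in seen:
            return None  # ambiguous header, refuse rather than guess
        seen[key] = value
    return seen.get("filename")


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def validate(header: str, parser: Parser) -> bool:
    """Validator accepts only when its own parser yields an allowed extension."""
    name = parser(header)
    return name is not None and extension(name) in ALLOWED_EXTENSIONS


def stored_name(header: str, validator: Parser, storage: Parser) -> Optional[str]:
    """Name the storage layer would write, or None if validation rejected it.

    A differential exists when validation passes on one name and storage
    uses another.
    """
    if not validate(header, validator):
        return None
    return storage(header)


if __name__ == "__main__":
    # Vulnerable pairing: validator sees cat.png, storage writes shell.php.
    print(stored_name(DUPLICATE_FILENAME_HEADER, filename_first_match, filename_last_param))
    # Hardened: one strict parser for both stages rejects the duplicate.
    print(stored_name(DUPLICATE_FILENAME_HEADER, filename_strict, filename_strict))
```

The fix is not a better regex but a single, strict parse shared by every component that touches the upload; any disagreement between stages is where these bugs live.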
4. Video of the week
@Codingo_ Talks About Pentesting, Escalating Bugs, OSCP, Working at Bugcrowd, Burp Suite and More!
The interview with @codingo_ is A-M-A-Z-I-N-G! He shares so many ideas and good insights. For instance his philosophy around XSS proofs of concept got him a much bigger bounty for a duplicate XSS than its first reporter! He has a unique background, and a strong opinion on which programming languages to learn.
Also a big shout-out to @NahamSec for being a great interviewer and asking all the questions I had in mind.
5. Tool of the week
Crithit allows you to do directory and file brute forcing at large scale. It takes each entry from a wordlist and tests it against all targets before moving on to the next entry, so the load is spread across hosts instead of hammering one target with the whole wordlist.
If this reminds you of something, it is probably Inception, which is similar. The difference is that Inception takes a configuration file with specific endpoints to test for as input (e.g. .env, .git, etc.), while Crithit can be used with any wordlist. So Crithit is more practical when you want to test bigger or existing wordlists. It also supports filtering output by HTTP response code and by signatures to look for in responses.
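The entry-major ordering and the response filtering described above, as an added example (not Crithit's own code): a small brute forcer that takes an injected fetch function, so it runs offline against a constructed response table. The target names, wordlist entries and the fake "soft 404" response are assumptions for the demo.

```python
"""Entry-major directory brute forcing with response filtering.

Added example, not Crithit's code. The outer loop is the wordlist entry and
the inner loop is the target list, so every host sees one request per
entry before any host sees the next entry. Hits are kept only when the
status code is allowed and, optionally, a body signature is present.
"""
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

# A fetch function returns (status_code, body) for a URL.
Fetcher = Callable[[str], Tuple[int, str]]
Hit = Tuple[str, str, int]  # (target, entry, status)


def brute_force(
    targets: Sequence[str],
    wordlist: Iterable[str],
    fetch: Fetcher,
    allowed_codes: Sequence[int] = (200,),
    signature: Optional[str] = None,
) -> List[Hit]:
    """Try every wordlist entry against every target, entry-major order."""
    hits: List[Hit] = []
    for entry in wordlist:            # one path at a time...
        for base in targets:          # ...across all targets
            url = f"{base.rstrip('/')}/{entry.lstrip('/')}"
            try:
                status, body = fetch(url)
            except Exception:
                continue              # unreachable host: skip, keep scanning
            if status not in allowed_codes:
                continue
            # Signature filter weeds out hosts that answer 200 for everything.
            if signature is not None and signature not in body:
                continue
            hits.append((base, entry, status))
    return hits


# Constructed response table standing in for real hosts (assumed data).
FAKE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://a.example/.git/HEAD": (200, "ref: refs/heads/master"),
    "https://b.example/.git/HEAD": (200, "<html>pretty 'not found' page</html>"),
    "https://b.example/.env": (200, "DB_PASSWORD=example"),
}


def make_fake_fetch() -> Tuple[Fetcher, List[str]]:
    """Return an offline fetcher plus the list of URLs it was asked for."""
    calls: List[str] = []

    def fetch(url: str) -> Tuple[int, str]:
        calls.append(url)
        return FAKE_RESPONSES.get(url, (404, ""))

    return fetch, calls


TARGETS = ["https://a.example", "https://b.example"]
WORDLIST = [".git/HEAD", ".env"]


def demo_order() -> List[str]:
    """Request order produced by the entry-major loop."""
    fetch, calls = make_fake_fetch()
    brute_force(TARGETS, WORDLIST, fetch)
    return calls


def demo_status_only() -> List[Hit]:
    """Status filter alone: the soft-404 host on b.example is a false positive."""
    fetch, _ = make_fake_fetch()
    return brute_force(TARGETS, WORDLIST, fetch)


def demo_with_signature() -> List[Hit]:
    """Adding a body signature keeps only the real .git/HEAD."""
    fetch, _ = make_fake_fetch()
    return brute_force(TARGETS, [".git/HEAD"], fetch, signature="ref: refs/")


if __name__ == "__main__":
    print(demo_order())
    print(demo_status_only())
    print(demo_with_signature())
```

A real run would wrap `fetch` in a thread pool and add per-host rate limits; the iteration order is what keeps the per-host request rate low even without them.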
Other amazing things we stumbled upon this week
Videos
Note-Taking for Bug Bounty Hunters – How I Use Notion and How You Can Too, TL;DR version & Reply if you want to share your notes/organisational system
HackerOne #h1-2004 Community Day: Intro to Web Hacking – OWASP Juice Shop
Ron Chan’s Secret to Finding Critical Security Issues on GitLab
How to access protected intents via exported Android activity embedded intent
Bounty Thursdays – April 2nd – zlz delivers magic, Crithit, Joberts Vulncode & ctfchallenges!
Working From Home // How to Stay Motivated, Focused, and Productive
Podcasts
Paul’s Security Weekly #645 – Security News – To Zoom or Not to Zoom
A Chat with Jonathan Cran About Intrigue and Security in the COVID-19 Pandemic
Securiosity: How has COVID-19 changed the cybersecurity community?
Security Weekly News #22 – DEER.IO, Maze Ransomware, & Unacast – Wrap Up
Webinars & Webcasts
Webcast: Pandemic Paradigm Shift: Remote Working is the New Normal
Real-Time OSINT: Investigating Events as They Happen | SANS OSINT Summit 2020
Virtual Barcelona Security Community Meetup – WoSEC + CyberBCN
Adversary emulation using CALDERA – Building custom abilities – Part #2
Conferences
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Pentest writeups
Combining Request Smuggling and CBC Byte-flipping to stored-XSS
Chaining multiple techniques and tools for domain takeover using RBCD
Responsible(ish) disclosure writeups
[DrayTek] – Unauthenticated RCE in Draytek Vigor 2960, 3900 and 300B (CVE-2020-8515) & PoC #Web #RCE
Exploring the minimist prototype pollution security vulnerability #Web
CVE-2020-10560 – OSSN Arbitrary File Read #Web #Crypto
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request Header Injection’) #Web #CodeReview
Imperva WAF Bypass #Web
[BugWithoutBounty] Missing Authentication in TheCoffeeHouse Api #Mobile #API
Bug bounty writeups
Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study (Bitdefender, $5,000)
Limited freemarker ssti to arbitrary liql query and manage lithium cms
Touch ID Authentication Bypass on Evernote and Dropbox IOS Apps
Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO (Shopify, $15,000)
[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation (Shopify, $15,000)
Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation (Shopify, $7,500)
Periscope iOS app CSRF in follow action due to deeplink (Twitter, $2,940)
Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation (Slack, $750)
H1514 CSRF in Domain transfer allows adding your domain to other user’s account (Shopify, $500)
An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss (SEMrush, $2,111)
See more writeups on The list of bug bounty writeups.
Tools
If you don’t have time
JSScanner & Introduction: Automated scanning of JS Files for Endpoints and Secrets
Runtime Mobile Security: A powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime
More tools, if you have time
dupknock: Python tool to help you knockout duplicate entries from multiple files and generate the final output
Subgen: A Go utility to concatenate wordlists to a domain name – to pipe into your favourite resolver!
Snaffler: A tool for pentesters to help find delicious candy
EyeWitness for Windows & Introduction: A .Net implementation of EyeWitness
padding-oracle-attacker: CLI tool and library to execute padding oracle attacks easily, with support for concurrent network requests and an elegant UI
linkedin-profile-scraper & Introduction: Python script for Scalable LinkedIn Username Hunting
CVE-2020-0796 Local Privilege Escalation POC: PoC to exploit SMBGhost (CVE-2020-0796) for Local Privilege Escalation
LockLess: C# tool that allows for the enumeration of open file handles and the copying of locked files
payload.edn: POST-exploitation persistence using Leiningen profiles.clj (Clojure’s dependency management tool)
gTunnel: A robust tunnelling solution written in Golang
Misc. pentest & bug bounty resources
C2Hack: Tips and tricks for pentesters
Rainbow Crackalack Project Releases NTLM 9-Character Rainbow Tables!
Challenges
Slayer Labs: Free for the next few weeks
Articles
Machine learning – Predict vulnerabilities by examining the words in a URL
Quick exploration of the use of .chm and .hta files in APT phishing campaigns
Taking Back What Is Already Yours: Router Wars Episode I , Episode II & Episode III
News
Bug bounty & Pentest news
Intigriti Bug Bounty Q&A #1: Isn’t bug bounty only for large companies with large budgets?
HackerOne cuts ties with mobile voting firm Voatz after it clashed with researchers
Bugcrowd’s Waitlisted Programs: Applying to Private Programs
Reports
Vulnerabilities
Microsoft is working on mitigating an entire Windows bug class
Remote working security: Thousands of misconfigured Atlassian instances ripe for unauthorized access
Safari vulnerabilities created means for attackers to covertly access iPhone cameras
Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins
Zoom
Dispelling Zoom Bugbears: What You Need to Know About the Latest Zoom Vulnerabilities
Zoom simplifies privacy policy in a bid to head off security concerns
Zoom security: Devs announce feature freeze and enhanced bug bounty program & TL;DR
Breaches & Attacks
Top Email Protections Fail in Latest COVID-19 Phishing Campaign
Office 365 Phishing Uses CSS Tricks to Bypass Email Gateways
A crypto-mining botnet has been hijacking MSSQL servers for almost two years
Microsoft: Emotet Took Down a Network by Overheating All Computers
Data on almost every citizen of Georgia posted on hacker forum
A hacker has wiped, defaced more than 15,000 Elasticsearch servers
Critical flaws in DrayTek Vigor routers patched following attacks
Hacker hijacks YouTube accounts to broadcast Bill Gates-themed crypto Ponzi scam
Malicious apps/sites
Other news
Houseparty app offers $1m reward to unmask entity behind hacking smear campaign
The 31 Cyber Security Influencers you NEED to be following in 2020
Coronavirus
COVID-19 forces browser makers to continue supporting TLS 1.0
Chinese COVID-19 disinformation campaigns commenced as early as January: Stanford
Researchers propose method to track coronavirus through smartphones while protecting privacy
Hackers target World Health Organization in attempt to steal passwords
Non technical
Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche
Worth a read if you’re ever considering reaching out to someone about mentoring
Hacking styles: technology mastery + “evil” creativity + focussed effort = maximum result
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/27/2020 to 04/03/2020.
Curated by Pentester Land & Sponsored by Intigriti