Exploiting CSP in Webkit to Break Authentication & Authorization
👤 by Sachin/Prakash
A bug in the CSP implementation of WebKit, the browser engine used by the Safari web browser, allowed an attacker to steal codes/access_tokens or any other secrets that were part of the leaked URI. This made it possible to carry out attacks including but not limited to account takeovers, CSRF, and sensitive information disclosure.
Contents:
• TLDR;
• Single Sign-On (SSO)
• Content Security Policy (CSP)
• CSP Violation Reports
• Root Cause of the Vulnerability
• How can this be exploited in SSO
• Responsible Disclosure to Safari
• Setting up PoC
• Playground
• Impact
• Roadblocks
• Stats
• Fixes
• Browsers' Mitigation Strategies
• Bypasses & a new 0day
• DEMO
• Key Takeaways
• Timeline
https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-authorization/
A persistent XSS in any message in vBulletin! Patched as of 13 Apr 2021. The vulnerability was found by our researcher Igor Sak-Sakovskiy.
PoC: [VIDEO="aaa;000"]a[FONT="a onmouseover=alert(location) a"]a[/FONT]a[/VIDEO]
Advisory: https://www.vbulletin.org/forum/showthread.php?t=328715
No CVE, because of: https://twitter.com/ptswarm/status/1463883088589692930
PT SWARM on Twitter: "Hey, @MITREcorp @CVEnew @CVEannounce! During the last 6 months, we have sent you around 18 CVE requests and we have no replies (not auto-replies) for all of them. We really do miss new CVEs."
PoC for a stored XSS in MyBB < 1.8.25 (CVE-2021-27279). The vulnerability was found by our researcher Igor Sak-Sakovskiy.
Payload: [email]a@a.a?[email=a@a.a? onmouseover=alert(1) a]a[/email][/email]
Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w
RCE 0-day exploit found in log4j, a popular Java logging package
👤 by Free Wortley, Chris Thompson
A 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) when a certain string is logged. This post provides resources to understand the vulnerability and how to mitigate it.
Contents:
• Who is impacted?
• Affected Apache log4j Versions
• Temporary Mitigations
• How the exploit works
• Exploit Requirements
• Example Vulnerable Code
• Exploit Steps
• How you can prevent future attacks
https://www.lunasec.io/docs/blog/log4j-zero-day/
Cache Poisoning at Scale
👤 by Youstin
Even though Web Cache Poisoning has been around for years, the increasing complexity of technology stacks constantly introduces unexpected behaviour that can be abused to achieve novel cache poisoning attacks. In this paper the author presents the techniques he used to report over 70 cache poisoning vulnerabilities to various Bug Bounty programs.
Contents:
• Backstory
• Incorrect Handling of the URL Fragment in Apache Traffic Server (CVE-2021-27577)
• GitHub CP-DoS
• GitLab CP-DoS
• X-Forwarded-Scheme - Rack Middleware
• CP-DoS on Hackerone.com static files
• Single request DoS of www.shopify.com
• Stored XSS on 21 subdomains
• Cloudflare and Storage Buckets
• S3 Bucket
• Azure Storage
• Fastly Host header injection
• Injecting Keyed Parameters
• User Agent Rules
• Illegal Header Fields
• Finding New Headers
• Common headers
• Conclusion
https://youst.in/posts/cache-poisoning-at-scale/
New article "Fuzzing for XSS via nested parsers condition" by our researcher @Psych0tr1a.
This technique allowed us to find a bunch of vulnerabilities in popular web products that no one had noticed before!
https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition/
Our research "Fuzzing for XSS via nested parsers condition" is in the Top 10 Web Hacking Techniques of 2021 nomination list. Don't forget to vote for us if you enjoyed the technique.
Link for voting: https://portswigger.net/polls/top-10-web-hacking-techniques-2021
Hacking the Apple Webcam (again)
👤 by Ryan Pickren
Gaining unauthorized camera access via Safari UXSS: this research resulted in 4 0-day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack.
Contents:
• Summary
• Background
• The Attack Plan
• Exploration of custom URI Schemes
• Exploit Requirements
• ShareBear Application
• Bonus Bug: Iframe Sandbox Escape
• Quarantine and Gatekeeper
• Shortcuts
• Full Chain
• Remediation
• Bonus Material (#1)
• Bonus Material (#2)
• Conclusion
https://www.ryanpickren.com/safari-uxss
The CFP for Positive Hack Days 2022 is open!
It's time to present your novel techniques/research.
This year the conference will be in a hybrid format (offline and online) both for speakers and participants.
Submit your proposal - https://cfp.phdays.com
A story of leaking uninitialized memory from Fastly
👤 by Emil Lerner
This post goes through a QUIC (HTTP/3) implementation bug in the H2O webserver. The bug is pretty interesting as it affected Fastly in a way that allowed stealing random requests and responses from uninitialized memory of its nodes, somewhat similar to CloudBleed.
Contents:
• Setting up a test environment
• Detecting which software is used
• QUIC streams
• Data transfer
• The bug
• The exploit plan
• Exploitation
• Disclosure
• Conclusion
https://medium.com/@emil.lerner/leaking-uninitialized-memory-from-fastly-83327bcbee1f
New article by our researchers Mikhail Klyuchnikov and Egor Dimitrenko about unauth RCEs in VMware products: "Hunting for bugs in VMware: View Planner and vRealize Business for Cloud".
Read the article: https://swarm.ptsecurity.com/hunting-for-bugs-in-vmware-view-planner-and-vrealize-business-for-cloud/
This is the first article about our VMware research. More to come!
We have reproduced the fresh CVE-2022-24086 Improper Input Validation vulnerability in Magento Open Source and Adobe Commerce. Successful exploitation could lead to RCE from an unauthenticated user.
We have successfully bypassed the patch for RCE in Magento Open Source and Adobe Commerce (CVE-2022-24086), and have sent the report to Adobe (we weren't the first). The new CVE-2022-24087 was issued. A hotfix is available now.
Patch ASAP!
Relaying Kerberos over DNS using krbrelayx and mitm6
👤 by Dirk-jan Mollema
In a scenario where an attacker has the ability to spoof a DNS server via DHCPv6 spoofing with mitm6, they can get victim machines to reliably authenticate to them using Kerberos and their machine account. This authentication can be relayed to any service that does not enforce integrity, such as Active Directory Certificate Services (AD CS) http(s) based enrollment, which in turn makes it possible to execute code as SYSTEM on that host. This technique is faster, more reliable and less invasive than relaying WPAD authentication with mitm6, but does of course require AD CS to be in use.
Contents:
• Kerberos over DNS
• Abusing DNS authentication
• Changes to krbrelayx and mitm6
• Attack example
• Defenses
• Mitigating mitm6
• Mitigating relaying to AD CS
• Tools
https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6
Adding save function to impacket's reg.py for Backup Operators to Domain Admin exploitation
https://github.com/SecureAuthCorp/impacket/pull/1257
The save feature in reg.py allows remote saving of registry hives. The feature can be used to escalate from Backup Operators to Domain Admin by retrieving a Domain Controller's hives and using them to obtain hashes and act as the Domain Controller or as the domain admin directly. The backup method doesn't mirror an existing function of the original reg cmdlet but instead allows dumping SAM, SYSTEM and SECURITY "at once".
New article by our researcher Egor Dimitrenko about unauth vulnerabilities in VMware products: "Catching bugs in VMware: Carbon Black Cloud Workload and vRealize Operations Manager". This is the second in a series of our VMware research.
Read the article: https://swarm.ptsecurity.com/catching-bugs-in-vmware-carbon-black-cloud-workload-appliance-and-vrealize-operations-manager/
The Dirty Pipe Vulnerability
👤 by Max Kellermann
This is the story of CVE-2022-0847, a vulnerability present in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
It is similar to CVE-2016-5195 "Dirty Cow" but is easier to exploit.
The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Contents:
• Abstract
• Corruption pt. I
• Access Logging
• Corruption pt. II
• Corruption pt. III
• Man staring at code
• Man staring at kernel code
• Pipes and Buffers and Pages
• Uninitialized
• Corruption pt. IV
• Exploiting
• Timeline
https://dirtypipe.cm4all.com
Oracle Access Manager Pre-Auth RCE (CVE-2021-35587 Analysis)
👤 by Jang and Peter
A vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability may give the attacker access to the OAM server, allow creating any user with any privileges, or simply give code execution on the victim's server.
https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316