otx.alienvault.com Local File Disclosure

Those who know me are aware that I partake in bug bounty programs.  Today I’m giving you a brief post on a recent finding and the response/reward received after the submission.

AlienVault had a swag based bug bounty posted, which appears to have gone offline as I can no longer find the page detailing the program.  But while it was live, I decided to take a look since swag based programs are often less examined compared with that of their monetary based brethren.

Within a couple hours I had identified a JSON API by simply altering the unique ID in the URL to that of an invalid ID.  This allowed me to inspect the particular call a little more closely, and that’s where the fun began.


By following this same strategy I was able to find information on other API functions, including one called ‘extract’ (https://otx.alienvault.com/otxapi/extract).

The extract query appeared to be pulling data from a flat file, and creating a CSV from the contents before presenting to the user for download.  Clearly this looked interesting.  I tried a few basic path traversals with no luck, then tried escaping the forward slash... and...
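To illustrate the class of defect this finding falls into, here is an added example of my own (not AlienVault's code; the export directory, file names and function names are assumptions): a naive filter that rejects a literal "../" but only decodes the request afterwards, beside a resolver that decodes first and then confirms the resolved path still sits under the export directory.

```python
import os
import urllib.parse

# Assumed base directory for the flat files an "extract"-style endpoint serves.
BASE_DIR = "/srv/otx/exports"


def escapes_base(path):
    """True if the resolved path lies outside BASE_DIR (helper for checks/tests)."""
    base = os.path.realpath(BASE_DIR)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def naive_extract_path(requested):
    """Weak check: looks for a literal '../' in the raw request string and only
    percent-decodes afterwards, so an encoded separator is never inspected."""
    if "../" in requested:
        raise ValueError("traversal rejected")
    decoded = urllib.parse.unquote(requested)
    # normpath collapses the '..' segments that the filter above never saw.
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def safe_extract_path(requested):
    """Hardened check: decode, resolve to a canonical absolute path (symlinks
    included), then require that the result is confined to BASE_DIR. The check
    runs on the final path, so the encoding of the request no longer matters."""
    decoded = urllib.parse.unquote(requested)
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if escapes_base(candidate):
        raise ValueError("path escapes export directory")
    return candidate


if __name__ == "__main__":
    # Constructed request values: one legitimate export name, one with the
    # separators percent-encoded so the literal '../' filter does not fire.
    for req in ("report.csv", "..%2f..%2fetc%2fpasswd"):
        print("naive:", naive_extract_path(req), "escapes:",
              escapes_base(naive_extract_path(req)))
        try:
            print("safe: ", safe_extract_path(req))
        except ValueError as exc:
            print("safe:  rejected ->", exc)
```

Using `os.path.realpath` plus `os.path.commonpath` against the canonical base directory is the check to keep; string filtering on the raw request is the part that fails.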

[Screenshot: OTX AlienVault Local File Disclosure]

Uh oh.  Victory for me, red flag for the security team.

I don’t like leaving bugs with this level of severity on the table for even a short period of time.  Reflected XSS, sure I’ll stack a few and send en masse.  But not higher criticality bugs.  So I drafted a rather brief email to the PoC for the bug program, with the above screenshot, and sent it on its way.

I submitted the bug on May 8th, and by the 13th I was notified that the bug had been confirmed and mitigated.  Excellent response time 🙂

With the mitigation I received the following insight into the finding:

By the way an interesting note on your particular vuln is that we are running inside a container.  We still treat a vuln like this with the highest priority as there are things in that container that are secrets, but for the most part we consider the risk of this vuln largely mitigated by that encapsulation.

This was good to hear as it meant that segmentation was built in.  Good security practice, so kudos there.  Additionally, I’m always happy to see forward thinking companies, like AlienVault, that take a proactive stance to improving security.  Programs like this greatly improve overall security posture, often at a fraction of the cost, and help encourage those of us who want to do the right thing, to do exactly that.

As thanks, AlienVault sent me the following swag bag.

[Photo: 20160602_074255]

There was actually a second laptop cam cover, but I promptly used it to remove the taped on paper cover I have been using heh.

I plan on wearing the ‘gray hat’ at cons in the future.  Thanks to AlienVault for doing the right thing, and special thanks to Russell Spitler for the quick and friendly responses on the finding!