Francisco Correa Security.log

One Cloud-based Local File Inclusion = Many Companies affected

2017-05-17T15:57:00.001-07:00

Hi everyone, Today, I'm going to share how I found a Local File Inclusion that affected companies like Facebook, Linkedin, Dropbox and many others.

The LFI was located at the cloud system of Oracle Responsys. For those who do not know Responsys is an enterprise-scale cloud-based business to consumer (B2C). Responsys gives every Business their own "private IP" to use the system in a private way. Business are not sharing IP with other companies.)

How did I found this bug?

Well as usual I was looking for bugs and I note that Facebook was sending me developer emails from the subdomain em.facebookmail.com. For example on my inbox, I had emails from fbdev@em.facebookmail.com

This got me interested on the subdomain em.facebookmail.com and after a quick DIG I note that this subdomain was connected to "Responsys" which I had previously seen in other Pentests

Responsys is providing em.facebookmail.com with the email services as you can see above. The original link I found in my inbox was something like this:

http://em.facebookmail.com/pub/cc?_ri_=X0Gzc2X%3DWQpglLjHJlYQGkSIGbc52zaRY0i6zgzdzc6jpzcASTGzdzeRfAzbzgJyH0zfzbLVXtpKX%3DSRTRYRSY&_ei_=EolaGGF4SNMvxFF7KucKuWNhjeSKbKRsHLVV55xSq7EoplYQTaISpeSzfMJxPAX8oMMhFTpOYUvvmgn-WhyT6yBDeImov65NsCKxmYwyOL0.

I note that the parameter "_ri_=" is required in order to generate a valid request. And after a bit of testing around, I found that the system was not correctly handling double URL Encoding and using a correct value at the parameter "_ri_" I could inject "%252fetc%252fpasswd" into the URL path.

This was not properly sanitized and was allowing directory traversal characters to be injected and with this retrieve internal files from the affected server.

An example of the Vulnerable URL:

http://em.facebookmail.com/pub/sf/%252fetc%252fpasswd?_ri_=X0Gzc2X%3DYQpglLjHJlYQGrzdLoyD13pHoGgHNjCWGRBIk4d6Uw74cgmmfaDIiK4za7bf4aUdgSVXMtX%3DYQpglLjHJlYQGnnlO8Rp71zfzabzewzgLczg7Ulwbazahw8uszbNYzeazdMjhDzcmJizdNFCXgn&_ei_=Ep0e16vSBKEscHnsTNRZT2jxEz5WyG1Wpm_OvAU-aJZRZ_wzYDw97ETX_iSmseE

Soon as I saw the vulnerability I knew that this LFI was not only affecting Facebook but also many other companies. All of them using different Private IPs provided by Responsys.

A quick Google Search show me other affected companies with this same bug.

Copying a valid value from the parameter _ri_ to the target company I could retrieve internal information using the same technique.

The impacts of exploiting a Local File Inclusion (LFI) vary from information disclosure to complete compromise of the systems. In this case the impact it worst because one vulnerability affected multiple companies data.

I report this bug to Oracle and the bug got fixed within a week.

Stored XSS at Google firebase via Google Cloud IAM

2017-04-17T15:47:00.001-07:00

Google Firebase demo console platform was allowing an attacker to store an XSS under the project name. This vulnerability was created on the main page of the select project.

-

"The Firebase demo project is a standard Firebase project with fully functioning Analytics, Crash Reporting, Test Lab, Notifications, Google Tag Manager and Remote Config features. Any Google user can access it. It’s a great way to look at real app data and explore the Firebase feature set." https://support.google.com/firebase/answer/7157552
-

Using Google IAM (console.cloud.google.com) was possible to create a payload and share it to the victim. Once the victim accepts the invitation at console.firebase.google.com the payload was rendered on the main project page.

Impact:

The attacker could share a project from "console.cloud.google.com" and store an XSS payload under console.firebase.google.com. This stored payload was been rendered every time the victim access the project page.

Bug Status:
I report this bug to Google Security and they reward me and patch the bug within a week. I like to thanks, Google security team for the quick response and reward.

Video POC:

Store XSS on Main page of Flickr.com and Mobile Inteface

2014-10-04T10:33:00.001-07:00

Flickr is an image hosting and video hosting website, and web services suite that was created by Ludicorp in 2004 and acquired by Yahoo in 2005.

Flickr had a total of 87 million registered members and more than 3.5 million new images uploaded daily.In August 2011 the site reported that it was hosting more than 6 billion images and this number continues to grow steadily according to reporting sources.

I start doing my security research on flickr.com and I found some cool bugs but this XSS was my favorite because the XSS was showing on Flickr main page and on the Mobile interface at m.flickr.com.

Affecting millions of users for sure..

This attack works by inviting the Victim to a group. The XSS loads when the victim get notify about a group invitation. Making this XSS very dangerous and perfect to target specific people or people in general.

I report this two bugs to Yahoo Security team and I got two nice reward.

Thanks Yahoo security Team!

Video: Soon.

Store XSS on Shopping Express Checkout [Reward]

2014-05-20T05:52:00.003-07:00

Google Shopping Express is a same-day shopping service ("shop local stores online and get items delivered on the same day") from Google that was launched on a free trial basis in San Francisco and Silicon Valley in spring 2013 and publicly in September that year.

This store XSS was showing at "Shopping Express Checkout" and by adding payload on the parameter "City" in wallet.google.com I could bypass restrictions and trigger this XSS back on Google Checkout.

Image of Proof:

This XSS was trigger just before paying pretty handy don't you think?

Well I report this to Google Security Team and they reply very quick. Fixing this bug within a week:

I'm very happy to be back on Google Hall of Fame and I like to thanks Google Security Team for the reward.

I create a video reproducing this XSS:

Bypass Flash Same Origin Policy with Add-On

2014-05-11T16:13:00.000-07:00

The same-origin policy is an important concept in the web application security model. The policy permits scripts running on pages originating from the same site.

I found that users using FlashFirebug are vulnerable to same-origin policy bypass. This Firefox add-ons create a files on the Flash Player Trust directory disallowing same-origin policy.

For this example I will use Facebook Video preview box to trigger this Flash XSS. (Fortunately Faceboook use attachment.fbsbx.com )

By using a Flash XSS plus having FlashFirebug install on the Victim Firefox I can trigger this XSS and bypass Same Origin Policy

I report this to Facebook and this was the response:

And me as a good bounty hunter I report to Adobe:

After doing a bit of looking I found that o-minds.com have a report bug page and here is their response:

I reply to them and after that I didn't receive a response.

My conclusion:
External Addons can bypass Flash "Same Origin Policy" by adding a files to flash trust directory allowing all Script Access ignoring the Same Origin Policy and this happen without the user knowledge.

Video Poc:

Status:

This bug still works and apparently is not geting fixed soon.

Dangerous Persistent XSS at Here.com [FIX]

2013-10-16T06:19:00.001-07:00

Here.com, is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.

HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood.

With this bug I could SAVE a Road name with a payload on the map. Any user that try on re-edit the street name will get this XSS.
I report a similar bug to Waza.com a few months ago.

Nokia Reponse:

Thanks to Nokia for starting this bug bounty program.

FLASH XSS AT ATT.COM [FIX]

2013-10-15T18:36:00.002-07:00

I found a Flash XSS at AT&T main domain where an attacker could stealing credentials of users.

Vuln URL:

http://www.att.com/media/en_US/scripts/JSAM/JSAM_VideoPlayer.swf?completeHandler=JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//&source=https://www.wireless.att.com/home/video_progressive/video_marquees/B2CNDA-24-emerald-hp-marquee-bkd.mp4

Payload: JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//

Flash Vuln Code:

public function videoPlayer_completeHandler(_arg1:VideoEvent):void{ if (ExternalInterface.available){ ExternalInterface.call(completeHandler, ExternalInterface.objectID); } else { trace("JSAM_VideoPlayer cannot call completeHandler because ExternalInterface is not available."); }; }

Proof:

After 2 months AT&T Response:

I hope to be on the top 10 Award :)

SQL Injection at Movistar.es [FIX]

2013-09-26T07:38:00.000-07:00

Movistar is a major Spanish mobile phone operator owned by Telefónica S.A. operating in Spain and in many Latin American countries. It is the largest carrier in Spain with 22 million customers (cellphone services only)

I found this MSSQL Injection. By Adding ' WAITFOR DELAY '0:0:20'-- getting a positive response of 20-second delay. Proving this parameter SEOname is Vulnerable to SQL INJECTION.

I Report this to Movistar and they reply and FIX quick :)

Great job Movistar!

SQL Injection at archive.org [Fix]

2013-09-25T09:20:00.003-07:00

The Internet Archive allows the public to upload and download digital material to its data cluster, but the bulk of its data is collected automatically by its web crawlers, which work to preserve as much of the public web as possible. Its web archive, The Wayback Machine, contains over 150+ billion web captures.

Looking at archive.org I found a cool MySql Injection on the user panel. Using " and "1"="1"# instead of ' and '1'='1'#

I did this by updating my nickname to 1" and "1"="1" union select version(0)# geting the version of mysql successfully.

Vulnerable URL:
https://archive.org/account/?screenname=1"+and+"1"="1"+union+select+version(0)#&action=change-screenname&submit=Change

I report this to archive.org and I never have a reply. After 4 months they fix it.

Proof:

A simple thank you would be nice.

Sql Injection in Apple and Ubuntu - Apology emails...

2013-07-24T11:06:00.001-07:00

This week I got two emails one from Apple and an other one from Ubuntu saying:

Now all users have to change there passwords. Even I... Maybe in the future they will care more about their security.

This is why all companies should have a Bug Bounty Program

Highly XSS at Google Hangouts (Reward)

2013-07-17T06:23:00.000-07:00

First of all I like to said this XSS it's stored on Google "sandbox" and it impossible to grap Cookies.

But its possible to send it to an other user using "Google Art Project Add-ons" at https://plus.google.com/hangouts/_/.

Hangouts allows users to hold conversations between two or more users. The service can be accessed online through the Gmail or Google+ websites, or through mobile apps available for Android and iOS (which were distributed as a successor to their existing Google Talk apps).

This Persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically when an modify art project it's share to the Victim using hangouts add-ons.
(like showing under)

(This is an Interactive Chat and can be easy use by anyone)

I first modify the Art Protect I want to inject at http://www.google.com/culturalinstitute/project/art-project?hl=en

Then using Google Art Project Add-ons on "Google Hangouts" I can share it to all users in the chat triggering the XSS.

(Below Google Art Injection Points)

This attack can be use to publish user login cross site scripting attack or other malicious scripts.

Google response:

I like to thanks Google again for this Reward.

Google pay me $3.133USD!!

2013-07-10T10:51:00.002-07:00

Finally! I find the bug a was looking for!! last week looking at sketchup.google.com I find a flash file vulnerable to xss at parameter eventHandler

with this was possible to get a positive XSS :)

Google Response:

This is my first big reward and Im happy as.

I like to thanks to google for starting this program.

Report:Fri, Jul 5, 2013 at 2:13 PM

Fix: Tues, Jul 9, 2013 at 9:00 AM

Dangerous XSS Persistent at Waze.com

2013-07-07T00:08:00.003-07:00

Waze is currently using its second generation map editing interface. Known as the Waze Map Editor (or WME for short), it is the default editor for Waze since September 19, 2011. This editor interface is internally code-named "Papyrus", and was functionally upgraded on April 21, 2013.

When adding an alternate city and street name was possible to inject a nice XSS.

If I save on the editor all users that click on the street get the XSS.

Google Response:

Next time I will wait 6 months :)

Report: Wed, Jun 26, 2013 at 7:53 PM

Fix: Tue, Jul 02, 2013 at 9:00 PM

Swf file Preview at googlegroups.com

2013-07-06T23:54:00.000-07:00

Today looking at googlegroups.com when uploading a file swf I could preview the file on the server triggering bugs like XSS, Redirection, http request

XSS proof:
https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&c=alert(document.cookie)&a=eval&view=1&part=4

Redirection proof:
https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&a=location&c=http://www.paypal.com/&view=1&part=4

http request to url proof:
https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&a=get&c=http://www.webcrea.cl/&view=1&part=4

Xss.swf source:
https://github.com/evilcos/xss.swf/blob/master/xss_source.txt

Google security team response:

On the Wall of Fame of SproutSocial

2013-07-06T23:39:00.001-07:00

Nice I'm on the Wall of Fame of SproutSocial.com

http://sproutsocial.com/responsible-disclosure-policy

Reward from Bugcrowd for Beta015 and Beta016!

2013-07-06T23:24:00.002-07:00

Nice I got reward from Bugcrowd for Beta015 and Beta016!

Thanks Bugcrowd

Google Webchat | Cross Site Scripting Vulnerability

2013-07-06T22:46:00.001-07:00

Google Webchat | Cross Site Scripting Vulnerability

I find out that fiber.google.com was using a third party app at fiber-chat.com:8443/googlechat/ similar to FastPath Webchat that has multiple XSS

Turned out that the email parameter was vulnerable to XSS

test@gmail.com"><svg/onload=alert(1)>

When Login off the chat I got a positive XSS response.

I Report this to Google Security Team and the response was this:

Report: Tue, Jun 18, 2013 1:34PM
Fix: Wed, Jun 19, 2013 9:00AM
No Reward for this Bug

XSS at us7.admin.mailchimp.com and help.mailchimp.com

2013-07-06T22:08:00.003-07:00

XSS at us7.admin.mailchimp.com and help.mailchimp.com

I found XSS at us7.admin.mailchimp.com

And an other Flash XSS at help.mailchimp.com

Report:Mon, Jun 17, 2013 at 12:46 AM
Fix:Tue, Jun 18, 2013 at 9:00 AM