Finding Weird and Wacky Vulnerabilities

BSides Perth · 2023 · 33:13 · 355 views · Published 2023-08
Style: Talk

Transcript [en]

Give him a big round of applause.

Hello, welcome everyone, and welcome to my talk about finding some weird and wacky vulnerabilities during my relatively short career. But before I get into that, I've just got to do a few disclaimers. So this is a highly informal presentation, so I am not going to follow any rules of presentations; well, I expect typos all over the place, and yeah, this is not going to reflect how I work professionally, it's really just for fun.

So a bit about myself. I've been passionate about offensive security since 2019. I've been quite involved with different CTFs, with like India exclude or DownUnderCTF here. I'm currently working as a security consultant for Elton and previously worked at the WA Office of Digital Government as a penetration tester, and I have a crippling addiction, I couldn't think, so, to help... so yeah.

So why am I doing this talk? Well, I missed out on buying BSides Perth tickets, but that's committing a crime, which I'm not too fond of doing, so the next thing was submitting a good talk, and I was like, oh, I've always wanted to do a talk, and especially this talk, which is awesome because I was getting a bit desperate for my next class anyway. You know, the real reason why I wanted to do this talk was that I really enjoy teaching others about security and discussing cool vulnerabilities, and I also want to show what my methodology is, or try to, and do deep dives of different vulnerabilities. So I did a guest lecture at UWA about a year ago and earlier on this year did a SecTalks presentation, and I've just merged them together into this talk.

So let's begin. If you've seen one of my previous talks, I've rambled on about this methodology called input space partitioning, and basically it's a process for identifying what's called a characteristic of an input, and you can think of a characteristic as some attribute of an input which could manipulate the behaviour. And the really important thing about this methodology is that it helps you identify test cases, or more specifically negative test cases, which a lot of software engineers and testers miss out on. So in a nutshell, just a full warning, I'm really simplifying the actual process: what you do is, let's say you pick whatever function, method, thing that runs, and you identify all the inputs going into it, so that can also include function parameters or system state, and then for each of those different inputs you keep on partitioning that input domain (I'm going to explain this with features in a bit), and so you get smaller and smaller partitions which make sense with the intended behaviour, and then from there you just want to choose values for each of these partitions, and then you have your test cases.

So I'm going to do an example here with a super secure REST API that I wrote using the Express framework. It's for storing notes in a MySQL database, where you write your message and then you put in a key, and the idea of this REST API is that you can't read that message unless you have that key. And so I wrote this in Node.js using the Express web framework, and I'm using the Knex.js library, which is an SQL query builder slash client library for querying that MySQL database, and we're just going to do input space partitioning on that where method there. So just a full warning, there are a lot of different types of syntaxes for that where function; I'm just going to specifically look at how it's used here, where the key is the only user input going in. And a good place to start off is actually questioning what should be the actual type of that input going in, and because JavaScript is a dynamically typed language you can do a lot of funky stuff with it, because everything's an object. The first thing you probably want to check for is: is it actually a string? And then you keep on asking these questions and breaking down the problem. For example, if it isn't a string we could ask, is it a number or boolean, and if it is, what should happen? But if it isn't, is it an object or an array, what is the behaviour there? We also need to consider as well what the threats are for these inputs, so for example I break it down: are there non-alphanumeric characters in there, thinking of SQL injection, because those inputs are going to go into an SQL query, so we should probably test for that. And then for the intended behaviour I just made up some things, I can't read the developers' minds, but we could say, going from the top, let's say if it's an object or array input, let's see if it gets parsed to a string and make sure that there are no errors, and then for the other inputs the intended behaviour could be we just accept it and make sure that there are no SQL errors. Cool.

All right, let's do some testing, and we'll try out this first object input, and here we've got Burp Suite, just whacking it in there, see what happens. Looks all good... we've got an SQL error. All right, now we've got a cool bug, because if we have an SQL error that means that we might have something interesting going on here, especially dealing with queries, so let's dig a bit deeper. So looking at the query of what's actually happening here, that where clause looks really whack, because now it's like key equals x which is equal to something, and we should probably look into what's happening here. So when I was looking into this, the first thing I looked into was what those backtick characters were, and they're called, quote, "quoted identifiers", which basically in MySQL means you're just trying to quote a specific thing, like some identifier, and in this case it was trying to quote a column. But the problem here was that in that notes table which I'm trying to query there is no column named x, which gives you the pretty self-explanatory error saying there is no column x in this query. But what if we try and query by a column that is in that table, what happens then? We've dumped the database, or that table. Does that make sense? No. So we need to dig even deeper, and this is where you go to the documentation, and I found that with these operators you've got to look at the precedence, and with these ones, these comparison operators, they're all treated with the same precedence, which is the order of processing things, which means that it gets evaluated from left to right. So the key equals message bit is evaluated first, and if we check what that's equal to, it returns zero, which basically means false (zero's false, one is true for MySQL), which makes sense because key is not equal to message. But then if we dig further into that documentation we see that MySQL tries to be a bit smarter: when it does a comparison of some number with a string, it will try and convert that string into a number format first, and there's the documentation proof. So what happens if you try and convert a non-numeric string to a number? Well, it tries to return false; like, that's obviously not a number, and returns zero, which is false. But you see we've got a bit of a problem here, because that is equal to zero, that quoted bit is then doing a comparison, a string comparison with an integer, so it's going to try and convert it to a number, that means false as well, which leaves you with zero is equal to zero, which is true, which means that we've just dumped that table. Yeah, so cool, let's hack Knex.js now. So here we are, just reminded that was the vulnerable code as well; throw that in, and now we just dump that table with that message without even knowing the key. Cool bug. Someone else thought it was a cool bug six years ago, and it was only fixed because... I didn't find this one, but this guy Outlook, he made a CTF challenge about this last year, and it just weirded me out. I was like, is this a 0-day? And he was like, no mate, it's a 2460-day. I have a lot to say about Knex.js, but I've gone down a bit of a rabbit hole, so I'm going to bed.

So you see why that input space partitioning methodology is quite important: it helps you identify those bugs in a quite methodical way, because in reality all security vulnerabilities are bugs or features that we're just trying to exploit, and input space partitioning is a good way of finding those test cases, or testing things which are completely unintended, and then investigating those parts. And I actually learned about this while I was studying here at UWA, and I was taught by a professor named Arran Stewart, who taught a software testing and quality assurance unit, and the awesome thing is, if you want to look into this further, all the unit content for that unit's available for free online.

Speaking of which, I've got a story about Professor Arran Stewart as well, about a different weird vulnerability. So he made a website quite quickly for validating your assignment, so one of the components was we had to write some test code in Java, and then he made this website saying, hey, you zip up your code in a zip file, upload it, and then the website would say, yep, I can compile your code. However, the JavaScript client-side code on the website revealed the terminal command it was running, the javac command there, and it's throwing the user-supplied input, which is the file name, straight into that command. So I was a bit worried about it, so I messaged him saying, hey, I'm a bit concerned, and he was like, yeah, go ahead and try and test it. So I was quite excited. But before jumping straight into that code, I was like, okay, let's break down the actual process of what this web application is doing. So the first step was it was uploading a zip file, so I've always got to check to see if there's a file upload vulnerability, so examples like directory traversal, where you try and save it to a different location, but that didn't work. So next thing as well, you can sometimes do funky things with extracting files, and you extract them into different locations by naming them weirdly, or not with zip but with other archives you could do symbolic links. I'm not going to bother explaining it; that didn't work. So I was like, okay, let's dig into the javac command a bit further, because it just seems a bit suspicious, and the first idea, breaking this down further, is like, okay, I could probably inject an additional command there within the file name, but how Arran programmed his website, he was directly calling the javac program, so there was no shell program to interpret those additional commands being injected. So the next option I thought, okay, there could be some vulnerability in javac compiling those files. However, I'm a monkey, so I skipped that and I went to see if I can do command argument injection, and I confirmed that (unfortunately no screenshots), but I did it just by printing out the version of Java that he was using. So let's dig even further now. So going to the documentation I found this -J option for the javac command which, quote, says it allows changing options for the runtime environment, and when you hear about changing something of the runtime environment, you could maybe change it to run my own thing instead. And digging even further, I found this -javaagent option, which is a pretty cool feature; it's used for, quote, intercepting applications running on the JVM, which means that it's going to step in and run before the actual javac command parses things, which means that I can probably throw in my own malicious code into there and just run whatever. So tested it out, compiled my own one into that file, exploiting that command argument injection, so it's going to load it in as a Java agent, and then a nice reverse shell on my professor's website. So cool. So I also thought it was good showing that and going down that tangent a bit, because it shows that breaking down of the actual process and testing each of the different points, and also especially digging really deep into documentation and code, because there are a lot of weird features in applications and software that everyone's using which are there in the documentation, but just no one thinks about it.

So now we're on to the final case study, and some of you might guess what this is. I can't help myself; some of you probably have heard my talks in the past about this or seen my ramblings on a blog post somewhere, but if you're just not aware, Strapi is what's called a headless content management system. So more traditional content management systems couple together the front end and the back end web components into a single product, where headless content management systems more just focus on the back-end functionality, so it leaves developers free to build their own website, which then calls back to the headless CMS to get content, and Strapi is one of the biggest ones. And so, yeah, why did I start testing it? Well, I just got bored during New Year's and Christmas; there were no capture the flag events on, and I don't really have a social life, so yeah, I Googled "node.js CMS", clicked the top result, and yeah, it was Strapi, and after a few weeks, yeah, had some pretty bad vulnerabilities there. I'm going to go through and dig into each one and explain how they work, except for that one. Long story short, basically it was a community contribution where the developers just forgot to verify a JWT or OAuth token for the AWS Cognito login provider, and then the Strapi developers were distracted by the rest of the pull request, and then they were like, oh, merge is fine. Not that interesting, but yeah, let's get into the cool stuff: server-side template injection to remote code execution.

So when you're doing source code analysis, there are two different approaches (well, there are a lot more, but there are two main ones), where you do a top-down approach, where you try and find your sources and you see if they end up in different dangerous constructs. Here I did a more bottom-up approach, where I saw them using this Lodash template engine, and if you read the documentation for this, that template engine evaluates the text between delimiters as JavaScript code, which sounds awesome to me, because if I can put my own JavaScript code in there then that's an easy remote code execution vulnerability. And I looked for where I can put it in, and I noticed as a super administrator you can modify these email templates, so I'll say, oh, this is an easy win. So I stole a payload from Twitter and threw it in there, and I got some error, and I was like, okay, let's look into what's the error. Oh, validation error, something's going wrong here, and here's the code. Yeah, it felt like this was happening to me, and I was like, okay, I saw you using that dangerous function here, let me see what's actually the validation occurring. So, oh no, regex patterns. Put your hand up if you can read that... it's also me, me neither, I had to cheat a bit, but I'll try to explain what's happening. So those regex patterns on the left there, what they were doing, you can think of them as a deny list, where what they were trying to do was only allow one type of template delimiter to be used. So there were quite a few you could use with Lodash; that one in the middle was the only one they wanted to use. That's easy to bypass. The hard one was the allow list, where what they were doing, with the only allowed template delimiter, was grabbing all the text in between it and then comparing it with an allow list, and if there was anything that didn't match, it was completely rejected. However, they all made one mistake in each one of those three regex patterns, and I've got to try my best to explain it. So pulling apart that example there, what that character class is actually saying is it's going to match any character except for the characters which are the curly brackets, and then when you combine that with the asterisk, you're basically saying match that token, which is "match any character", zero or more times, so you're basically saying match any set of characters except for the curly brackets, and then it's matching it between the dollar curly brackets thing. So if you put in one of those curly brackets which are excluded, you just suddenly break the grouping, and then just nothing ever matches. So here we go, just to explain: on the top line clearly there are no curly brackets in between these characters and it correctly matches, but as soon as I throw it in there the regex pattern suddenly just does not, because it's breaking the group, even if it doesn't spot anything, and all those regex checks have the same issue. So yeah, cool thing, so we can now manipulate the payload. I fully don't expect anyone to read that in these slides, so: roses are red, violets are blue, I have a proof of concept for you. Yeah.

Now before I continue, as a security tester we normally quantify how bad a vulnerability is with risk ratings or CVSS scores and stuff, but let me introduce you to a new one: spicy level. So this is a certified high; you'll feel it the next day, but it's not that bad, because at least you need to be a super admin to exploit it. I wonder if there was a way to become a super admin... Long title, I'll go ahead and explain this. So how about this one was, I was just mucking around on the admin portal and I noticed they had this (oh, it's a bit hard to read), but they had this cool feature where you can filter users by password reset token, which is the token for resetting the account password, which I was like, oh, that's a good feature, I wonder if I can exploit this. And it didn't actually show the actual value, just for some reason you were allowed to filter by it, and I was thinking, ah, I can probably filter not just by that token but any private field for those user accounts. So let's step into it. So a bit of context as well about Strapi: Strapi has two APIs you can use, so there was a GraphQL one which was in front of all of this, but the REST API one was how you would call those REST APIs: you give a URL path of what you want to query, so that one up there is for querying the admin REST API, and what you do then is you add filters as GET parameters at the end of the URL. So this filter here is basically saying, hey, filter by a user's password that starts with the character a, and then we can check and see, okay, the response length is zero, so we know that the user's password doesn't start with the character a, but it means that we can just brute force that character until we finally see a response length change, and we do that eventually when we hit that dollar sign, where suddenly it now blows up and we get a different response, so we know that the password starts with the dollar sign, and we can just keep on doing it character by character to eventually leak out the full password hash. So this was the initial proof of concept which I sent to them. Originally I thought you can only exploit this as an admin, and you can see that it just dumps out the user's password hash. But yeah, so I reported the vulnerability to them, I was about to go back to work, and I was like, okay, they should be told about this as soon as possible, but at least it's only admins able to exploit this. But I was a little bit worried, and I just had a nagging feeling that it was a little bit worse, so later on I decided to dig into other things within Strapi, such as plugins, and I noticed they had this interesting, like...
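The input space partitioning walk-through for the notes API's `key` parameter, written up as an added example (not code from the talk, from Express, or from Knex.js): it lists the partitions the talk works through, validates the parameter so that only the string partition ever reaches the query builder, and runs every partition as a test case. It assumes Express's default extended query parser, which turns `?key[message]=abc` into an object and repeated `key=` parameters into an array; the names `validateKey`, `buildNoteQuery` and `runPartitionTests` are mine.

```javascript
// Added example, not from the talk or from Express/Knex.js.
// Express's default "extended" query parser (qs) turns ?key[message]=abc into
// { message: 'abc' } and ?key=a&key=b into ['a', 'b'], so a handler reading
// req.query.key sees several input partitions, not just strings.

// One representative value per partition of the `key` input domain.
// The values are constructed for this example.
const KEY_PARTITIONS = {
  string:      'my-secret-key',
  emptyString: '',
  number:      42,
  boolean:     true,
  nullish:     null,
  array:       ['a', 'b'],            // from ?key=a&key=b
  object:      { message: 'abc' },    // from ?key[message]=abc
  nonAlnum:    "x' OR 1=1 -- ",       // still a string: data for a bound parameter
};

// Names a value's partition for error messages (typeof null is 'object').
function partitionOf(input) {
  if (input === null) return 'null';
  if (Array.isArray(input)) return 'array';
  return typeof input;
}

// Accepts only the non-empty string partition, so a query builder call such
// as where('key', value) can never receive an object or array.
function validateKey(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: `expected string, got ${partitionOf(input)}` };
  }
  if (input.length === 0 || input.length > 256) {
    return { ok: false, reason: 'key must be 1..256 characters' };
  }
  return { ok: true, key: input };
}

// Produces the parameterised query a handler should run. The key is passed
// as a binding, never interpolated, so SQL metacharacters in it stay data.
function buildNoteQuery(input) {
  const v = validateKey(input);
  if (!v.ok) return { error: v.reason };
  return { sql: 'select `message` from `notes` where `key` = ?', bindings: [v.key] };
}

// Runs every partition as a test case and records whether it was accepted.
// Only the two string partitions should come back true.
function runPartitionTests() {
  const results = {};
  for (const [name, value] of Object.entries(KEY_PARTITIONS)) {
    results[name] = buildNoteQuery(value).error === undefined;
  }
  return results;
}
```

The rejected partitions are exactly the negative test cases the methodology is meant to surface; a handler that skips the type check would pass the object straight to the query builder, which is where the talk's Knex.js finding starts.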