From Multiple IDORs leading to Code Execution on a different Host Container
Here is a short write-up on an interesting bug that I found while testing a site. There won't be many screenshots of the bug, as I can't disclose any details about the target.
Let's talk about the target. The site is somewhat similar to any web hosting platform, except that instead of the platform providing a domain name and hosting web services like WordPress or Joomla for us, on this platform we host services such as WordPress or Joomla ourselves and point them to our own domain. The backend uses Docker as the medium for hosting the service, which means that when we create a new service a Docker container is created and the service is isolated within that container.
This is how I think the backend system creates a new service. So where is the vulnerability in this platform? I was able to find multiple IDORs, such as stopping or starting any user's hosted service and enabling and disabling security features. But what made the application vulnerable to IDOR, or access control issues, in the first place? The site uses a cookie called access_token to verify the session, but there were no additional cookies performing access control validation, which made it vulnerable. This is what the IDOR request looked like.
GET /site/ID HTTP/1.1
Host: sub.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://sub.redacted.com/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: access_token=random-access-token; user_time_zone=Asia%2FKolkata
By changing the ID to another user's ID, I was able to get into their site dashboard. So I was sure that every endpoint was vulnerable, but starting or stopping a service is not what I wanted; I wanted something more, which was the API. After fuzzing for some time I was able to find an endpoint which I think was for debugging, because of the information it displayed.
GET /sites/ID/container?access_token=some-random-access-token HTTP/1.1
Host: api.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://sub.redacted.com/
Connection: close
The response was a long JSON document with a lot of information, such as their Rancher cluster URL, the version of the service, and the private IPs of the load balancer and Docker container, but the thing that caught my eye was MySQL.
So the database is actually on a different instance, as a container, and it uses a proxy to establish a connection with the website. So for every website there is a MySQL database container, and we can only connect to that container. Now we need to escape out of the MySQL container, and here IDOR comes to the rescue: we can use phpMyAdmin to log in to the database. When the request is processed, the backend verifies the user with the site ID, so if I change the site ID to the victim's ID, the backend server takes it as a valid request and logs me in.
GET /site/ID/pmalogin HTTP/1.1
Host: sub.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://sub.redacted.com/
Connection: close
Cookie: access_token=random-access-token; user_time_zone=Asia%2FKolkata;
Upgrade-Insecure-Requests: 1
Which results in:
And I was able to take control of the whole site, which also means code execution. The company was also generous enough to fix the issue and reward me $$$.
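As an added example (not the platform's code), this sketches the authorization gap described above in Python: a handler for /site/ID that only validates the access_token session beside one that also checks site ownership, plus a log heuristic for spotting one token walking through many site IDs. The session store, owner table, token values and log lines are all constructed stand-ins.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the session store and site table (not real data).
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}  # access_token -> user
SITE_OWNERS = {101: "alice", 202: "bob"}                  # site ID -> owner

@dataclass
class Request:
    site_id: int                    # the ID taken from /site/<ID>/...
    access_token: "str | None"      # value of the access_token cookie

def authenticate(req):
    """Session check only: maps the cookie to a user, or None."""
    return SESSIONS.get(req.access_token)

def vulnerable_handler(req):
    """The write-up's pattern: valid session, so any site ID in the path is served (IDOR)."""
    user = authenticate(req)
    if user is None:
        return 401, None
    return 200, f"dashboard for site {req.site_id}"

def hardened_handler(req):
    """Authenticate, then authorize against the server-side owner record (404 hides IDs)."""
    user = authenticate(req)
    if user is None:
        return 401, None
    if SITE_OWNERS.get(req.site_id) != user:
        return 404, None
    return 200, f"dashboard for site {req.site_id}"

def flag_enumeration(log_lines, threshold=3):
    """Detection heuristic: one access_token reaching >= threshold distinct site IDs."""
    seen = {}
    for line in log_lines:
        token, path = line.split(" ", 1)
        m = re.match(r"/sites?/(\d+)", path)
        if m:
            seen.setdefault(token, set()).add(int(m.group(1)))
    return {t for t, ids in seen.items() if len(ids) >= threshold}

# Constructed access-log lines: "<access_token> <path>".
SAMPLE_LOG = ["token-alice /site/101/pmalogin", "token-bob /site/202/pmalogin",
              "token-bob /site/101", "token-bob /sites/303/container"]
```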
Nice catch... keep hunting
Thanks
Cool.. Nice write-up.
Thanks koya
Awesome write-up 👏🔥
Thanks brende
Awesome
Thanks kenge
Nice one
❤️
Awesome, man ...