Finding Weird and Wacky Vulnerabilities

BSides Perth · 2023 · 33:13 · 355 views · Published 2023-08

Style: Talk

Transcript [en]

[MC] Give him a big round of applause.

Hello, welcome everyone, and welcome to my talk about finding some weird and wacky vulnerabilities during my relatively short career. Before I get into that, I've just got to do a few disclaimers. This is a highly informal presentation, so I am not going to follow any rules for presentations, so expect typos all over the place. This is not going to reflect how I work professionally, it's really just for fun.

A bit about myself. I've been passionate about offensive security since 2019. I've been quite involved with different CTFs, like [inaudible] or DownUnderCTF. I'm currently working as a security consultant for elttam, and previously I worked at the WA Office of Digital Government as a penetration tester. And I have a crippling addiction [inaudible].

So why am I doing this talk? Well, I missed out on buying BSides Perth tickets. The next option was committing a crime, which I'm not too fond of doing, so the next option was submitting a good talk. I was like, oh, I've always wanted to do a talk, and especially this talk, which is awesome because I was getting a bit desperate for my next [inaudible] anyway. The real reason I wanted to do this talk was that I really enjoy teaching others about security and discussing cool vulnerabilities, and I also want to show what my methodology is when trying to do deep dives into different vulnerabilities. I did a guest lecture at UWA about a year ago, and earlier this year I did a SecTalks presentation, and I've merged them together into this talk.

So let's begin. If you've seen one of my previous talks, I've rambled on about this methodology called input space partitioning. Basically it's a process for identifying what's called a characteristic of an input, and you can think of a characteristic as some attribute of an input which could manipulate the behaviour. The really important thing about this methodology is that it helps you identify test cases, or more specifically negative test cases, which a lot of software engineers and testers miss out on. In a nutshell (fair warning, I'm really simplifying the actual process), what you do is pick whatever function or method that runs and identify all the inputs going into it, which can also include things like function parameters or system state. Then for each of those inputs you keep on partitioning that input domain (I'll explain this a bit more in a minute), so you get smaller and smaller partitions which make sense with the intended behaviour. From there you choose values for each of these partitions, and then you have your test cases.

I'm going to do an example here with a super secure REST API that I wrote using the Express framework. It's for storing notes in a MySQL database, where you write your message and then you put in a key, and the idea of this REST API is that you can't read that message unless you have the key. I wrote this in Node.js using the Express web framework, and I'm using the Knex.js library, which is an SQL query builder slash client library, for querying that MySQL database. We're just going to do input space partitioning on that where method there. Just a forewarning, there are a lot of different types of syntax for that where function; I'm just going to look specifically at how it's used here, where the key is the only user input going in.

A good place to start off is actually questioning what the type of that input going in should be, because JavaScript is a dynamically typed language and you can do a lot of funky stuff with it, since everything's an object. The first thing you probably want to check is: is it actually a string? Then you keep on asking these questions and breaking down the problem. For example, if it isn't a string, we could ask, is it a number or a boolean, and if it is, what should happen? But if it isn't, is it an object or an array, and what is the behaviour there? We also need to consider what the threats are for these inputs. For example, I break down whether there are non-alphanumeric characters in there, thinking of SQL injection, because those inputs are going to go into an SQL query, so we should probably test for that. Then for the intended behaviour I just made up some things (I can't read the developer's mind), but going from the top we could say, if it's an object or array input, let's see if it gets parsed to a string and make sure that there are no errors. For the other inputs, the intended behaviour could be that we just accept it and make sure there are no SQL errors.

Cool, let's do some testing. We'll try out this first object input, and here we've got Burp Suite, just whacking it in there to see what happens. Looks all good... we've got an SQL error. Now we've got a cool bug, because if we have an SQL error that means we might have something interesting going on here, especially dealing with queries, so let's dig a bit deeper. Looking at the query, what's actually happening here is that the where clause looks really wack, because now it's like `key` is equal to `x`, which is equal to something, and we should probably look into what's happening. When I was looking into this, the first thing I looked into was those backtick characters, and they're called quoted identifiers, which in MySQL basically means you're quoting a specific thing, like some identifier, and in this case it was trying to quote a column. The problem was that in that notes table which I'm trying to query there is no column named x, which gives you the pretty self-explanatory error saying there is no column x in the where clause. But what if we try and query by a column that is in that table? What happens then? We've dumped the database, or that table. Does that make sense? No, so we need to dig even deeper.

This is where you go to the documentation. I found that with these operators you've got to look at the precedence, and these comparison operators are all treated with the same precedence, which is the order of processing things, which means that it gets evaluated from left to right. So the key equals message bit is evaluated first, and if we check what that's equal to, it returns zero, which basically means false (zero is false, one is true for MySQL), which makes sense because key is not equal to message. But then if we dig further into the documentation we see that MySQL tries to be a bit smart when it does a comparison of a number with a string: it will try and convert that string into a number format first, and there's the documentation proof. So what happens if you try and convert a non-numeric string to a number? Well, it tries to return false, so that's obviously not a number and it returns zero, which is false. But you see we've got a bit of a problem here, because that first comparison is equal to zero, and that quoted string is then doing a comparison, a string compared with an integer, so it's going to try and convert it to a number, which means false as well, which leaves you with zero is equal to zero, which is true, which means that we've just dumped that table.

Yeah, so cool, let's hack Knex.js now. Here we are, just a reminder that was the vulnerable code as well. Throw that in, and now we just dump that table with that message without even knowing the key. Cool bug. Someone else thought it was a cool bug six years ago, and it was only fixed because... I didn't find this one, but this guy [inaudible] made a CTF challenge about this last year, and it just weirded me out. I was like, is this a zero-day? And he was like, no mate, it's a 2460-day. I have a lot to say about Knex.js but I've gone down a bit of a rabbit hole, so I'm going to leave it.

So you see why that input space partitioning methodology is quite important: it helps you identify those bugs in a quite methodical way, because in reality all security vulnerabilities are bugs or features that we're just trying to exploit, and input space partitioning is a good way of pinpointing those test cases, or testing things which are completely unintended, and then investigating those parts. I actually learned about this while I was studying here at UWA.
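As an added example (not code from the talk), the following shows the partition table for the `key` input that the speaker walks through, a type check of the kind that the negative test cases point to, and a small model of the left-to-right MySQL comparison chain as the speaker describes it. The function names (`validateKey`, `mysqlLooseEquals`, `evaluateChain`) and the sample values are constructed for this example, the MySQL model ignores collation, and the `KEY_PATTERN` allow list is an assumption about what a key should look like.

```javascript
// Added example, not from the talk: input space partitioning applied to the
// `key` field of a notes API, plus a model of the MySQL comparison chain the
// speaker walks through. Function names and sample values are hypothetical.

// One representative value per partition of the `key` input domain. These are
// the (mostly negative) test cases the partitioning exercise produces.
const keyPartitions = [
  { name: 'alphanumeric string', value: 'abc123' },
  { name: 'string with SQL metacharacters', value: "a' OR '1'='1" },
  { name: 'empty string', value: '' },
  { name: 'number', value: 42 },
  { name: 'boolean', value: true },
  { name: 'null', value: null },
  { name: 'array', value: ['x'] },
  { name: 'object', value: { key: 'message' } },
];

// Hardened check: the query builder only ever sees a non-empty string of the
// expected shape. Rejecting non-strings up front closes the object-as-column
// case the talk describes; the pattern also covers the SQL-metacharacter
// partition. The exact pattern is an assumption for this example.
const KEY_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

function validateKey(input) {
  if (typeof input !== 'string') {
    const kind = input === null ? 'null' : Array.isArray(input) ? 'array' : typeof input;
    return { ok: false, reason: `expected string, got ${kind}` };
  }
  if (!KEY_PATTERN.test(input)) {
    return { ok: false, reason: 'key contains characters outside the allowed set' };
  }
  return { ok: true, key: input };
}

// Runs every partition through the check; in a real test suite each row is
// one test case against the actual endpoint.
function runPartitionTests() {
  return keyPartitions.map((p) => ({ partition: p.name, ...validateKey(p.value) }));
}

// Model of MySQL's `=` as the talk describes it (collation ignored): string vs
// string is a string comparison; number vs string converts the string to a
// number first, and a string with no leading numeric prefix becomes 0.
// Returns 1 (true) or 0 (false), as MySQL does.
function mysqlToNumber(s) {
  const m = /^\s*[-+]?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?/.exec(s);
  return m ? Number(m[0]) : 0;
}

function mysqlLooseEquals(a, b) {
  if (typeof a === 'string' && typeof b === 'string') return a === b ? 1 : 0;
  const na = typeof a === 'string' ? mysqlToNumber(a) : a;
  const nb = typeof b === 'string' ? mysqlToNumber(b) : b;
  return na === nb ? 1 : 0;
}

// WHERE `key` = `message` = 'supplied', equal precedence, left to right:
// (`key` = `message`) is 0 for every row where they differ, then 0 = 'supplied'
// coerces the string to 0, so the row matches regardless of the real key.
function evaluateChain(keyValue, messageValue, suppliedValue) {
  const first = mysqlLooseEquals(keyValue, messageValue);
  return mysqlLooseEquals(first, suppliedValue);
}

console.log(runPartitionTests());
console.log('chain result:', evaluateChain('k1', 'hello world', 'secret'));
```

Only the alphanumeric partition passes the check; every other row is a negative test case that the original endpoint would have accepted. The chain model returns 1 for any non-numeric supplied string, which is the "zero equals zero" result the talk arrives at, and 0 when the supplied string has a numeric prefix such as `'12'`.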

I was taught by a professor named Arran Stewart, who taught a software testing and quality assurance unit, and the awesome thing is, if you want to look into this further, all the unit content for that unit is available for free online. Speaking of which, I've got a story about Professor Arran Stewart as well, about a different weird vulnerability. He made a website quite quickly for validating your assignment. One of the components was that we had to write some test code in Java, and then he made this website saying, hey, zip up your code in a zip file, upload it, and the website would say, yep, I can compile your code. However, a look at the client-side code on the website revealed the terminal command it was running, the javac command, and it was throwing the user-supplied input, which is the file name, straight into that command. I was a bit worried about it, so I messaged him saying, hey, I'm a bit concerned, and he was like, yeah, go ahead and try and test it. So I was quite excited, as you can imagine.

But before jumping straight into that code, I was like, okay, let's break down the actual process of what this web application is doing. The first step was that it was uploading a zip file, so I've always got to check to see if there's a file upload vulnerability, for example directory traversal, where you try to save it to a different location, but that didn't work. The next thing is you can sometimes do funky things with extracting files and get them extracted into different locations by naming them weirdly, or not with zip but with other archives you could do things like symbolic links. I'm not going to bother explaining it; that didn't work. So I was like, okay, let's dig into the javac command a bit further, because it just seems a bit suspicious. The first idea, breaking this down further, was okay, I could probably inject an additional command there within the file name, but the way Arran programmed his website, he was directly calling the javac program, so there was no shell program to interpret those additional commands being injected. The next option I thought, okay, there could be some vulnerability in javac compiling those files; however, I'm a monkey, so I skipped that and went to see if I can do command or argument injection, and I confirmed that. Unfortunately no screenshots, but I did it just by printing out the version of Java that he was using.

Let's dig even further now. Going to the documentation, I found this -J option for the javac command, which, quote, allows changing options for the runtime environment, and when you hear about changing something of the runtime environment, you could maybe change it to run my own thing instead. Digging even further, I found this javaagent option, which is a pretty cool feature. It's used for, quote, intercepting applications running on the JVM, which means that it's going to step in and run before the actual javac command parses things, which means that I can probably throw my own malicious code in there and just run whatever. So I tested it out, compiled my own agent and put that into the file name, exploiting that command argument injection so it's going to load it in as a Java agent, and then nice reverse shell on my professor's website. So cool.

I also thought it was good showing that and going down that tangent a bit, because it shows that breaking down of the actual process and testing each of the different points, and especially digging really deep into documentation and code, because there are a lot of weird features in applications and software that everyone's using which are there in the documentation, but just no one thinks about. Now we're on to the final case study, and some of you might guess what this is.
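The lesson of the javac story is that calling a program directly (no shell) stops command injection but not argument injection: a positional argument that starts with a dash is still parsed as an option. As an added example (not the professor's code, and not from the talk), here is the allow-list check a server would apply to archive entry names before they reach a compiler command line. The names, the `buildJavacArgv` helper and the sample ZIP listing are constructed for this example; `-d` is javac's real output-directory option.

```javascript
// Added example, not from the talk: validating user-supplied file names before
// they are placed on a compiler command line. Helper names and the ZIP listing
// are constructed; javac's -d (output directory) option is real.

// Bare Java source file name: identifier characters only, ending in .java.
const JAVA_SOURCE_NAME = /^[A-Za-z_$][A-Za-z0-9_$]{0,254}\.java$/;

// Returns the name if it is safe to pass as a positional javac argument,
// otherwise null. The leading-dash check is the point of the example: with no
// shell involved, a name starting with '-' is still read by javac as an option
// (the talk's -J case), so it must be rejected before argv is built.
function safeJavaSourceName(name) {
  if (typeof name !== 'string') return null;
  if (name.startsWith('-')) return null;          // would become an option
  if (/[\\/\0]/.test(name)) return null;          // no paths, no NUL bytes
  if (!JAVA_SOURCE_NAME.test(name)) return null;  // allow-list shape only
  return name;
}

// Build argv for an array-form spawn (no shell). Any bad entry fails the whole
// request rather than being silently dropped, so the user sees which names
// were refused and nothing unexpected reaches the compiler.
function buildJavacArgv(entryNames, outDir) {
  const rejected = entryNames.filter((n) => safeJavaSourceName(n) === null);
  if (rejected.length > 0) {
    return { ok: false, rejected };
  }
  return { ok: true, argv: ['javac', '-d', outDir, ...entryNames] };
}

// Constructed ZIP listing: one normal source, one path traversal attempt,
// one name that javac would parse as an option rather than a file.
const sampleEntries = ['Test.java', '../Other.java', '-Jsomething.java'];
console.log(buildJavacArgv(sampleEntries, 'out'));
console.log(buildJavacArgv(['Test.java', 'Helper.java'], 'out'));
```

The check is deliberately an allow list on the shape of a Java source name rather than a deny list of known-bad prefixes, so options that were not thought of are refused along with `-J`.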


I can't help myself. Some of you have probably heard my talks in the past about this, or seen my ramblings in a blog post somewhere, but if you're just not aware, Strapi is what's called a headless content management system. More traditional content management systems couple together the front end and the back end web components into a single product, whereas headless content management systems focus more on the back-end functionality, so it leaves developers free to build their own website, which then calls back to the headless CMS to get content. Strapi is one of the biggest ones.

So why did I start testing it? Well, I just got bored during New Year's and Christmas; there were no capture the flag events on, and I don't really have a social life. So yeah, I Googled "node.js CMS", clicked the top result, and yeah, it was Strapi, and after a few weeks I had some pretty bad vulnerabilities. I'm going to go through and dig into each one and explain how they work, except for that one. Long story short, basically it was a community contribution where the developers just forgot to verify a JWT for the AWS Cognito login provider, and then the Strapi developers were distracted by the rest of the pull request and were like, oh, merge is fine. Not that interesting, but yeah, let's get into the cool stuff: server side template injection to remote code execution.

So when you're doing source code analysis there are two different approaches (well, there are a lot more, but there are two main ones), where you do a top-down approach where you try and find your sources and see if they end up in different dangerous constructs. Here I did a more bottom-up approach, where I saw them using the Lodash template engine, and if you read the documentation for that template engine, it evaluates the text between delimiters as JavaScript code, which sounds awesome to me, because if I can put my own JavaScript code in there then that's an easy remote code execution vulnerability. So I looked for where I can put it in, and I noticed that as a super administrator you can modify these email templates, so I was like, oh, this is an easy win. I stole a payload from Twitter and threw it in there, and I got some error, and I was like, okay, let's look into what's the error. Oh, validation error, something's going wrong here, and here's the code. Yeah, it felt like this was happening to me.

And I was like, okay, I saw you using that dangerous function here, let me see what's actually the validation occurring. Oh no, regex patterns. Put your hand up if you can read that. It's also me, me neither. I had to cheat a bit, but I'll try to explain what's happening. Those regex patterns on the left, you can think of them as a deny list, where what they were trying to do was only allow one type of template delimiter to be used. There were quite a few you could use with Lodash; that one in the middle was the only one they wanted to use. That's easy to bypass. The hard one was the allow list, where, for the only allowed template delimiter, it was grabbing all the text in between and comparing it with an allow list, and if there was anything that didn't match it was completely rejected. However, they all made one mistake in each one of those three regex patterns, and I'm going to try my best to explain it. Pulling apart that example there, what that character class is actually saying is it's going to match any character except for the characters which are the curly brackets, and then when you combine that with the asterisk, you're basically saying match that token, which is the match-anything-except-curly-brackets, zero or more times. So you're basically saying match any set of characters except for the curly brackets, and then it's matching that between the dollar curly brackets thing. So if you put in one of those curly brackets which are excluded, you suddenly break the grouping and then just nothing ever matches. Here we go, just to explain: on the top there, clearly there are no curly brackets in between these characters and it correctly matches, but as soon as I throw one in there the regex pattern suddenly does not, because it's breaking the group, and it doesn't spot anything. All those regex checks have the same issue.

So yeah, cool thing, we can now manipulate the payload. I fully don't expect anyone to read that on these slides, so: roses are red, violets are blue, I have a proof of concept for you.

Now before I continue, as a security tester we normally quantify how bad a vulnerability is with risk ratings or CVSS scores and stuff, but let me introduce you to a new one: spicy level. So this is a certified high. You'll feel it the next day, but it's not that bad, because at least you need to be a super admin to exploit it. I wonder if there was a way to become a super admin.

Long title, I'll go ahead and explain this. How I found this one was I was just mucking around on the admin portal and I noticed they had this (oh, it's a bit hard to read) cool feature where you can filter users by their password reset token, which is the token for resetting the account password. I was like, oh, that's a good feature, I wonder if I can exploit this. It didn't actually show the actual value, but for some reason you were allowed to filter by it, and I was thinking, ah, I can probably filter not just by that token but by any private field for those user accounts. So let's step into it.

A bit of context as well about Strapi: Strapi has two APIs you can use. There was a GraphQL one, which was in front of all of this, but the REST API one was how you would call these REST APIs: you give a URL path of what you want to query, so that one up there is for querying the admin REST API, and what you do is add filters as GET parameters at the end of the URL. This filter here is basically saying, hey, filter by a user's password that starts with the character a, and then we can check and see, okay, the response length is zero, so we know that the user's password doesn't start with the character a. But it means that we can just brute force that character until we finally see a response length change, and we do that eventually when we hit the dollar sign, where suddenly it blows up and we get a different response, so we know that the password starts with the dollar sign, and we can just keep on doing it character by character to eventually leak out the full password hash. This was the initial proof of concept which I sent to them. Originally I thought you could only exploit this as an admin, and you can see that it just dumps out the user's password hash.

So yeah, I reported the vulnerability to them. I was about to go back to work and I was like, okay, they should be told about this as soon as possible, but at least it's only admins able to exploit this. But I was a little bit worried, and I just had a nagging feeling that it was a little bit worse. So later on I decided to dig into other things within Strapi, such as plugins, and I noticed they had this interesting author user relation in this comments plugin, and I thought, what if you can just filter by relational fields as well to get to whatever user account? And so this is how I confirmed the vulnerability: I'm now adding in a filter by that author user, and then we're going to filter the password hash again, and just to confirm the issue I'm going to see if the password hash starts with those characters, because all password hashes on Strapi start with `$2a`, and if we have a response length which is not zero then it's confirmed. Oh, we have a response length which is not zero, which means that we could do this all the way. Because Strapi automatically populates these fields: when you're on the CMS you can add content, and these created by and updated by fields were automatically being populated with the corresponding admin user that did that action. So I was like, could I just filter by those fields instead? Because if I could do that then nearly every Strapi server in the world would be vulnerable to this, because the whole point of Strapi is to serve content, but then you're exploiting the thing that's serving that content to dump out the data. So once again, just a short proof of concept: I'll change that relational field to created by, and I just made a collection called articles, and yep, we can dump that.

So getting pretty bad. Now let's make it worse: let's chain the two together to get unauthenticated RCE. The general process is you've got to first find one of those API collection endpoints which is open on the internet, and once you can do that you can just exploit that leak vulnerability to find an entry that was created by a super administrator user. Then once you've got that you just dump that email, do the forgot my password process, and then dump their reset token, and then you're free to change the password, log in, and then there's that remote code execution vulnerability from earlier. Cool. And this was the final proof of concept I sent. On the top there we find an entry that was created by that super admin, dump the reset token, and on the bottom we're getting a reverse shell there. So yeah, it's really bad. I did make a short video that summarised the whole story quite well, I hope that loads.

[Video plays] [Applause]

Right, let's go to the next slide.

But wait, there's more. After I did the disclosure, it inspired one of the... this guy Boegie, who was a big community developer within Strapi, to actually go through and look through it, and the cool thing was he figured out that, although Strapi was preventing filtering directly on those private fields, you could still filter by non-existent fields within the table. He then researched a bit further and found a pretty cool bypass, a similar vulnerability, so we're going to dig into it now. Here, for example, I query by some non-existent column and we get a 500 response, which gives us another SQL error. So let's dig into this further and see what's actually happening. Looking at the query that occurs, we can see that even though that column doesn't exist it's still being whacked into the query, but then Strapi is also putting these table aliases into the query as well, which means that although we couldn't, let's say, query by a user's password directly, we can then query by that table alias dot password. That was a really cool bypass. So Boegie informed me about it, and I was like, okay, let's dig into it and see how bad this is, and we found these different scenarios where it could be exploited. Fortunately it's not as bad as the original vulnerability, but I was thinking that it could impact other object relational mappers out there, because it seems like a fairly common thing to occur, but that's a project for another time. I just thought I would share that idea out to the world.

The reason why is that it's important that we share what we know and do these ramblings, because security is an iterative process, and I also like sharing with others what I know and what I've worked on and stuff, so that we all improve, and also to inspire not only security testers but software engineers as well. Strapi, and also Boegie, are a brilliant case study of this. I've been talking with Derrick, who was the main person I was reporting these vulnerabilities to at Strapi, and he was telling me about how the culture around security within Strapi has completely changed, where beforehand they would get reports and it was like, oh, it's another report, to actually viewing them with intrigue and doing those deep dives into understanding exactly what the issue is. And with the community developers as well, it was actually really cool seeing Boegie finding a bug and then going through and digging further and seeing how bad it was, because some of those (I didn't mention this in the slides), like that filter leak one, that was reported in about seven different GitHub issues on the Strapi repository, but no one connected the dots that you could do that. So it was great seeing the developers themselves actually finding these bugs and then digging into them further.

So what did we learn from this talk? Hopefully something. I hope some of you remember that input space partitioning methodology from earlier, because it's a quite helpful tool to identify test cases, and especially to find those weird bugs. I hope some of you learned about breaking down and understanding processes, and yeah, share your knowledge with others. But the most important thing is always throwing monkey gifs.

[MC] Very good.

[MC] We've got time for a question or two. Any questions?

[Audience question inaudible]

Probably the email template one was a pretty cool one just to stumble across, because I was like, oh, that code was sitting in the repository for years, it's been open source, and then it was just a nice little trick to bypass. Okay.

[Audience question inaudible]

Which one, the Christmas one? The Christmas one, okay. So the first two, the auth bypass and the code execution, that took fairly quick, so that was like two weeks. The filter leak one, it was such a universal problem within the CMS, like that whole feature was the whole point of Strapi, so it took about two months to fix. It was a pretty massive fix for them.

[Audience question inaudible]

And it was amazing, me being a no-life doing this on New Year's Eve, getting responses from another no-life. But yeah, no, it was pretty insane how fast they were responding to each of the reports.

[Audience question inaudible]

That's my job, yeah. So this, the open source stuff, is more just for fun, or when I get bored or there are no CTF events on. And yeah, and now we've got a full story from it. Any other questions?

[Audience] ...consider reporting it as a CVE?

Yes, I did. Well, what I did first was report it to the vendor, so I always check what the security disclosure policy is, but then I did send an email saying, look, we should do a coordinated disclosure of this, because that way we can inform others about it with the CVE. And also, because I was doing this for fun and stuff and a big part of it is me showing off and explaining about it, I did say I would be releasing a write-up about it, but I focused more on the technical details and not just being like, here's a proof of concept, go and hack all the other servers. It was more like the actual technical details, so the people that knew and could understand it could figure it out. Saying that, it was a bit funny: one of my friends was using Strapi and he was going through (I gave him some indicators of compromise which I wrote), and it was funny seeing all the bots which pretty much thought my example of the articles was a proof of concept and were scanning through and trying to exploit it without actually reading the article and realising there was a lot more nuance to it.

[Audience question inaudible]

Which one, the RCE one? Yeah, so the RCE one took about a few hours. The leak one probably took a bit longer, but it was more like I was just going back to work, and every now and then after work I was just looking at it a little bit, and then something just connected the dots that you could do it by those relational mappings, and that's when it went down that rabbit hole. So I'd probably say a bit longer for that one.

[Applause]

Coming up first of September, join along, I've put some web challenges in which should be fun.