Posts

Exploiting Command Argument Injections With Openssl and Tar

One of the more interesting bug bounties I have come across required chaining two “argument injection” vulnerabilities along with a number of smaller data validation vulnerabilities to achieve remote code execution. The target application was an enterprise server with an administrator feature for downloading a backup and later restoring from the downloaded file. Unsurprisingly, this “restore from backup” feature involved uploading a file over HTTP, and as is often the case the file upload was being processed in an insecure way. I am breaking this post down into a vulnerabilities section that provides some pseudocode and analysis of the vulnerable component, and an exploit section that contains details of the triple-upload exploit.

The Vulnerabilities

Here is some Java code that demonstrates how the “restore from backup” feature processed the uploaded file. I changed the real password to “secret123” because, humorously, the hard-coded password that they chose actually would ident

De-Anonymizing User Accounts Through Password Correlation

Executive Summary

We demonstrate that a large number of anonymous account users who are savvy enough to have complex passwords but still use their regular password with an anonymous account are vulnerable to being de-anonymized by even the limited credential leaks available to the public. This is demonstrated against Tormail, a now-defunct anonymous email service that provided a high degree of anonymity for its users. With an old but recently published email/password dump we were able to de-anonymize, with a high degree of certainty, more than 16% of the 1019 Tormail accounts found. This was done by finding Tormail accounts with sufficiently complex passwords and linking them to non-anonymous email accounts that used the same or similar passwords.

Introduction

If a password is rare enough, then it uniquely identifies the person who uses it. If a person uses the same unique password with multiple accounts, then that password can be used as a digital fingerprint to link those acc