Friday, July 19, 2019

Microsoft ID Open Redirect

Recently I submitted a Microsoft Bug Bounty report for an Open Redirect vulnerability in their Identity product. I found it by searching for keywords in intercepted traffic in Burp Suite like "redirect", "dest", "url", etc. The finding was rejected by their security team, and I have approval to post about it here. I can understand why this might be considered an acceptable risk; it happens during logout, so no credentials can automatically be passed on to an attack server in this way. It would definitely require social engineering effort to exploit it. I tried out setoolkit to spoof the sign-in page and redirect them there (by spoofing the page URL that ends with prompt=sign-in and not none or select_account, so that both username and password can be collected; otherwise it auto-populates the username). (However, there are already protections against changing a similar parameter for their sign-in process, so I'm not sure why that functionality wouldn't be extended to sign-out as well...)

Edit the URL to redirect to ATTACKSERVER/signinGET.html, where the spoof page is located:



User logs in:



Page sends credentials as parameters:



Attacker can view credentials:

Wednesday, July 3, 2019

Location-based Mobile Game Workaround

Here is a way to obtain items on-the-go while playing a popular location-based mobile game. Frequently I find that as a car passenger, I can use the game for some things at high speeds, but the actual stops/locations that offer the monetized items don't allow me to keep the items even if I manage to select them while driving by. It's important to me to be able to do this, because I don't want to spend money on the game and I live in a rural area that doesn't have a lot of these stops. However, if I turn my location services off while passing one of these locations, I'm able to receive the items! On a few occasions, I've even been able to "sit" on it with the location off, “exit” the shop in-game, then once the timer renews, select it again to collect more items later, no matter where I physically am. In this way I can play the game for free and conveniently without having to park at specified locations. (Note that location spoofing has become more difficult without having to root your phone or download old sketchy versions of services, which could be a security hazard.)

I will edit this to include details if they end up patching it…

Saturday, June 1, 2019

ctrl + s to Escape Chrome Kiosk

Consider a tablet at a store kiosk where the owner wants to display one particular web page to users. They don't want the user to have access to any other programs or files on the tablet. In this case, they are running Chrome in a restricted mode, using this command:

 chrome.exe --kiosk "keepuseronthispage.com"

In theory, this restricted mode doesn't allow the right-click context menu, doesn't show the browser address bar or the taskbar, and keeps the user out of the system. So... how do we access the rest of the system? Well, if it's a Windows machine, as in this case, kiosk mode can easily be bypassed if the user presses ctrl + s.


Use the "Save As" file explorer window that pops up to run cmd.exe. Now you have access to all the local resources.

NOTE: This doesn't seem to work on Mac OS...which is probably for the best.


Tuesday, May 28, 2019

Running Unicorn Payload Through Web Shell

This is for escalating a low-privileged web shell to a Meterpreter shell. In this example, the PowerShell execution policy was changed (using the web shell) to RemoteSigned using powershell Set-ExecutionPolicy. The normal method of storing a unicorn reverse-https payload on disk wasn't working, since the file couldn't be written to the server (either because of permission restrictions or because it was picked up by antivirus).

Take the contents of the generated unicorn payload file and run it as a PowerShell command through the web shell in the browser:

Bypass Auth Lib


Recently I found a problem with an authentication library. The hyperlink the user clicks to access private content looks something like this:

https://www.authenticateme.com/auth.asp?url=http://www.privatecontent.com/1337



So normally, after the user enters their credentials on the auth.asp page, they are redirected to privatecontent.com/1337... or they could just go directly to that page, bypassing any security restrictions. They can then enumerate and access other content based on the pattern of the URL.

Additionally, this qualifies as an open redirect, since an attacker could substitute their own server's address in the "url=" parameter, send the link to a victim, and then receive the credentials passed through the authentication page.
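Both the Microsoft ID logout issue above and this auth library share the same root cause: a redirect parameter that is passed to the browser without being checked against the hosts the application actually owns. The following is an added example of the server-side fix, not code from either product or from the original post; the host allowlist, the default landing page and the evil.example host are constructed for illustration, and the check deliberately accepts https destinations only.

```python
from urllib.parse import urlsplit, urljoin

# Hosts a post-auth or post-logout redirect may target. Constructed for this
# example; a real deployment would load these from configuration.
ALLOWED_HOSTS = {"www.privatecontent.com", "privatecontent.com"}
DEFAULT_LANDING = "https://www.privatecontent.com/"


def safe_redirect_target(url_param: str, base: str = DEFAULT_LANDING) -> str:
    """Return a redirect destination that stays within ALLOWED_HOSTS.

    The vulnerable pattern is redirect(request.args["url"]) with no check at
    all. This helper is the hardened replacement: anything that does not
    resolve to an allowed host over https falls back to DEFAULT_LANDING.
    """
    if not url_param:
        return base
    # Browsers treat backslashes as slashes, so "/\evil.example" is really a
    # protocol-relative URL. Normalise before parsing so the check sees it.
    candidate = url_param.strip().replace("\\", "/")
    # urljoin resolves a relative path ("/1337") against our own origin and
    # turns scheme-relative input ("//evil.example") into an absolute URL,
    # which makes the foreign host visible to the allowlist check below.
    resolved = urlsplit(urljoin(base, candidate))
    if resolved.scheme != "https":
        # Covers http:, javascript:, data: and anything else unexpected.
        return base
    # .hostname is lowercased and has userinfo and port stripped, so
    # "www.privatecontent.com@evil.example" and "www.privatecontent.com.evil.example"
    # are judged by the host the browser would actually connect to.
    if resolved.hostname not in ALLOWED_HOSTS:
        return base
    return resolved.geturl()


if __name__ == "__main__":
    for sample in ("/1337", "//evil.example/phish",
                   "https://www.privatecontent.com@evil.example/"):
        print(f"{sample!r:50} -> {safe_redirect_target(sample)}")
```

The redirect check does not fix the second problem in the post: privatecontent.com/1337 must enforce its own authorization, because any page reachable by URL without a session check is reachable whether or not auth.asp was ever visited.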