Yesterday while reading my Twitter stream I found this interesting article about downloading GitHub SSO bypass codes. Same as Yasin Soliman I was invited to a Github pre-release of the organisation SAML single sign-on (SSO) private program. And same as him I found an issue in the same endpoint. So I thought to write a quick blog post about it.
Github already published a tl;dr about this,
I will try to fill the blanks here.
As mentioned by Yasin, Github offers an endpoint where privileged users can recover bypass codes. These recovery codes were accessible for download as plaintext and had the content-type as text/plain , something like:
So I thought I could do something similar here. It did not take long until I found the right approach.
But without waiting any further HERE is the live POC. The nut of the trick is to define a valueOf function for the corresponding variable:
and enumerate them all!!
Caveat #2: We are talking about enumerating/brute-forcing 5 hex digit variables that requires a considerable effort, but is far from be unfeasible. A rough calculation tells us that we need to define about 16^5 variables that are about 1048576!
06-03-2017 - Reported the issue via Hackerone.
07-03-2017 - Github triaged the issue.
16-03-2017 - Bounty awarded
I would like to thank the Github security team, you guys rock, really!!