How Pocket's internal network was broken into - Vulnerability alert - Black Bar Safety Net (黑吧安全网)

ID MYHACK58:62201566161
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-08-25T00:00:00


IT security media recently reported that the developers of the Pocket application fixed several data-leak vulnerabilities through which an attacker could obtain sensitive information from the server. The write-up below is offered for everyone to learn from and discuss.

What Pocket is: I have not used Firefox as my main browser for many years, so I had never heard of Pocket until I came across a Bugzilla thread about the Mozilla Foundation pre-installing the Pocket add-on in every version of Firefox, with no way to uninstall it. Although this drew strong protests from users, the Foundation stubbornly kept bundling Pocket. Pocket lets users save web pages to "read later": pages you want to read, or did not finish reading, are marked, synced to Pocket's servers, and can then be read on a different device. As an information security practitioner, I have found that this kind of feature usually leads to security problems, so I decided to check whether Pocket had any. The vulnerabilities found can be exploited with the bare minimum of effort: no complex tools are needed, not even scripting knowledge.

Try 1: Protocol handler

A user can add URLs to their queue through the queue management function on Pocket's website. Since the application's main purpose is to browse online pages, the URL should be restricted to http and https links only. So the first thing I tried was adding the following links to the queue:

file:///etc/passwd
ssh://localhost
telnet://localhost:25

Unfortunately, none of these worked.

Try 2: Using Pocket as an internal web proxy

I had previously seen an Apache error message on an Apache server-status page. This error usually appears when .htaccess or the Apache configuration restricts access to server-status to localhost or certain trusted networks:

Forbidden

You don't have permission to access /server-status on this server.

I added a new link to my Pocket queue: . After it is added, the backend server sends an HTTP request to fetch the content. Would Apache trust a request coming from localhost? It turns out this trick works very well; afterwards I saw the following in my Pocket queue:

Apache Server Status for

Server Version: Apache/2.2.29 (Unix) DAV/2
Server Built: Mar 12 2015 03:50:17
Current Time: Tuesday, 28-Jul-2015 10:07:45 CDT
Restart Time: Tuesday, 28-Jul-2015 03:20:12 CDT
Parent Server Generation: 12
Server uptime: 6 hours 47 minutes 32 seconds
Total accesses: 241913 - Total Traffic: 4.1 GB
CPU Usage: u1209.24 s110.06 cu0 cs0 - 5.4% CPU load
9.89 requests/sec - 177.5 kB/second - 17.9 kB/request
40 requests currently being processed, 14 idle workers
...

All of the server-status output was synced to my Android device. Apache's mod_status can display a great deal of useful information, including the source and destination IP addresses of internal requests, the URLs being requested and their query parameters. In Pocket's case the request URLs include the URLs that Pocket users are reading, because these requests are made via HTTP GET. Setting ExtendedStatus to Off in the Apache configuration hides this per-request information. Most of Pocket's backend servers had ExtendedStatus turned off, but a small number still had it on, so an attacker could obtain this useful information from them. In addition, by changing the GET parameters of the server-status request an attacker can force Pocket to re-download the page, so the request may land on a different backend server.

Pocket runs on Amazon EC2

Since this vulnerability lets a user obtain information about Pocket's backend servers, let us see what else it yields. A simple dig command shows that Pocket uses Amazon EC2 servers. EC2 provides an instance metadata service, reachable only from inside the instance, without authentication, on every EC2 instance. We can try to use this service to obtain more information: after adding the corresponding link to the Pocket queue, I could see the full server response.
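For the server-status side of this finding, the configuration below is an added example (not Pocket's or the article's own configuration) of a mod_status setup that keeps per-request details out of the page and limits who can read it. It assumes Apache 2.2 access-control syntax, matching the Apache/2.2.29 banner above, and an admin network of 10.1.2.0/24 that is a placeholder.

```apache
# Added example: hardened mod_status (Apache 2.2 syntax; for 2.4 use
# "Require ip 127.0.0.1 ::1 10.1.2.0/24" in place of the Order/Deny/Allow lines).

# Weak setting: every worker's current request URL, client and query string
# is rendered into the page, which is what leaked Pocket users' URLs above.
# ExtendedStatus On

# Corrected: only aggregate counters (uptime, load, worker states) are shown.
ExtendedStatus Off

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    # Loopback plus a placeholder admin network. Note the caveat below:
    # an allow rule for 127.0.0.1 is exactly what an SSRF from the same
    # host rides on, so prefer a dedicated admin range over loopback.
    Allow from 127.0.0.1 ::1 10.1.2.0/24
</Location>
```

The caveat is the point of the article: an ACL keyed on localhost does not help when the request is issued by a service on that very host, so this configuration limits what leaks rather than closing the SSRF. The fetcher itself has to refuse internal destinations.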
The EC2 metadata contains a lot of information useful to an attacker, including IAM credentials and instance details such as availability zone, instance type, network type, MAC address and block device mapping. The attacker can also:

- port-scan HTTP services on localhost, which bypasses the EC2 firewall rules;
- analyse the port scan results to identify open web applications;
- exploit them from inside Pocket's environment. Many large enterprises and small companies run web applications that are reachable only internally; these often require no authentication, which makes them easy for an attacker to exploit.

Can the internal IP addresses from server-status be used?

From the Amazon EC2 metadata we saw that Pocket's EC2 servers are in the us-east-1 (US East-1) region and that the network type is classic. (EC2 offers two network types, EC2-Classic and VPC. VPC is the better option; some instance types are VPC-only, and VPC gives more flexibility when creating subnets and Access Control Lists (ACLs).) Because Pocket uses EC2-Classic, reaching the internal IP addresses shown in server-status only requires renting a t1.micro instance in the us-east-1 region for 2 cents an hour. From there, an attacker can use the RFC 1918 addresses to reach services running on those instances, such as ssh and http, and can even port-scan them. Using these internal IP addresses to reach the backend servers has several advantages: it bypasses the front-end load balancer and any front-end WAF or similar device, and where a front-end load balancer is present, the attacker can set X-Forwarded-For to alter the recorded source IP address, which can be used to evade ACLs or falsify logs.

Input redirection

Applications like Pocket are likely to overlook certain issues when handling HTTP redirects, creating a security risk. So what happens when a redirect link is added to the URL queue?
When I entered file:///etc/passwd, the consequences were serious:
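The three findings above (the scheme test in Try 1, the localhost and EC2 metadata fetches in Try 2, and the redirect handling just described) all come down to one missing control: the backend fetcher never checked where it was being sent. The following is an added example, not Pocket's code, of what that check looks like: an allowlist of schemes, a resolve-then-reject test for loopback, RFC 1918 and link-local addresses (the metadata address 169.254.169.254 is link-local), and manual redirect following so that every hop is re-checked. The function names, the constructed DNS table and the fake fetcher are assumptions made for this illustration.

```python
"""Added example, not Pocket's code: a URL validator and redirect-aware
fetcher of the kind the three findings above call for. The function names,
the constructed DNS table and the fake fetcher are assumptions made for
this illustration."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}      # Try 1: no file://, ssh://, telnet://
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


def resolve_all(host):
    """Default resolver: every address (A and AAAA) the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr_str):
    """False for loopback, RFC 1918, link-local (which includes the EC2
    metadata address 169.254.169.254), multicast, reserved and unspecified."""
    addr = ipaddress.ip_address(addr_str)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url, resolver=resolve_all):
    """Return (ok, reason) for a single URL a user asked the backend to fetch."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except OSError:                       # socket.gaierror is an OSError
        return False, f"cannot resolve {host!r}"
    if not addrs:
        return False, f"no address for {host!r}"
    # Every address must be public: one internal A record is enough to turn
    # the fetcher into an internal proxy (Try 2).
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


def safe_fetch(url, fetch_one, resolver=resolve_all):
    """Follow redirects by hand so every hop is re-checked (input redirection).
    fetch_one(url) must return (status, headers, body) WITHOUT following
    redirects itself, otherwise intermediate hops escape the check."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_url(current, resolver)
        if not ok:
            raise ValueError(f"refused {current}: {reason}")
        status, headers, body = fetch_one(current)
        if status in REDIRECT_CODES and "Location" in headers:
            current = urljoin(current, headers["Location"])
            continue
        return current, body
    raise ValueError("too many redirects")


# ---- constructed fixtures so the example runs offline ----------------------
FAKE_DNS = {
    "example.com": {"93.184.216.34"},           # constructed public address
    "internal.example": {"10.0.5.7"},           # RFC 1918
    "localhost": {"127.0.0.1", "::1"},
}


def fake_resolver(host):
    """Stand-in for DNS: table lookup, IP literals pass through."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        ipaddress.ip_address(host)
        return {host}
    except ValueError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


FAKE_SITE = {
    "http://example.com/ok": (200, {}, b"public page"),
    "http://example.com/hop": (301, {"Location": "/ok"}, b""),
    # An external page that bounces the fetcher at the metadata service.
    "http://example.com/bounce": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, {}, b""))


if __name__ == "__main__":
    for u in ("file:///etc/passwd", "ssh://localhost", "telnet://localhost:25",
              "http://localhost/server-status", "http://internal.example/",
              "http://169.254.169.254/latest/meta-data/", "http://example.com/ok"):
        print(u, "->", check_url(u, fake_resolver))
    print(safe_fetch("http://example.com/hop", fake_fetch, fake_resolver))
    try:
        safe_fetch("http://example.com/bounce", fake_fetch, fake_resolver)
    except ValueError as e:
        print("blocked:", e)
```

Two design points are worth noting. The redirect loop deliberately does not use a client library's automatic redirect following, because that is the path by which an approved external URL can hand the fetcher an internal one. And the check resolves the name once while the real HTTP client resolves it again at connect time, so a DNS name whose answer changes between the two lookups (DNS rebinding) can still slip through; a production fetcher should connect to the address it validated and send the original name in the Host header, or apply the same address test inside the socket connect hook.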
