See how I found the Apple official website Apple. com Unrestricted File Upload vulnerability-vulnerability warning-the black bar safety net

2018-07-11T00:00:00
ID MYHACK58:62201890774
Type myhack58
Reporter 佚名
Modified 2018-07-11T00:00:00

Description

! Previous article, I shared the Amazon websiteXSSvulnerability and Bol. com open redirection vulnerability, today I and everyone talk about insecure server configuration problem, a lot of times, the server configuration errors will cause some columns to the directory or unrestricted file upload vulnerability. Take I before long encountered a security test, for example., the target site absolutely is cow big the big company Apple.com Yes, you read that right, Apple, I discovered its website a Unrestricted File Upload vulnerability. Finally, I also therefore tested for vulnerabilities to harvest the Apple official the money for the bounty, as well as vulnerabilities in the Hall of fame into the list of Acknowledgements. Well, we take a look at this Apple official website of the Unrestricted File Upload vulnerability. The target stepping point The first Cup of coffee, and then the promoter domain detection program Aquatone, the Aquatone regarded as a preliminary reconnaissance tool, which can through open source information and the dictionary mode maximum range to identify the target web presence is a subdomain of the site. ! Aquatone has four different commands to perform the functions of: 1. Aquatone-discover: from open source information to find the target site related to a different subdomain or common subdomain; 2. Aquatone-scan: for Aquatone-discover the results of the different sub-domain name of the website to port scan; 3. Aquatone-gather: for each sub-domain website created snapshot, and the formation of the final a copy of the HTML report. 4. Aquatone-takeover: try lookup from an external host or a service hosting some of the non-active, i.e., the target site has been abandoned is not with the subdomain. If you find such a sub-domain name, you can re-renew the registration once again take it over, to achieve indirectly the hijacking, reported after sitting and the like receiving the bounty. This has a number of EdOverflow big cow in such a way to achieve domain name hijacking case. Waiting for the recognition result Generally speaking, the Aquatone process of identifying the need for more than ten minutes of time, scan, detect, verify, report of the molding. In the end, here's Apple. com before and after Fear took almost half an hour, and finally to 1 million more than one host was scanned, generating up to 84 parts of the HTML report. Am I the first one with Aquatone scan Apple. com the official website of the people? Of course not. Estimation is also afraid of no one seriously reading this 84 parts of a HTML report. Then we went from the 50th report of the beginning of it, to carefully analyze the final 34 report. Looking for the exception With more than 50 minutes of time, I carefully looked at this 34 Report, want to try to find some clues. It just so happened, in which a part of domain name website report is found in the Apple company using multiple AWS S3 cloud storage service to host the file, if we can get one of these S3 bucket(bucket access, you can indirectly achieve which relates to the Apple.com subdomain of website hijacking. ! You want to carefully read all the Aquatone generated 84 parts of HTML reports can be quite of boring, that we take a little different way. All HTML reports are included in the one sent from the server to the header, and S3 bucket will also be sent to a named X-Amz-Bucket-Region of the head of the message, that we come to in the report, try to look at this message header field. ! Now, we will one by one manually to open these relates to the S3 bucket(bucket)subdomain and try to access the corresponding link, almost all of these subdomain sites will return a Access Denied Access denied-response. ! The test target Go through it again manually after the visit, only the subdomain website http://live-promotions.apple.com the content of the response is different, the response page contains the S3 bucket name and directory information. ! Now, with the S3 bucket name, we can try to connect it give it a try, the specific S3 bucket connection method can refer to here – aws. We need to install the AWS command line interface program, and then according to the response page in the S3 bucket name for remote connections. Install a good command line interface after the program, to know the S3 bucket name, then we try to see if I can upload something to the above, it is a phishing page go give it a try and see resolve the situation: aws s3 cp login.html s3://$bucketName –grants read=uri=http://acs. amazonaws. com/groups/global/AllUsers OK, turned out to be, but also the successful parsing, the GOD of: ! ! Vulnerability Can to vulnerable live-promotions.apple.com website upload of a phishing page; Can steal the user's sub-domain to share Cookie Information; Can from S3 bucket access to some sensitive file information, which contains the xcode project related stuff. Summary Now, we are on this Apple the subdomain site with full read and write control, with said that the perfect could to the real ones to the phishing page, the foot can be achieved for Apple user password or Cookie theft. For this vulnerability the solution, that is, to the S3 bucket for strict security reinforcement, concrete can refer to the AWS access control policy. Vulnerability reporting process 2018-6-19 found to the official Apple reported vulnerability 2018-6-19 Apple official confirmation of the vulnerability 2018-6-19 Apple security team to fix the vulnerability 2018-6-22 Apple will be I included in the vulnerability of thanks to the Hall of Fame of course, I also received a Money bounty