From Hunting for a Laptop to Hunting down Remote Code Execution







Write-Up By Anil Tom
It was another ordinary day that I came home from office and was chatting with my roommates, when one of my friends called up and told he wanted to buy a new laptop and needed some suggestions. So I went online and began hunting for laptops that met his requirements. I was reading about one of the Asus RoG models, when suddenly the Bug Hunter in me woke up and I asked myself why I shouldn’t Recon the Asus website.




So I began my recon of the website, and spent a whole night looking for a bug on their main domain and did not find anything…




The next day morning I went to my office, but my mind was still on the Asus bug hunt. That evening I got a notification on my mobile that there was an update for the Termux app. And suddenly my Bug Hunter senses tingled, and I thought, “Why don’t you run a sublister against asus.com on the mobile?”




I randomly selected one of Asus’ sub-domains, specifically http://stw.asus.com/ and was greeted by this page




After seeing this page I felt confident that they were running Microsoft server. It was 5.30 then, so I shutdown my PC and went back to home. Once there, I took my laptop and opened the website. Recalling that a few days prior one of my 1337 friend Rahul had told me about the WEBDAV REMOTE CODE EXECUTION Bug, I decided to check for it.
Aside, What is WEBDAV?
Web Distributed Authoring and Versioning ( WebDAV ) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by one of the Internet Engineering Task Force group
I began to check whether WebDAV was enabled. and tried to Add a network location from my laptop to the website




Now usually when I trying connecting to something that I don’t have access to, it always shows an irritating pop-up, like this one:




But when I tried it with http://stw.asus.com/ it proceeded to the next step:




Yes! It connected, and at that time I was like




I completed the addition of the network location, opened the folder, created a new file and saved it:




Then I opened that file in the web browser and saw this:




At that time I was like:




Following this, I made a PoC video and reported it to the Asus team.
Timeline
May 02 Reported the Issue
May 03 Initial Reply
May 07 Fixed and HOF approved for May 2018
Jun 02 Listed in HOF

Comments

Post a Comment

Popular posts from this blog

Security Bugs in Practice: SSRF via Request Splitting

One of the most interesting (and sometimes scary!) parts of my job at Mozilla is dealing with security bugs. We don't always ship perfect code – nobody does – but I'm privileged to work with a great team of engineers and security folks who know how to deal effectively with security issues when they arise. I'm also privileged to be able to work in the open, and I want to start taking more advantage of that to share some of my experiences. One of the best ways to learn how to write more secure code is to get experience watching code fail in practice. With that in mind, I'm planning to write about some of the security-bug stories that I've been involved in during my time at Mozilla. Let's start with a recent one:  Bug 1447452 , in which some mishandling of unicode characters by the Firefox Accounts API server could have allowed an attacker to make arbitrary requests to its backend data store. The bug: corruption of unicode characters in HTTP request path It
Read more

Object name Exposure — ING Bank Responsible Disclosure Program

Image
Heading: Object name Or Internal Architecture Getting Exposed because Of Deserialisation Error NOTE: Usually i only copy/paste my conversation in medium am not having enough time to write these blog posts properly i am sharing this only for learning purpose not for earning my followers. 😐 👊 Hi, I am Rohit Kumar a Security Researcher and Bug Hunter from India. Vulnerability:  Information Disclosure &   Internal Architecture Disclosure — — — — — — — — — — — — — — — - Reproduction Steps — — — — — — — — — — — — — — — - 1. Login into =>  https://developer.ing.com 2. Now go to your Profile for Updating it 3. Edit your name and save it (At this step intercept your request using burp suite) 4. Now, At this endpoint PATCH  /individuals/791345bc-9444–4edc-9955–1b78e86fddfd/individualNames/EifQPFiEYfMiU- 3FODj3sT736QkPuGe4nigpckH2fEqkaitoTfuLjGG3Lu9UDN84DDCkrGf0y8Lx89HLHcUrFfcb HTTP/1.1 Host:  api.developer.ing.com You will notice a json text in request body
Read more

User Account Takeover [Password Change]— Nice Catch!

Image
Writeup By Rohit Kumar Image Credits: Record Future Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically? Summary : In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time. About Target:  Target was From a private program. So, let’s assume the target is site.com Reproduction steps: Login into your site.com account. Navigate to  https://www.site.com/users/[user_id]/edit Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_name] // For c
Read more