Episode 27 Blogcast: Seven Esoteric Bugs Creeping Behind the Scenes
What are the bugs we don't really hear about? Join us to learn of some outliers that you should absolutely add to your arsenal!
Hey there Critical Thinkers! Didn’t mean to keep you waiting. After some much needed rest, I’m back to bring you your regularly scheduled programming. 🔥
- JXoaT
News and Opinions
Assetnote on ShareFile RCE
Assetnote discovered an RCE in ShareFile: a path traversal through an unsanitized parameter called "upload ID" bypassed the authentication checks and allowed arbitrary file access. A valid parent ID was needed, but "valid" only meant any string that successfully underwent AES decryption, which was attainable within 128-256 brute force attempts. The hosts used this exploit to highlight the difference between validation and verification, emphasized the importance of Python for writing proof-of-concepts, and warned about the pitfalls of depending solely on libraries for validation and verification.
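The validation-versus-verification distinction is easier to see in code. The following Python is an added illustration, not ShareFile's code or Assetnote's proof-of-concept: the flawed check accepts any identifier that merely decrypts cleanly (simulated with a hash standing in for unauthenticated block-cipher decryption of attacker-controlled bytes, so no real AES is involved), while the hardened path verifies an HMAC tag, checks that the authenticated user owns the folder, and confines the upload ID to the folder on disk. The key, folder names, ownership table and upload root are all constructed for the example.

```python
import hashlib
import hmac
import posixpath
import random
from typing import Optional

# Everything below is constructed for illustration; none of it is ShareFile's
# code, key material, or identifier format.
MAC_KEY = b"constructed-server-side-key"                 # assumed secret held only by the server
UPLOAD_ROOT = "/srv/uploads"                             # assumed base directory for stored files
OWNED_PARENTS = {"user-42": {"folder-7", "folder-9"}}    # assumed ownership table: user -> folders
BLOCK = 16


def pkcs7_unpad(plaintext: bytes) -> Optional[bytes]:
    """Return the unpadded bytes, or None if the PKCS#7 padding is malformed."""
    if not plaintext or len(plaintext) % BLOCK:
        return None
    n = plaintext[-1]
    if n < 1 or n > BLOCK or plaintext[-n:] != bytes([n]) * n:
        return None
    return plaintext[:-n]


def simulated_decrypt(ciphertext: bytes) -> bytes:
    """Stand-in for unauthenticated decryption of arbitrary bytes under an
    unknown key: the output is a pseudo-random function of the input. This is
    a simulation (SHA-256), not a cipher, and exists only to drive the check."""
    return hashlib.sha256(MAC_KEY + ciphertext).digest()[: len(ciphertext)]


def validation_only_accepts(parent_id: bytes) -> bool:
    """The flawed 'validation' check: the ID is good whenever it decrypts
    without a padding error. Nothing ties it to a record or a user."""
    return pkcs7_unpad(simulated_decrypt(parent_id)) is not None


def acceptance_rate(trials: int, seed: int = 7) -> float:
    """Fraction of random 16-byte IDs the validation-only check accepts.
    Random padding is valid with probability about 1/256 (last byte 0x01)
    plus smaller terms, which is why a few hundred guesses suffice."""
    rng = random.Random(seed)
    hits = sum(validation_only_accepts(rng.randbytes(BLOCK)) for _ in range(trials))
    return hits / trials


def mint_parent_id(folder: str) -> str:
    """Hardened issuance: the ID carries an HMAC tag, so a guessed or random
    string fails integrity before any further handling."""
    tag = hmac.new(MAC_KEY, folder.encode(), hashlib.sha256).hexdigest()
    return f"{folder}.{tag}"


def verify_parent_id(parent_id: str, user: str) -> Optional[str]:
    """Verification, not validation: integrity (tag matches), then
    authorization (the authenticated user owns the folder)."""
    folder, sep, tag = parent_id.rpartition(".")
    if not sep or not folder:
        return None
    expected = hmac.new(MAC_KEY, folder.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if folder not in OWNED_PARENTS.get(user, set()):
        return None
    return folder


def resolve_upload_path(folder: str, upload_id: str) -> Optional[str]:
    """Confine the user-supplied upload ID: normalise lexically (POSIX rules)
    and reject anything that escapes UPLOAD_ROOT/folder or names the folder
    itself. Real deployments should also resolve symlinks before use."""
    base = posixpath.normpath(posixpath.join(UPLOAD_ROOT, folder))
    target = posixpath.normpath(posixpath.join(base, upload_id))
    if target == base or posixpath.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    print(f"validation-only acceptance rate: {acceptance_rate(50000):.4f}")
    good = mint_parent_id("folder-7")
    print("owner:", verify_parent_id(good, "user-42"), "| stranger:", verify_parent_id(good, "user-99"))
    print(resolve_upload_path("folder-7", "report.pdf"), resolve_upload_path("folder-7", "../../etc/passwd"))
```

Two design points: the padding check is kept only because it is the gate the flawed check relied on, and the hardened version never reaches filesystem code until integrity, ownership and path confinement have all passed in that order.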
Appliance Hacking
Orange studying in the wild
If you don’t follow Orange Tsai by now, you need to. They discovered a vulnerability in the Google Search Appliance, an on-premise version of Google Search that seems to be largely deprecated. Orange bought an old model on eBay and obtained firmware from an old, obscure Google group that had been left public. Using brute force methods and analyzing network services, they discovered two simple yet effective vulnerabilities, a Local File Inclusion (LFI) and a shell injection, both exploitable remotely. Despite the discovery, Google deemed the issue insufficiently severe to merit a reward, probably because of the limited user base of the affected product. Regardless, you still get points with us!
shortscan
Bitquark has launched shortscan, a tool for the tilde enumeration method, which abuses Windows short names on IIS servers. This lets users uncover the first six characters of any file or folder name, as well as the first three characters of the file extension. Shortscan also uses new techniques to ascertain the full file name and path, providing information that's crucial for effective recon. The tool matters because many IIS servers are vulnerable by default, which is exactly why defenders need tooling that surfaces the weakness. It builds on previous tilde-enumeration tools while adding new efficiencies and methods.
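To judge what tilde enumeration would reveal about a given web root, it helps to know how Windows derives a short name from a long one. The Python below is an added model of that derivation, not shortscan's code or Microsoft's implementation: it follows the documented basic rules (drop spaces, map characters illegal in short names to underscores, drop inner dots, uppercase, keep six base characters plus "~n" and three extension characters). Collision numbering past the first few entries, where NTFS switches to a hash-based short name, is not modelled, and the sample file names are constructed.

```python
import re
from typing import Dict, Iterable, Optional

# Characters legal in long names but not in 8.3 short names; assumed to map to
# underscores per the documented basic rule (NTFS corner cases are not modelled).
ILLEGAL_IN_SHORT = set("+,;=[]")
_VALID_8DOT3 = re.compile(r"[^. +,;=\[\]]{1,8}(\.[^. +,;=\[\]]{1,3})?")


def _clean(part: str) -> str:
    """Apply the per-component rules: strip spaces, replace illegal characters, uppercase."""
    part = part.replace(" ", "")
    return "".join("_" if c in ILLEGAL_IN_SHORT else c for c in part).upper()


def is_valid_8dot3(name: str) -> bool:
    """True when the long name already fits 8.3; Windows then creates no
    separate short name, so tilde enumeration has nothing extra to reveal."""
    return _VALID_8DOT3.fullmatch(name) is not None


def candidate_short_name(long_name: str, n: int = 1) -> Optional[str]:
    """The first tilde short name Windows would generate for long_name, or
    None when no short name is needed. n is the collision counter (~1, ~2, ...)."""
    if is_valid_8dot3(long_name):
        return None
    base, sep, ext = long_name.rpartition(".")
    if not sep or not base:
        # no extension, or a leading-dot name such as .htaccess
        base, ext = long_name.lstrip("."), ""
    base = _clean(base).replace(".", "")   # inner dots are dropped from the base
    ext = _clean(ext)
    short = f"{base[:6]}~{n}"
    return f"{short}.{ext[:3]}" if ext else short


def tilde_exposure(names: Iterable[str]) -> Dict[str, str]:
    """Map each long name that gets a short name to that short name, i.e. the
    prefix and extension an enumeration scan could learn about it."""
    result = {}
    for name in names:
        short = candidate_short_name(name)
        if short is not None:
            result[name] = short
    return result


if __name__ == "__main__":
    # Constructed sample listing of a hypothetical web root.
    sample = ["Web.config", "backup_archive.tar.gz", "my report.docx", ".htaccess", "readme.txt", "index.html"]
    for long_name, short in tilde_exposure(sample).items():
        print(f"{long_name:25} -> {short}")
```

The mitigation on the server side is to stop Windows generating short names at all (`fsutil behavior set disable8dot3 1`, or per volume with `fsutil 8dot3name set`), then remove the ones that already exist with `fsutil 8dot3name strip`, since disabling creation does not touch existing entries. Running the function over a real listing shows which files would still have a short name until that strip is done.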
Esoteric Bugs to Vibe and Bounty to 🎧️
Post on twitter to name our lil’ guy here