Web Shell Upload via Race Condition

Поделиться
HTML-код
  • Опубликовано: 27 ноя 2024

Комментарии • 22

  • @gta-ks1mi
    @gta-ks1mi 9 месяцев назад +2

    Reported RCE in 2 public programs of intigiriti hoping for the smoother triage

    • @intigriti
      @intigriti  9 месяцев назад +1

      Awesome! Good luck 🤞🤞🤞

    • @gta-ks1mi
      @gta-ks1mi 9 месяцев назад

      @@intigriti really struggling hard to explain the new research to the team . Hoping they would understand

    • @intigriti
      @intigriti  9 месяцев назад +1

      Is it related to race condition?

    • @gta-ks1mi
      @gta-ks1mi 9 месяцев назад

      @@intigriti indeed yes
      Certainly! Here's a scenario illustrating a race condition leading to remote code execution in an Android app . I will disclose technical details when they understand the vulnerability
      ### Scenario: Race Condition Exploitation in an Android App
      **Background:**
      Imagine a messaging app where users can send and receive messages in real-time. This app is designed to display notifications whenever a new message arrives, using a background service to monitor incoming messages.
      **Vulnerability:**
      Within the app's codebase, there exists a critical race condition vulnerability. When a new message arrives, the app's background service updates a global variable to indicate the presence of unread messages and triggers a notification. However, due to improper synchronization, multiple threads can access and modify this global variable concurrently, leading to unpredictable behavior.
      **Exploitation Steps:**
      1. **Message Arrival:**
      - User A sends a message to User B.
      - The messaging server delivers the message to User B, triggering the notification process in the app.
      2. **Race Condition Triggered:**
      - As the background service processes the incoming message, it simultaneously checks and updates the global variable indicating unread messages.
      - At this moment, User B receives multiple messages in quick succession, causing multiple threads within the background service to access and modify the global variable concurrently.
      3. **Exploitation Opportunity:**
      - During the race condition, an attacker sends specially crafted messages to User B, exploiting the concurrency issue.
      - The attacker's messages contain carefully crafted payloads designed to manipulate the app's behavior.
      4. **Remote Code Execution:**
      - By exploiting the race condition, the attacker manages to modify the global variable in such a way that it points to malicious code injected within the message payload.
      - When the background service attempts to process the notification and execute the code associated with the unread messages, it inadvertently executes the attacker's malicious code.
      5. **Consequences:**
      - The attacker gains unauthorized access to the user's device, potentially compromising sensitive data or performing malicious actions.
      - Remote code execution allows the attacker to execute arbitrary commands, install additional malware, or perform other malicious activities without the user's knowledge.
      **Mitigation:**
      To prevent such vulnerabilities, developers should implement proper synchronization mechanisms, such as locks or semaphores, to ensure that critical sections of code are accessed and modified by only one thread at a time. Additionally, thorough security testing, including fuzz testing and code reviews

    • @gta-ks1mi
      @gta-ks1mi 9 месяцев назад +1

      ​​@@intigriti
      Indeed yes it's related to race condition. I will reveal a brief scenario without going into technical details illustrating a race condition leading to remote code execution in an Android app:
      ### Scenario: Race Condition Exploitation in an Android App
      **Background:**
      a messaging app where users can send and receive messages in real-time. This app is designed to display notifications whenever a new message arrives, using a background service to monitor incoming messages.
      **Vulnerability:**
      Within the app's codebase, there exists a critical race condition vulnerability. When a new message arrives, the app's background service updates a global variable to indicate the presence of unread messages and triggers a notification. However, due to improper synchronization, multiple threads can access and modify this global variable concurrently, leading to unpredictable behavior( i will reveal other technical details once vulnerability is fixed)
      **Exploitation Steps:**
      1. **Message Arrival:**
      - User A sends a message to User B.
      - The messaging server delivers the message to User B, triggering the notification process in the app.
      2. **Race Condition Triggered:**
      - As the background service processes the incoming message, it simultaneously checks and updates the global variable indicating unread messages.
      - At this moment, User B receives multiple messages in quick succession, causing multiple threads within the background service to access and modify the global variable concurrently.
      3. **Exploitation Opportunity:**
      - During the race condition, an attacker sends specially crafted messages to User B, exploiting the concurrency issue.
      - The attacker's messages contain carefully crafted payloads designed to manipulate the app's behavior.
      4. **Remote Code Execution:**
      - By exploiting the race condition, the attacker manages to modify the global variable in such a way that it points to malicious code injected within the message payload.
      - When the background service attempts to process the notification and execute the code associated with the unread messages, it inadvertently executes the attacker's malicious code.
      5. **Consequences:**
      - The attacker gains unauthorized access to the user's device, potentially compromising sensitive data or performing malicious actions.
      - Remote code execution allows the attacker to execute arbitrary commands, install additional malware, or perform other malicious activities without the user's knowledge.
      **Mitigation:**
      To prevent such vulnerabilities, developers should implement proper synchronization mechanisms, such as locks or semaphores, to ensure that critical sections of code are accessed and modified by only one thread at a time. Additionally, thorough security testing, including fuzz testing and code reviews, can help identify and address potential race conditions before they are exploited by attackers.

  • @r0adrunn3rH4cks
    @r0adrunn3rH4cks 9 месяцев назад +1

    You are amazing as always! Thank you for this video

  • @marco1337-PT
    @marco1337-PT 6 месяцев назад

    im new to bug hunting, never heard of intigti before. I will definitely try this one ✌️

  • @moncef3105
    @moncef3105 5 месяцев назад

    But how do you know actually that the server's logic is that it puts the file on the server for a very short amount of time ?

    • @intigriti
      @intigriti  5 месяцев назад +1

      Unless you have access to the source code, you don't! You just have to probe for race condition, similar to the other labs.

  • @mnageh-bo1mm
    @mnageh-bo1mm 8 месяцев назад

    but can't the server just decline the upload if the file type doesn't check ?
    also how is it that by accessing the file path the code get executed ....shouldn't be that only certain files allowed to run ? like you have to chmod execute them first ?

    • @intigriti
      @intigriti  8 месяцев назад +1

      Checking the file type is one type of protection, that you'll see in some of the other labs. In this case, the vulnerable target has chosen to use an anti-virus/anti-malware scanner to remove malicious files so probably thinks "why worry about file types, we remove all suspicious files", not considering the potential race condition. You're right on the chmod +x for executeable files, but this is a PHP script.

    • @mnageh-bo1mm
      @mnageh-bo1mm 8 месяцев назад

      @@intigriti chmod + x doesn't apply to php?

    • @intigriti
      @intigriti  8 месяцев назад +1

      Yeh, if the web server can execute PHP files it will. If you check the file upload vuln section, you'll see most labs feature PHP file uploads but the attacker isn't responsible for making the files executable (and wouldn't have a means of doing so since no code execution yet).

  • @shareb1t
    @shareb1t 9 месяцев назад

    recently i have found more than 6 websits with same vuln

    • @intigriti
      @intigriti  9 месяцев назад

      With this specific vuln? Race condition on shell upload?

    • @shareb1t
      @shareb1t 9 месяцев назад

      @@intigriti exactly, antivirus was deleting uploaded file also was not allowing any other type except jpg,png, so had to perform exact same steps as in video to exploit

    • @intigriti
      @intigriti  9 месяцев назад

      Very cool! Did you get a bounty?

    • @mnageh-bo1mm
      @mnageh-bo1mm 8 месяцев назад

      @@shareb1t show demo