Misleading HTTP Status codes and how I got my first CVEs
Many things can happen while working on a pentest, and some vulnerabilities might actually become CVEs. What is a CVE? Short for Common Vulnerabilities and Exposures, a CVE is an entry in a list of publicly disclosed computer security flaws; these flaws are reported by bug hunters or other IT specialists and then published by MITRE. In this article, Costi is sharing how he found 4 CVEs starting from a misleading HTTP response.
During one of our web application assessments, we got access to a Confluence instance with admin privileges. After the initial Confluence web application pentest (this means looking for things such as missing authorization, IDOR, and bypasses of security features), I started looking for third-party plugins/applications installed. At that moment we saw that it was using Netic’s User Export plugin, so we started looking for the same test cases as mentioned above.
The functionality allowed an admin to export all the Confluence users in CSV/JSON/XML format. However, the functionality was composed of 2 actions: generating the file locally on the server and then downloading the file. Soon we found out that there was an arbitrary file read when the admin generated the user list (in the fileName parameter) – there was no sanitization of user input on that parameter.
Additionally, we tried to check whether we could weaponize this even more and discovered that access to the specific endpoint was not requiring authorization. Hence, an unauthenticated attacker could request almost any file from a vulnerable confluence server:
However, this issue was a bit interesting as well, since the web server returned HTTP 401 Not Authorized (as seen in the first line of the output) yet still sent the content of the requested file.
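The handler pattern that produces exactly this kind of response, as an added example (not the plugin's code): the authorization check sets the status but does not return, so the unsanitized fileName is still resolved and written into the body. The hardened version beside it fails closed and confines the path to the export directory; the directory layout and file contents are constructed for the demo.

```python
import os
import tempfile
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: bytes

def vulnerable_download(export_dir: str, file_name: str, is_admin: bool) -> Response:
    # Pattern behind a "401 with content" response: the status is set on the
    # failed authorization check, but the handler keeps going, resolves the
    # unsanitized fileName and writes the file into the body anyway.
    status = 200
    if not is_admin:
        status = 401                                   # set, but execution continues
    path = os.path.join(export_dir, file_name)         # "../" goes unchecked
    with open(path, "rb") as fh:
        return Response(status, fh.read())

def hardened_download(export_dir: str, file_name: str, is_admin: bool) -> Response:
    if not is_admin:
        return Response(401, b"")                      # fail closed: return immediately
    base = os.path.realpath(export_dir)
    target = os.path.realpath(os.path.join(base, file_name))
    # Confine the resolved path to the export directory (rejects traversal and absolute paths).
    if os.path.commonpath([base, target]) != base:
        return Response(400, b"")
    try:
        with open(target, "rb") as fh:
            return Response(200, fh.read())
    except FileNotFoundError:
        return Response(404, b"")

def demo() -> dict:
    # Constructed layout: an export folder with one legitimate export, and a
    # sensitive file one level above it that a traversal would reach.
    root = tempfile.mkdtemp()
    export_dir = os.path.join(root, "exports")
    os.mkdir(export_dir)
    with open(os.path.join(export_dir, "users.csv"), "wb") as fh:
        fh.write(b"username,email\nalice,alice@example.invalid\n")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"SECRET")
    traversal = "../secret.txt"
    return {
        "vuln_unauth": vulnerable_download(export_dir, traversal, is_admin=False),
        "fixed_unauth": hardened_download(export_dir, traversal, is_admin=False),
        "fixed_admin_traversal": hardened_download(export_dir, traversal, is_admin=True),
        "fixed_admin_ok": hardened_download(export_dir, "users.csv", is_admin=True),
    }

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: HTTP {r.status}, {len(r.body)} body bytes")
```

The first entry is the misleading case from the assessment: status 401, yet the body holds the file, which is why the status line alone is not enough to judge a response.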
At this moment, I got lucky with awesome colleagues who advised me to disclose it on Atlassian’s Bug Bounty program, and I did (even though this was not part of Atlassian’s defined scope, I just wanted to see how this could play out):
Not gonna lie, it felt great at this moment.
However, the 401 Not Authorized HTTP response was pretty interesting, so I started looking for the same things (missing authorization, file read/inclusion, functionality exploitation) in other applications developed by the same vendor (there were only a few of them, so I took most of them apart).
This way I was able to find the other 2 applications that were implementing the same functionalities (exporting users/groups) — User Export for Jira, Group Export for Jira — and they had roughly the same issue: missing authorization on the export functionality. However, for these 2 applications, I was unable to abuse the file download:
Considering that the number of downloads for these 2 applications was lower and the impact was moderate, I decided to contact the vendor directly, and I was relieved that the interaction was smooth and enjoyable (@Lasse). In a matter of 1-2 days they were able to remediate both applications, and I was able to retest them.
After remediating all issues, I contacted MITRE (https://cve.mitre.org/) and got assigned the following CVEs:
– CVE-2022-38367 – for User Export add-on for Jira
– CVE-2022-39960 – for Group Export add-on for Jira
– CVE-2022-42977, CVE-2022-42978 – for User Export add-on for Confluence (unauthenticated + arbitrary file read)
The lesson for me here was to never trust HTTP status codes, since they can be misleading, and to always check the actual body of the HTTP response. Shortly after that, I saw that another security researcher found a similar bug in another application (https://www.linkedin.com/posts/cristivlad_first-time-i-see-this-in-a-pentest-must-activity-6968612911149662208-QMkL).
Timeline
– 1st Aug - Report unauthenticated arbitrary file read to Bugcrowd (CVE-2022-42977, CVE-2022-42978)
– 2nd Aug - Report acknowledged (CVE-2022-42977, CVE-2022-42978)
– 6th Aug - Report missing authorization on the export functionality to NETIC (CVE-2022-38367, CVE-2022-39960)
– 8th Aug - Applications patched (CVE-2022-38367, CVE-2022-39960)
– 8th Aug - Partial fix for the unauthenticated arbitrary file read (CVE-2022-42977, CVE-2022-42978)
– 10th Aug - The User Export add-on for Confluence is patched (CVE-2022-42977, CVE-2022-42978)
– 5th Sep - Mitre published CVE-2022-38367
– 17th Sep - Mitre published CVE-2022-39960
– 15th Nov - Mitre published CVE-2022-42978, CVE-2022-42977
– 25th Nov - Article published by us
Cybersecurity Engineer @ Cyber Threat Defense