NOAA's NNVL Earth Products Directory Traversal Vulnerability

While looking for a nice new wallpaper, I came across this page: Earth Daily Color. It's very nice, so I hit the download button and noticed I got a URL like this:

https://www.nnvl.noaa.gov/view/GetFile.php?Path=%2Fvar%2Fwww%2Fhtml%2Fnnvl%2FPortal%2FProducts%2FTRUE%2FImages%2FColor%2FDaily%2FTRUE.daily.20170325.color.png

Strange: there is a full filesystem path to the file I had requested in the query string. I wonder if there is any input checking at all.

/view/GetFile.php?Path=/etc/passwd

Nope! It downloaded the server's passwd! At this point I completely stopped and started finding a way to get ahold of NOAA. I found the webmaster [at] noaa.gov email address, wrote a little letter explaining the issue, and waited…
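What the endpoint should have done, as an added example written here in Python rather than the site's PHP (this is not NOAA's code): the first function mirrors the behaviour the post describes, the second assumes the Path parameter is taken relative to a products directory; PRODUCTS_ROOT is constructed from the directory visible in the download URL above.

```python
from typing import Optional
from urllib.parse import unquote
from pathlib import PurePosixPath

# Constructed to match the directory visible in the original download URL;
# a real deployment would take this from configuration.
PRODUCTS_ROOT = PurePosixPath("/var/www/html/nnvl/Portal/Products")


def vulnerable_get_file(path_param: str) -> str:
    """Behaviour the post describes: whatever Path says is what gets served."""
    return unquote(path_param)


def resolve_download_path(path_param: str) -> Optional[str]:
    """Hardened version: Path is interpreted relative to PRODUCTS_ROOT.

    Returns the absolute path to open, or None when the request must be refused.
    """
    requested = unquote(path_param)
    # PHP's file functions stop at a NUL byte, so one can hide a bad suffix; refuse it.
    if "\x00" in requested:
        return None
    # A legitimate client only ever sends relative paths; an absolute one
    # (/etc/passwd) is exactly the abuse seen in the post.
    if requested.startswith("/"):
        return None
    relative = PurePosixPath(requested)
    # PurePosixPath drops "." and repeated slashes but keeps "..", so any
    # remaining ".." component is a traversal attempt and is rejected outright.
    if any(part == ".." for part in relative.parts):
        return None
    candidate = PRODUCTS_ROOT / relative
    # Defence in depth: the joined path must still be strictly below the root
    # (this also refuses an empty Path, which would resolve to the root itself).
    if PRODUCTS_ROOT not in candidate.parents:
        return None
    return str(candidate)
```

Logging every refused request is worthwhile: a legitimate client never sends an absolute path or a ".." component, so each rejection is a probe worth looking at.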

Two months later (April 2017), after getting no reply, I checked the URL again and could still access the file! I tried looking up their IT team, but after some searching I gave up and promptly forgot about it.

I'm happy to report that after checking today, the issue has been resolved! I do kind of wish there were more publicly published methods of getting in contact with the correct people in the US Government when a citizen finds a vulnerability. I am glad they did get it fixed; I enjoy NOAA's products and wish they got more press than they do. Check out their NNVL FTP sometime, there are amazing images of the Earth to be had.

2017/05/12 19:36 · jrwr

OVH vRack Security Issue

tl;dr: OVH had an issue where your second network card was connected to other servers in the datacenter. This allowed you to run a DHCP server and offer a gateway. This also allows you to MITM several machines' outbound traffic; I had 35 machines responding with DHCP leases and about 4 routing outbound traffic through me as their router.

Discovery

I was messing around with ESXi and had an internal network with pfSense as a router VM. I attached the second NIC and noticed I got a dozen replies from servers I did not own.

Probing

Dumped ESXi and installed Debian. Ran a normal dnsmasq with some NATing iptables rules. Turned it on for about 10 minutes and noticed servers were starting to route outbound traffic over my machine. Quickly turned off NAT and pushed down new leases without a gateway (to fix the remote machines so they would not be impacted).

Traffic was mostly API calls to remote servers, like Twitter, and a few outbound emails. Overall I had about 4 machines sending traffic over my interface.

Report

Overall, I discovered this issue on April 23rd 2017. The only real method of reporting an issue like this was their bountyfactory.io project. I submitted it at 04:00 CEST and they responded by 11:00 CEST with:

Hi, We have reviewed your report and we are able to understand the vulnerability submitted.

We will keep you informed immediately after evaluation. As said in the rules, please do not disclose your find publicly until you have received our approval. Regards, OVH security department.

At 14:00 CEST they responded with:

It appears that your server vRack has been wrongly configured. We have fixed your case along with other customers impacted by this bug. We have also put special monitoring in place to ensure that this bug never occurs again.

Thanks for your report, but it appears that it is out of scope as per the rules. This means that you will not be eligible for monetary rewards.

As we have fixed and modified our system following your report, you have been awarded a 100€ credit to be spent on OVH.COM. Could you give me your OVH client name (like aa123456-ovh) so that I can credit it? With this credit, you would be able to test dedicated servers, CDN, vRack, VMware managed private cloud, VPS, licenses, IPs, SMS and ".ovh" domain names.

Not bad, 17 hours to fix. I did respond with my OVH handle, but I never did get the credit :( Also, only 100 Euros for finding a way to MITM other customers' machines was a little disappointing.

I do admit they do not have a posted bug bounty for internal security issues, and it was nice of them to offer the credit for services in the first place.

2017/04/29 13:46 · jrwr

Hatnas Update

HATNAS is pretty much done, but I want to release it as a single package. I'm going to start in a clean virtual machine and make install scripts from there. That should allow anyone to run HATNAS on a new Pi without any shitty image distros.

2017/04/22 16:47 · jrwr

Who knew?!

Man, DokuWiki is powerful. MediaWiki is fine and all, but DokuWiki is pretty much the bee's knees when it comes to making a personal site.

2017/04/22 16:21 · jrwr

I/O Port Enabled

I/O Port has been enabled, MODESET 9600,8,n,1 ^M^M^M^M^M NO CARRIER

2017/04/22 16:00 · jrwr