
See how I found vulnerabilities in Google's own vulnerability tracking platform and earned a $15600 bounty

Source: 博客园     Time: 2017/11/10 23:48:25     Reads: 50

google-bugs.jpeg

Have you ever heard of Google's Issue Tracker? Most people probably haven't, unless you are a Google employee or a developer who recently reported a vulnerability in a Google product. I didn't know about it either, until I recently noticed that, in addition to the usual e-mail notifications, Google had started handling my vulnerability reports through this new tracking platform (shown below). So I decided to find a way in.

01.jpeg

According to the documentation, the vulnerability tracking platform used inside Google is called Buganizer. It is Google's internal system for tracking bugs and feature requests throughout the product development cycle, and it also exposes an external interface to support collaboration with outside parties on specific projects.

In other words, if a vulnerability is reported in a Google product, it will show up on this platform. That makes sense, right? What external users see is only the tip of the iceberg: only issues that have been pre-approved for public viewing, or issues to which an internal user has added an external account, such as bugs reported by white-hat researchers. How much unknown, deeper vulnerability information lies beneath this surface? Let's try to find out.

02.png

Looking at the IDs of recently filed issues, we can roughly estimate the platform's load: at peak it receives somewhere between 2000 and 30000 issue reports per hour. Google makes only about 0.1% of these issues or vulnerabilities public, so an information leak on this platform would be quite something. Let's take a look!

The first flaw: bypassing Google's identity verification by changing the e-mail address associated with the Buganizer account

While investigating, I found that during the issue-tracking process the Buganizer platform sends its correspondence with reporters about their vulnerabilities from special mailbox addresses of the following format:

buganizer-system+componentID+issueID@google.com

Here componentID is the component (category) and issueID is the number of the specific issue.

This reminded me of a trick recently revealed by researchers: spoofing helpdesk service consoles. With that technique, the internal chat systems of some companies could be infiltrated using addresses in the pattern above. Since the address ends in @google.com, I used a Google account with such an address to try to log in to Google's Slack. A login confirmation page appeared, but Slack returned nothing, so perhaps Google's internal teams have not enabled or do not use Slack.

03.jpeg

The next thing I could think of was to obtain a Google employee @google.com mailbox, which might grant special access to the Buganizer platform. Such mailboxes generally cannot be registered over the Internet; only internal staff or contractors have them.

04.png

So I tried to bypass this mechanism: while using the Buganizer platform, the e-mail address associated with the Google account can be changed, so I changed mine to buganizer-system+123123+67111111@google.com. The Buganizer platform then sent the confirmation e-mail for the address change to my old associated mailbox, and that e-mail contained a confirmation link:

05.jpeg

After this change, the Buganizer platform tacitly accepted me as a Google employee! Clicking the confirmation link led directly to Google's internal login system:

06.png

The result: the newly registered address buganizer-system+123123+67111111@google.com could, of course, not actually be logged into. But it was enough to demonstrate the problem: using this flaw, I could test the security of other Google services, and perhaps even get a free ride on the vehicle location service system. This is still a security vulnerability. I reported it to the Google security team; they fixed it 11 hours later, and I received a $3133.7 bounty, with the severity rated critical.
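The flaw above has two halves: the platform let an external account adopt an address on Google's own domain, and it sent the confirmation link to the old mailbox rather than the new one. The following is an added example, not code from the article or from Google, of how an account e-mail change is gated on the server side so that neither half can happen: reserved domains and the buganizer-system address pattern are rejected for external accounts, and the change only takes effect after a token delivered to the new mailbox is presented. INTERNAL_DOMAINS, the Account class and the sample addresses are assumptions made for this illustration.

```python
# Added example (not from the original article or Google's code): hardened
# account e-mail change flow. INTERNAL_DOMAINS and Account are assumptions.
from dataclasses import dataclass, field
import re
import secrets

INTERNAL_DOMAINS = {"google.com"}  # assumption: domains reserved for internal accounts
# Pattern of the system-generated sender addresses described in the article
SYSTEM_MAILBOX = re.compile(r"^buganizer-system\+\d+\+\d+@google\.com$")


@dataclass
class Account:
    email: str
    is_internal: bool = False
    pending: dict = field(default_factory=dict)  # token -> proposed new address


class EmailChangeError(Exception):
    pass


def request_email_change(account: Account, new_email: str) -> str:
    """Validate the proposed address and issue a confirmation token.

    The caller must deliver the token to new_email (the NEW mailbox), not to
    account.email, so only someone who controls the new mailbox can finish
    the change. Nothing about the account changes until the token is used.
    """
    if "@" not in new_email:
        raise EmailChangeError("malformed address")
    domain = new_email.rsplit("@", 1)[1].lower()
    if domain in INTERNAL_DOMAINS and not account.is_internal:
        raise EmailChangeError("internal-domain addresses are reserved for internal accounts")
    if SYSTEM_MAILBOX.match(new_email.lower()):
        raise EmailChangeError("system-generated mailbox cannot be used as an account address")
    token = secrets.token_urlsafe(16)
    account.pending[token] = new_email
    return token


def confirm_email_change(account: Account, token: str) -> str:
    """Apply the change only for a token that was issued for this account."""
    new_email = account.pending.pop(token, None)
    if new_email is None:
        raise EmailChangeError("unknown or already-used confirmation token")
    account.email = new_email
    return account.email


if __name__ == "__main__":
    ext = Account("researcher@example.org")  # constructed external account
    try:
        request_email_change(ext, "buganizer-system+123123+67111111@google.com")
    except EmailChangeError as e:
        print("rejected:", e)
    tok = request_email_change(ext, "new-address@example.org")
    print("confirmed:", confirm_email_change(ext, tok))
```

The domain check stops the account from claiming an internal identity at all; the token flow makes the confirmation e-mail useless to anyone who only controls the old mailbox, which is the step the article shows going to the wrong place.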

Second vulnerability: receiving Google-internal notification e-mails

Another interesting feature of the Buganizer platform is starring. Starring an issue indicates your personal interest in it and that you want to receive real-time notifications from the platform when other people comment on it.

07.png

What's interesting about this feature is that when I used it to star issues I had no access to, there was no error message. It seemed that Buganizer applied no access-control rule here, so I logged in to the platform with a second account and tried replacing the issueID in the star request with the ID of a vulnerability report belonging to my main account. I then saw the following message, indicating that the star had succeeded:

1 person has starred this issue.

Could I monitor the latest status of some Google vulnerabilities this way? I quickly commented on the starred issue to see whether my second account would receive a notification of the update. Unfortunately, no e-mail arrived.

08.jpeg

For some reason I decided to keep testing this problem in depth. I took the issueID of a recently filed issue, inferred from it the IDs of the last few thousand issues on the Buganizer platform, and starred all of them. A few minutes later, this happened in my inbox:

09.jpeg

I thought I had hit the jackpot! But on closer inspection there was not much valuable information in these notifications; most were comments and discussions in various languages.

I had hoped to research this flaw more deeply and find something more serious, so it sat in my hands for several hours. After that, I figured the Google security team would be interested in it anyway, so I reported it. The Google security team confirmed the vulnerability 5 hours later as high priority, and I received a $5000 bounty.

Third vulnerability: the Buganizer platform has no access check, so any reported vulnerability can be viewed

When you access the Buganizer platform (Issue Tracker) as an external user, most functions are in fact stripped out and your permissions are very limited; the JavaScript documentation of the API server shows that Google employees can perform a lot of cool operations. Many of these operations are completely disabled for external users, and some are merely hidden in the interface.

When restricting the functions available to external users, the developers kept the ability to remove yourself from an issue's mailing (CC) list: if we are no longer interested in an issue and do not need to follow its state, its status updates will no longer be sent to our mailbox. This CC-list function is implemented with the following POST request:

POST /action/issues/bulk_edit HTTP/1.1

{
   "issueIds":[
      67111111,
      67111112
   ],
   "actions":[
      {
         "fieldName":"ccs",
         "value":"test@example.com",
         "actionType":"REMOVE"
      }
   ]
}

However, the implementation of this function led to serious problems:

Improper access control: before attempting to perform the given operation, there was no explicit check of whether the current user had permission to access the issueID in question;

No error handling: if your e-mail address was not in the CC list of the issue, the client was still told that the address had been successfully removed;

The response contained the full issue: if no error occurred during the operation, another part of the service assumed the user had the appropriate management rights, and therefore the full details of the issue with that ID were returned in the body of the HTTP response.

Because of these three problems, I could view the details of any vulnerability in the Buganizer database just by replacing the issueid in the request. Awesome!

I tried only a few consecutive issue IDs, then checked with an unrelated account, which confirmed the seriousness of the problem. Yes, I could see every detail of the bug reports, as well as other things hosted on the Buganizer platform. Worse, I could retrieve the data of multiple issues in a single request, so it was even possible to monitor all activity within the Buganizer platform in real time, without limit!
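To make the three problems concrete, here is an added example, not code from the article or from Google, of a bulk_edit handler written in the vulnerable shape the article describes beside a hardened one, run over constructed issue data. The hardened handler authorizes each issueId before acting, reports a removal of an address that was not on the CC list as an error, and returns only per-issue status codes instead of echoing the issue. The same gate is applied to the star action from the second vulnerability. The Issue/ACL model, the user names and the make_issues data are assumptions made for this illustration.

```python
# Added example (not from the original article or Google's code): vulnerable and
# hardened bulk_edit handlers over constructed data. Issue, can_view and
# make_issues are assumptions for this illustration.
from dataclasses import dataclass, field


@dataclass
class Issue:
    issue_id: int
    title: str
    ccs: set = field(default_factory=set)
    visible_to: set = field(default_factory=set)  # "*" means publicly visible


def make_issues():
    """Constructed sample data: one public issue, one internal-only issue."""
    return {
        67111111: Issue(67111111, "Typo on a public help page",
                        {"test@example.com"}, {"*"}),
        67111112: Issue(67111112, "Internal: auth bypass in service X",
                        {"dev@google.com"}, {"dev@google.com"}),
    }


def can_view(user, issue):
    return "*" in issue.visible_to or user in issue.visible_to


def apply_cc_remove(issue, address):
    """Remove address from the CC list; True only if it was actually there."""
    if address not in issue.ccs:
        return False
    issue.ccs.discard(address)
    return True


def bulk_edit_vulnerable(issues, user, body):
    """Mirrors the article's three problems: no per-issue access check, no
    error when the address is not on the CC list, and the whole issue echoed
    back in the response."""
    out = []
    for iid in body["issueIds"]:
        issue = issues[iid]
        for action in body["actions"]:
            if action["fieldName"] == "ccs" and action["actionType"] == "REMOVE":
                apply_cc_remove(issue, action["value"])  # result ignored
        out.append({"issueId": iid, "status": 200,
                    "title": issue.title, "ccs": sorted(issue.ccs)})
    return out


def bulk_edit_hardened(issues, user, body):
    out = []
    for iid in body["issueIds"]:
        issue = issues.get(iid)
        # Authorize every issue before touching it; unknown and forbidden
        # issues get the same answer so IDs cannot be probed for existence.
        if issue is None or not can_view(user, issue):
            out.append({"issueId": iid, "status": 404})
            continue
        status = 200
        for action in body["actions"]:
            if action["fieldName"] == "ccs" and action["actionType"] == "REMOVE":
                # External users may only remove their own address, and a
                # removal that changed nothing is reported as an error.
                if action["value"] != user or not apply_cc_remove(issue, action["value"]):
                    status = 400
            else:
                status = 400  # no other fields are editable through this path
        out.append({"issueId": iid, "status": status})  # no issue details echoed
    return out


def star_hardened(issues, user, iid):
    """The same gate applied to the star action from the second vulnerability."""
    issue = issues.get(iid)
    if issue is None or not can_view(user, issue):
        return {"issueId": iid, "status": 404}
    return {"issueId": iid, "status": 200}


if __name__ == "__main__":
    req = {"issueIds": [67111111, 67111112],
           "actions": [{"fieldName": "ccs", "value": "attacker@example.org",
                        "actionType": "REMOVE"}]}
    print("vulnerable:", bulk_edit_vulnerable(make_issues(), "attacker@example.org", req))
    print("hardened:  ", bulk_edit_hardened(make_issues(), "attacker@example.org", req))
```

The key design choice is that authorization runs per issueId inside the loop, not once per request, because a bulk endpoint is exactly where a caller can mix IDs they may see with IDs they may not.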

I reported this vulnerability to the Google security team promptly; they made an emergency fix within one hour and disabled the affected endpoint. Fast response! I received a $7500 bounty for it.

Postscript

When I first discovered the information leaks on the Buganizer platform, I thought it would be

Source: Medium. Compiled by FreeBuf editor clouds; when reprinting, please credit FreeBuf.COM.
