Hola Chicos! Yeah, I know my posts are delayed, as I was flooded with other stuff. This is one of my effortless and cool hunts, after the Rockstar Games AngularJS Sandbox Bypass.
After a few duplicates from the big tech giant Microsoft, I decided to hunt deep on their perimeter limits, as most internal servers are left open with enormous bugs and patching stages are always delayed for internal applications.
I started with my favourite search engine, Censys. What I've learned from my bug hunting experience is that it comes down to how well we utilize the existing technology. I analysed the Censys search engine's requests and results, and based on common results I formed a nice Censys dork to list every Jenkins instance running on port 8080 inside the Microsoft Corporation network, which are the candidates for this bug.
((jenkins) AND autonomous_system.description.raw: "MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US") AND protocols.raw: "8080/http"
The result was beautiful.
Yes, there are around 3.7k Microsoft instances running the Jenkins automation server. But hold on: every instance is labelled “Microsoft Corporation”, which only means that all of these instances sit inside the Microsoft network. How many of them are Microsoft's own hosts, given that so many other vendors/clients use the same network to host their own stuff? How to identify them?
To identify that I had only one option other than simply wasting time: make a sample report with any one of the Jenkins instances and wait for their reply.
Finally one day they replied.
This was what I had expected earlier, but I did it with the intention of identifying real Microsoft servers. If you read the email you can observe one thing: “The list of Azure IP addresses can be found here”. It gave me an idea: maybe the IPs in that list belong to customers, so what if I found an instance which is not in this range?
Yes, it's a huge list, so identifying a vulnerable instance outside this big range is a difficult task. But I did it: I identified an instance which was not in this range.
After navigating to this instance it was like an open door waiting for me.
Here, in the Jenkins Script Console, I can put any Groovy script to execute remote commands.
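The attribution step above, filtering hosts seen in the ASN against the published customer IP ranges, is easy to get wrong by eye on a list that size. Here is an added example (mine, not the author's tooling) that does the comparison programmatically. It assumes the range list has already been reduced to plain CIDR strings and that the Censys results have been reduced to an IP column; both the ranges and the hosts below are constructed from RFC 5737/3849 documentation prefixes, not real Azure or Microsoft addresses. Defenders run the same check in reverse: a host inside your ASN but outside your documented cloud ranges is a first-party asset that has escaped inventory.

```python
import ipaddress

# Constructed range list standing in for the Azure IP download that
# Microsoft pointed to. These are documentation/test prefixes, not real
# Azure prefixes; the real file is much larger.
CUSTOMER_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "2001:db8::/32",
]

# Constructed host list standing in for the IP column of the Censys results.
CANDIDATE_HOSTS = [
    "198.51.100.17",    # inside a customer prefix
    "203.0.113.40",     # inside
    "203.0.113.200",    # outside the /25
    "2001:db8::1",      # inside (IPv6)
    "192.0.2.9",        # outside
    "not-an-ip",        # junk that should be reported, not crash the run
]


def build_networks(cidrs):
    """Parse CIDR strings once up front; skip malformed entries."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue
    return nets


def in_any(addr, nets):
    """True if addr falls inside any of the parsed networks (same IP version)."""
    return any(addr.version == n.version and addr in n for n in nets)


def attribute_hosts(hosts, cidrs):
    """Split hosts into (inside_ranges, outside_ranges, unparseable)."""
    nets = build_networks(cidrs)
    inside, outside, bad = [], [], []
    for h in hosts:
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            bad.append(h)
            continue
        (inside if in_any(addr, nets) else outside).append(h)
    return inside, outside, bad


if __name__ == "__main__":
    inside, outside, bad = attribute_hosts(CANDIDATE_HOSTS, CUSTOMER_RANGES)
    print("customer-hosted (skip):", inside)
    print("outside published ranges (look closer):", outside)
    print("unparseable:", bad)
```

The networks are parsed once and the hosts are matched against them, so the cost is one pass over the host list times the number of ranges; for a real download with thousands of prefixes that is still instant, and the unparseable bucket keeps a single bad row in the export from aborting the whole run.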
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cat /etc/passwd'.execute()   // runs on the controller as the Jenkins service account
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)                 // kill the process if it has not finished within 1 s
println "out> $sout err> $serr"
So after execution I can see the content of the /etc/passwd file.
This is enough PoC to make a report to Microsoft. So I made a quick report and they responded like this:
Finally, they added me to their Hall of Fame.
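The “open door” here is the Jenkins Script Console being served to an unauthenticated client. By default it requires the Overall/Administer permission (Overall/RunScripts on older releases), so an anonymous 200 on /script means security is disabled or anonymous has been granted admin. As an added example (not part of the original post or of Jenkins itself), this detector walks access log lines and grades Script Console traffic. The log lines are constructed in Common Log Format, which Jenkins' built-in Winstone access logger can be configured to write; no real host was involved.

```python
import re
from dataclasses import dataclass

# Constructed lines in Common Log Format. Not captured from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2017:10:01:12 +0000] "GET /login HTTP/1.1" 200 4110
10.0.0.5 - alice [25/Oct/2017:10:01:40 +0000] "GET /job/build/ HTTP/1.1" 200 9023
203.0.113.9 - - [25/Oct/2017:10:02:03 +0000] "GET /script HTTP/1.1" 200 5621
203.0.113.9 - - [25/Oct/2017:10:02:31 +0000] "POST /script HTTP/1.1" 200 6004
10.0.0.7 - bob [25/Oct/2017:10:03:00 +0000] "POST /scriptText HTTP/1.1" 200 512
10.0.0.5 - alice [25/Oct/2017:10:03:10 +0000] "GET /manage HTTP/1.1" 200 8100
198.51.100.3 - - [25/Oct/2017:10:04:00 +0000] "GET /script HTTP/1.1" 403 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Endpoints that hand Groovy to the controller JVM. The suffix match also
# catches a context path (/jenkins/script) and per-agent consoles
# (/computer/<node>/script).
SCRIPT_ENDPOINTS = ("/script", "/scriptText")


@dataclass(frozen=True)
class Alert:
    severity: str
    ip: str
    user: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Return the matched fields as a dict, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Map one parsed request to a severity, or None if it is not console traffic."""
    path = rec["path"].split("?", 1)[0]
    if not any(path == e or path.endswith(e) for e in SCRIPT_ENDPOINTS):
        return None
    status = int(rec["status"])
    if not 200 <= status < 300:
        return "low"        # console was requested but the server refused it
    if rec["user"] == "-":
        return "critical"   # anonymous client was served the console: the open door
    if rec["method"] == "POST":
        return "high"       # authenticated script execution; audit who ran what
    return "medium"         # authenticated user merely opened the console page


def script_console_alerts(log_text):
    """Scan a block of access log text and return one Alert per console request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev is None:
            continue
        alerts.append(Alert(sev, rec["ip"], rec["user"], rec["method"],
                            rec["path"].split("?", 1)[0], int(rec["status"])))
    return alerts


if __name__ == "__main__":
    for a in script_console_alerts(SAMPLE_LOG):
        print(f"{a.severity:8} {a.ip:14} {a.user:6} {a.method:4} {a.path} {a.status}")
```

On the sample, the two anonymous 200s from 203.0.113.9 come out critical, bob's POST to /scriptText is high (legitimate admins do use the console, so it is an audit event rather than an incident), and the 403 is low: authorization did its job, which is what a fixed instance should show for every anonymous console request.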
Hall of Fame link
Reported — 25-10-2017
Triaged — 15-11-2017
Fixed — 27-02-2018