The Samaritan Bug
Hello Reader, Hope you are doing well. Today we will be going through my first report on a VDP.
It was another fine day when i recieved an invitation to a vdp program on hackerone that allowed hacking all their inscope assets like *.xboy.me
I went on google and used the google dork
site:xboy.me filetype:aspx. I got one subdomain that had https://stats.home.xboy.me/aboutus.aspx, i visted the subdomain and started polking around, i forced an application 404 error not found, then i did a view source and started poking around at the site clientside source. Thats when i saw the url
referenced at a certain line,
The _vti_bin is the built-in SharePoint Web services directory, i remembered having learned about an informational disclosure that could result in this folder being accessible without authentication.
Domain = *.xboy.me
subdomain = stat.home.xboy.me
Vulnerable endpoint = <https://stat.home.xboy.me/TL/_vti_bin/spsdisco.aspx>
I also found exposed audit logs of the same subdomain using the google dork
The issue can be reproduced by; Visiting the following urls
I made a report and sent it to the program and it got accepted as a medium.
There is a exploitation research paper on the same services from the blackhat and they also developed a tool called sparty to further exploit it. You can automate the exploitation via using the smarty tool from github.
python Sparty-2.0 -u https://example.com -enum -exploit
An attacker can leverage this information to gain foothold in the webapp and craft attacks accordingly. You can see all the webservice endpoints which contain some sensitive information.
Place access control list to the dll’s of the sharepoint. Forbid all the folder /_vti_bin/_vti_adm/admin.dll via a WAF/Server-403 or remove it completely
Thank You For reading my wite up. Hope you enjoyed it or learned something from it. GoodLuck in Your Bug Hunting.