All Projects

Description

A vulnerability has been discovered in the student management system, which allows a normal user account to bypass access controls. ANY registered low-level user, with no knowledge or involvement in a class, can globally detach any student involved just by manipulating the UID. Even without tutorship/academic privileges and regardless of tutor access control.

Impact

A malicious attacker could fuzz predictable UID values and remove multiple students, abusing the privesc as a nuisance.

Proof-of-Concept

1) First, we logged in to an actual tutor account where I've added a few students. Next, I take note of the IDs of each student involved.

2) Then, I logged out and just to validate this exploit, I would create a NEW account.

3) This is the vulnerable endpoint:

https://admin.alwaysdata.com/academic/release/<USER_ID>

I replaced the <USER_ID> param with the various IDs I recorded from the tutor account.

4) Visit these URLs on the new account and observe the results.

5) Then, log out and re-login to the tutor account. Visit https://admin.alwaysdata.com/academic/ and confirm poc validity.

Mitigation

Implement proper access controls and role-based permissions to restrict normal users from utilizing global admin/tutor privileges. Conduct a thorough review of the authentication and authorization processes to ensure that no other similar vulnerabilities exist.

POC video: https://file.io/DRmuH2Qk7wZk

Description

I identified a vulnerability in the SSH function of admin.alwaysdata.com, where the home directory setting is vulnerable to server path traversal.

Proof-of-Concept

1. Login to your account and visit https://admin.alwaysdata.com/ssh

2. Edit the home directory from '/' to '/../../../../../../'

3. Next, save the settings and login to your SSH shell. Type ls. You'll discover your path has been traversed.

4. Access the /alwaysdata/etc/passwd folder to view the admin superusers. More information of other users are also available throughout the server.

For example;

/var/lib/extrausers/passwd shows all the other registered users on the server.

/usr/lib/python3/dist-packages/fail2ban/tests/files/logs/postfix display failban logs.

Other interesting files;

/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd

/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd

Mitigation

Restrict access to any parent directory, other than the container being run.

Description

A vulnerability exists on the https://admin.alwaysdata.com/ permissions_delete endpoint which is intended for deleting sub-accounts' generated data or permissions. However due to unsecure design, it can also be used to remove critical permissions or access controls of the owner account, rendering the account useless.

Proof-of-Concept

1. Visit this URL: https://admin.alwaysdata.com/permissions/<owner-id>/delete/ (Replace owner-id with the the id of main account, that is, the one with 'impossible deletion')

2. This renders the account useless. But permissions can still be reinstated using the following request

POST /permissions/<account-id>/ HTTP/2
Host: admin.alwaysdata.com
Cookie: csrftoken=nHI6Qy3zJu9uxxxqNvXRuZlTuvgLJwbBI5jg4XRa; django_language=en; sessionid=tdcg6j9im2g31ga9tk7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://admin.alwaysdata.com/permissions/
Content-Type: application/x-www-form-urlencoded
Content-Length: 314
Origin: https://admin.alwaysdata.com


csrfmiddlewaretoken=U0CcqjIPBxxxxxxxxxxxx2zGI69d7GFBI5AKORMPsTJlk1SfgDJZ5t&csrfmiddlewaretoken=U0CcqjIPBxxxxxxxxxxxxxxxx7GFBI5AKORMPsTJlk1SfgDJZ5t&email=<EMAIL>&customer_account=on&customer_contact_billing=on&customer_full_accounts=on&customer_full_servers=on&account=<USERID>

Mitigation

Ensure that only authorized admin can access and modify owner permissions through the delete endpoint. This can be achieved by implementing authentication and authorization mechanisms.

Description

I discovered that cAdvisor, a container monitoring and management tool, is exposed to the public internet. Using OSINT techniques, this endpoint was discovered on one of the company servers. This information disclosure could potentially be used by attackers for various malicious purposes, such as mapping vulnerable targets or launching further attacks.

Proof-of-Concept

To demonstrate this issue, we can access the cAdvisor web interface via the URLs;
http://185.31.41.177:8000/containers/ http://185.31.41.177:8000/metrics/ http://185.31.41.177:8000/api/v1.0/machine http://185.31.41.177:8000/containers/user.slice http://185.31.41.177:8000/containers/system.slice

Browse through the URIs for more information on processes running, users involved, resource usage, container names e.t.c.

Mitigation

Restrict access to cAdvisor. Limit access to the cAdvisor interface to trusted users or networks only.

Description

I discovered a potential vulnerability in api.alwaysdata.com that could allow an attacker to override URLs by manipulating the X-Forwarded-Host header. This issue could potentially lead to unintended redirections or access to restricted resources.

Proof-of-Concept

To demonstrate this vulnerability, we can use a simple HTTP request with a modified X-Forwarded-Host header. Replay the following request;

GET /v1/ssh/doc/ HTTP/1.1
Host: api.alwaysdata.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Connection: close
Cache-Control: max-age=0
X-Forwarded-Host: evil.com
Cookie: flyspray=ef2b9025azb8fd028bf6
Referer: https://api.alwaysdata.com/doc

Mitigation

Blocking or filtering out the X-Forwarded-Host header entirely and relying on other methods to determine the original domain (e.g., using the Host header or server logs).