How I Got $1000 Bounty From X-Company? (RCE +Authentication Bypass)

How I Got $1000 Bounty From X-Company? (RCE +Authentication Bypass)
Hello all, Raj here! I’m back with some interesting findings.

I know it’s been a while since my last writeup—been busy with some good projects and learning new things. But without further delay, let’s dive right in.

Introduction:

Bug bounty programs provide a unique opportunity to explore the depths of cybersecurity, presenting challenges that often lead to intriguing discoveries. Recently, during my active engagement in testing, I uncovered a Remote Code Execution (RCE) + authentication bypass vulnerability in a top company (due to their policy, I won’t reveal the name, so let’s just call it X-company) (CVE-2023–46747).

Let’s go…

On May 16, 2024, I disclosed a vulnerability I identified on an internal IP owned by X-company. This was part of their Bug Bounty program, where rewards are given for finding security vulnerabilities. I discovered an authentication bypass vulnerability in X-company’s F5 BIG-IP. The vulnerability has a critical severity rating with a CVSS score of 9.8. Successful exploitation could allow an attacker to perform remote code execution on the target system.

My Methodology:

“Reconnaissance is the initial step in bug hunting.”

1. I started by gathering the in-scope domains.
2. Then I kicked off active and passive subdomain enumeration using various tools. For passive subdomain enumeration, I used Subfinder with API keys from different services like Shodan, Censys, Chaos, GitHub, Sublist3r, etc. For active subdomain enumeration, I used the Best DNS Wordlist from the Assetnote Wordlist.
3. I ended up identifying around 10,889 subdomains and IPs.
4. The next step was filtering out live domains based on their status codes.
5. I quickly identified the internal IP with the F5 BIG-IP and confirmed it using Wappalyzer.
6. Here’s where the actual journey begins.

Recently, I came across the F5 BIG-IP Unauthenticated Remote Code Execution Vulnerability (CVE-2023–46747).

CVE-2023–46747 is a critical vulnerability that allows undisclosed requests to bypass configuration utility authentication, enabling an attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.

Geared up, I discovered an endpoint (/mgmt/tm/util/bash) that was vulnerable to CVE-2023–46747.

This vulnerable endpoint (/mgmt/tm/util/bash) allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.

Once I confirmed the vulnerability, the next task was to find a proper exploit. There are many exploit scripts available, but several give false positives. So, I opted for an exploit using a Nuclei template, and this approach worked effectively.

Exploit Process for Remote Code Execution (RCE) and Authentication Bypass:

=> First, I ran a Nuclei scan and waited for the results.

=> BOOM…! RCE is working—I got the system ID, username, and password.

=> Next, I decided to increase the impact by exploiting the authentication bypass.

=> So, I navigated to the $ip/mgmt/tm/util/bash site, entered the username and password, and BOOM! I was redirected to the F5 BIG-IP admin panel on the internal network.

After that, I reported this issue through their Bug Bounty Program.

X-company has since fixed the issue, and I want to commend them for their responsiveness. This is an excellent example of a company that takes security seriously and rewards those who help them identify and fix issues.

Timeline:

• May 2024—Submitted bug report.
• May 13, 2024—X-company marked it as triaged.
• May 14, 2024—They verified the vulnerability and began the fixing process.
• May 16, 2024—Marked as resolved, and the bounty 💸 was awarded.
  

I hope this inspires you.

Thanks for reading! 🙂