Sourav Sahana

@pocdork

Sourav Sahana Uncategorized Cloud (AWS) Misconfiguration | $500 from Razer

Cloud (AWS) Misconfiguration | $500 from Razer

Hii Hunters ! Hope you all are hunting good. Back again with another write-up. I submitted this report to Razer and they rewarded me $500 for this report. So I have mentioned all the details from the beginning. If you already have good knowledge about AWS then you can skip up to “How Developers leave buckets vulnerable ?”. Let’s begin the show ..

…..

So what is AWS s3 bucket ?

An Amazon s3 bucket is a public cloud storage (Simple Storage Service or s3). Every bucket has an unique name. You probably heard about the AWS subdomain takeover. Where if any domain uses s3 bucket to host a website and if that bucket doesn’t exist in AWS. Then you can claim the bucket, means whatever you upload to the bucket it renders on the website. But this is not limited too. S3 bucket can be used many purposes, like anyone can store personal files, sometimes application store user’s profile pictures, javascript files, etc.

How Developers leave buckets vulnerable ?

There is mainly three access control configuration of s3 bucket.

(1). Bucket can’t be accessed publicly.

(2) People can only show the bucket contains (key). You should always look for sensitive files in this type of bucket.

(3) All access is given publicly. Where you can upload, delete anything from the bucket. I use AWS CLI to see how the bucket is configured.

How I find open bucket in Razer..

I was playing with this domain : https://api.razer.com . There is a file upload functionality. First I started uploading malicious files if I get any RCE . But That was implemented properly. But when I’m uploading something, in the response showing the picture’s location, where the picture uploaded. And that was a s3 bucket. Immediately I opened the terminal and run this command to upload a txt file:

$aws s3 cp test.txt s3://rzimageupload

And BaaM !! I can upload and delete files from the bucket. I reported it.

……

The next day I was testing the Razer Android app. Almost all the programs don’t accept issues that required root access and the physical device. That’s why many hunters don’t check internal files. But I found this bucket: kaizo-s3-public.s3-ap-southeast-1.amazonaws.com in share_prefs directory. And again this was also an open bucket. So I mentioned this in the previous report.

HackerOne report: https://hackerone.com/reports/700051

My report had triaged and I got bounty $500 .

Thank you.. Hope you have enjoyed this. Stay tuned with me because I have more web and android reports to share.

Leave a Reply

Your email address will not be published.

TopBack to Top