Hi Hunters! Hope you are all hunting well. Back again with another write-up. I submitted this report to Razer and they rewarded me $500 for it. I have covered all the details from the beginning, so if you already have good knowledge of AWS you can skip to “How Developers leave buckets vulnerable?”. Let’s begin the show.
So what is an AWS S3 bucket?
How Developers leave buckets vulnerable?
There are three main access control configurations for an S3 bucket.
(1) The bucket can’t be accessed publicly.
(2) The public can only list the bucket’s contents (keys). You should always look for sensitive files in this type of bucket.
(3) All access is given publicly: anyone can upload to or delete anything from the bucket. I use the AWS CLI to see how the bucket is configured.
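For auditing buckets you own, the three configurations above can be read straight from the bucket ACL. The following is an added example, not part of the original write-up: it classifies the JSON returned by `aws s3api get-bucket-acl`, covers ACL grants only (bucket policies can also grant public access), and uses constructed sample ACLs with made-up bucket names.

```python
# Predefined S3 groups; a grant to either one exposes the bucket beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# WRITE_ACP lets the grantee rewrite the ACL, so it is treated like write access.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def classify_bucket_acl(acl):
    """Return (level, public_grants) for a get-bucket-acl JSON document.

    level is "private" (1), "public-read" (2) or "public-write" (3),
    matching the three configurations listed above.
    """
    public = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            public.append((group, grant.get("Permission", "")))
    perms = {perm for _, perm in public}
    if perms & WRITE_LIKE:
        level = "public-write"
    elif perms:  # only READ (list keys) or READ_ACP (read the ACL)
        level = "public-read"
    else:
        level = "private"
    return level, sorted(public)


def make_grant(permission, uri=None):
    """Build one constructed sample grant (owner grant when uri is None)."""
    if uri:
        return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}
    return {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
            "Permission": permission}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Constructed sample ACLs, one per configuration; bucket names are made up.
SAMPLES = {
    "example-private": {"Grants": [make_grant("FULL_CONTROL")]},
    "example-listable": {"Grants": [make_grant("FULL_CONTROL"), make_grant("READ", ALL_USERS)]},
    "example-open": {"Grants": [make_grant("FULL_CONTROL"), make_grant("READ", ALL_USERS),
                                make_grant("WRITE", ALL_USERS)]},
}

if __name__ == "__main__":
    for name, acl in SAMPLES.items():
        print(name, *classify_bucket_acl(acl))
```

Any result other than `private` on a bucket that does not need to be public is a finding; enabling S3 Block Public Access on the bucket or account overrides such grants.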
How I found an open bucket in Razer
I was playing with this domain: https://api.razer.com. There is a file upload functionality. First I started uploading malicious files to see if I could get any RCE, but that was implemented properly. But when I uploaded something, the response showed the picture’s location, where the picture was uploaded, and that was an S3 bucket. Immediately I opened the terminal and ran this command to upload a txt file:
$ aws s3 cp test.txt s3://rzimageupload
And BaaM!! I could upload and delete files from the bucket. I reported it.
The next day I was testing the Razer Android app. Almost all programs don’t accept issues that require root access and a physical device. That’s why many hunters don’t check internal files. But I found this bucket: kaizo-s3-public.s3-ap-southeast-1.amazonaws.com in the share_prefs directory. And again this was also an open bucket. So I mentioned this in the previous report.
HackerOne report: https://hackerone.com/reports/700051
My report was triaged and I got a $500 bounty.
Thank you. Hope you enjoyed this. Stay tuned, because I have more web and Android reports to share.