Bug bounty research: hot or not - 13 Jul 2016
Scornhub - 26 May 2016
The meaning of life tastes like chicken - 24 Feb 2016
fucking astrology man - 09 Dec 2015
Freelance Consulting - 23 Nov 2015
The Wassenaar Effect - 09 Jun 2015
Scantastic! - 11 Feb 2015
It's all fucked - 05 Jan 2015
The tortured poet - 28 Dec 2014
Gone in 660 Seconds - 25 Nov 2014
College Graduation - 20 Nov 2014
Yahoo for the craic! - 21 Sep 2014
IRC what you did there... - 02 Aug 2014
Let me Bug you!? - 19 Jun 2014
Plesk 10 & 11 SSO XXE/XSS - 09 May 2014
Final Year Woes - 24 Apr 2014
SWMing in privilege, or drowning? - 10 Apr 2014
Lucid Surrealist Dreams and techno-lust. - 23 Mar 2014
New Raspberry piToy - 05 Feb 2014
Happy 2014! - 15 Jan 2014
Helpdesk Pilot Xss/CSRF Add an Admin - 30 Nov 2013
Squidoo.com $1,100 bug bounty - 02 Nov 2013
Yahoo Xss bug bounty - 01 Oct 2013
Moodle 2.0 Account Takeover - 04 Sep 2013
Xss Challenge Accepted - 17 Aug 2013
rpliy - rpi python web player - 25 Jul 2013
Busy times - 10 Jul 2013
Source Conference - 27 May 2013
Coinbase.com bug bounty - 04 May 2013
Xssive, Moodle and CSRF - 11 Apr 2013
Spoofing facebook content - 01 Apr 2013
Yahoo Pipes is Great! - 05 Mar 2013
Science Hack-day Dublin - 03 Mar 2013
Simple port scan - 26 Feb 2013
4chan-tool.py - 19 Feb 2013
Wix.com Xss - 11 Feb 2013
Crawl.py Url Crawling - 09 Feb 2013
Xssive Demo tool - 12 Jan 2013
Cyberbullying? - 27 Dec 2012
Merry XssMas - 24 Dec 2012
Watching BBC Streams - 10 Dec 2012
SWF Disassembly - 26 Nov 2012
C <3 - 16 Nov 2012
Greasemonkey XSS 2 - 21 Oct 2012
Work Logging App - 20 Oct 2012
Greasemonkey XSS - 30 Sep 2012
Guestbook XSS - 18 Sep 2012
OWASP Vicnum Project - 05 Sep 2012
August... - 05 Sep 2012
XSS Scenarios. - 30 Jul 2012
Imageroll - 06 Jul 2012
The Dangers of XSS - 14 Jun 2012
Facebook Canvas Graph - 08 Jun 2012
US Threat Gauge - 30 May 2012
Is this art? - 28 May 2012
Rss2Irc - 25 May 2012
Blackboard Xss Jungle - 14 May 2012
Url Info Scraper - 10 May 2012
pythonchallenge.com - 27 Apr 2012
Prime Generator - 15 Apr 2012
Sockso 1.51 Xss - 07 Apr 2012
Facebook Images - 03 Apr 2012
Google Hacking - 31 Mar 2012
Ubuntu 10.10 Hardening - 18 Mar 2012
2nd Year Revisited - 17 Mar 2012

Plesk 10 & 11 SSO XXE/XSS

This blog post is about complete failure that resulted in a win. In IRC I noticed people chatting about the offensive-security.com bugbounty. As they are the provider of what are meant to be some of the best security courses and certificates in the business. I looked fondly towards this as a great challenge. I decided to set aside 2 or 3 hours this evening to have a poke at their sites. I'm currently in the closing stages of my final year in college so I've been very busy of late, this few hours is all I could spare.

After some searching and fumbling around I came across the domain https://sun.backtrack-linux.org. This then redirected me to an ns******.ovh.net domain. I was greeted with the familiar page of a Parallels plesk panel. This if you are unfamiliar is used by many hosting and service providers as a way of managing multiple web services. It is an interesting bit of software. It allows some lower level administrative tasks be managed from a single web interface. This is perfect for anyone who may be into that sort of thing. It could also be seen as a web hosting package manager. The image you see below is a default placeholder page for a service that was just set up.

Since I was familiar with plesk, I Immediately appended port 8443 to my request. After some strange redirects I was sent to a login page. This page had "Parallels Plesk Panel 11.0.9" as the title. The url after the redirects looked like the following: https://ns******.ovh.net:8443/sso/ui. At this point I was sure there was something amiss here. I googled sso and discovered this was plesk Single sign on.

I then decided to poke at the redirect pages, After viewing the source of the pages I noticed some interesting parameters. The first one to catch my eye was response_url Playing around with this adding "javascript:prompt(/dicks/)" did nothing :( Next I noticed the SAMLRequest parameter...

This parameter was simply encoded with base64, I was delighted to see xml when I decoded it. What we have here is a samlp:AuthnRequest in the form of xml. In this was also parameters such as the URI and Destination, I knew one of these would allow me to redirect to get me javascript execution. So I replaced the parameters with javascript:prompt(document.domain); and created my own CSRF html page. I then submitted the page to https://ns******.ovh.net:8443/relay which resulted in a wondrous popup. Below you can see the XML that I base64 encoded

I knew offensive-security didn't accept reflective cross site scripting as part of their bounty but I reported it anyway, solely because at this point I was convinced I had just XSS'd one of their admin panel plesk domains. The proof of concept for the XSS is at the following location makthepla.net/pleskXSSpoc.php?url=

Next I tried playing around with some Xml External Entity injection. I simply took the format of the XMl and changed it to include /etc/passwd This can't work right? WRONG. I was greeted with the following... I can now read arbitrary files from your webserver bro. I sent this information onto offensive-security.com, still convinced I'd just made myself $500. Turns out it was an old domain and they didn't own the IP. Oops... Luckily there was nothing on it yet.

I created a proof of concept for this too, at the following location makthepla.net/pleskXXEpoc.php?url= The URl param is simply inserted into the form for you.

So, I don't have the time to set up an environment to test exactly what versions are vulnerable. The latest versions (12x) and the older (8x & 9x) varieties don't seem to be, nor do any Windows or Nginx versions. For this to work SSO needs to be enabled (which it seems to be by default) and you need to be redirected to /relay for this to work. I tested this bug on a few 11.0.9 and 10.4.4 varieties and it worked successfully. Through some google-fu there did seem to be a lot of sites using these versions. Don't shoot the messenger ;)

So I failed to get a bounty, but I did find a neat bug that I'm pretty sure wasn't publicly disclosed before. If it has been I certainly haven't found it. I'll eventually write this up more formally and submit it to full-disclosure or something... I love finding bugs in slightly older software that was somehow missed by many. Anyway! HAPPY HUNTING