Hello, luvs,
I haven't blogged for a while. We are facing a sad pandemic 😷, so I've decided to write this post to make an important announcement and also to entertain you with an interesting vulnerability I've found. Please read the short intro.
This post is gonna be short; it shows you the world's shortest P1, which only means one thing: the bugs you are not finding are the bugs you are not looking for! You hear this on Twitter these days; well, here is the proof of how right it is. Also, I want to announce that we've made SMFD free during the current sad #COVID2019 situation. You can read the whole announcement here.
When I was a teenager, I had this cool Razer mousepad and mouse and used them for playing Counter-Strike :D. So when I saw that they have a bug bounty program on HackerOne, for the sake of good past memories I gave it a shot. I found some interesting subdomains and spent some time on the main app.
This issue is patched now, so the links aren't going to work. While poking around I found an interesting page, https://mysupport.razer.com/app/account, which contains some interesting JavaScript code:
// Razer ID and contact id of the logged-in support user (redacted here)
var razerId = 'razer######';
if (razerId !== "") {
    $(".rn_DisplayName").text(razerId);
}
var loginContactID = Number('20#####');
if (loginContactID == 0) {
    // No help-centre contact yet: start the Razer ID SDK flow
    window.RzSdk = function () {
        rz.init({
            client_id: '3acd8fd57cc5de89d69237a9726abd#######',
            scope: '',
        });
        rz.verify();
    };
    // Callback from the SDK; on success it hands the user off to the
    // custhelp integration endpoint using only the returned account details
    window.setInfo = function (info) {
        console.log(info);
        if (info.hasOwnProperty("error")) {
            console.log("has error");
        } else {
            console.log(window.location.href);
            var href = "https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?";
            href += "account=" + info["account"];
            href += "&firstname=" + info["firstname"];
            href += "&lasttname=" + info["lastname"]; // "lasttname" typo is as disclosed on the page
            href += "&url=" + window.location.href;
            window.location.href = href;
        }
    };
}
The most notable part is the endpoint:
https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP
With the exciting name of "loginUserFromCP," it seems to take a few parameters, so I tried an invalid parameter, and the application returned a regex error.
https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?account=h1
returns:
error:Pattern does not match: value 'h1' does not match pattern '^((([-_!#$%&'*+/=?^~{|}\w]+(.[.]?[-_!#$%&'+/=?^~`{|}\w]+))|("[^"]+"))@[0-9A-Za-z]+([-]+[0-9A-Za-z]+)(.[0-9A-Za-z]+([-]+[0-9A-Za-z]+))+[; ]*)$'; Contact.Emails[0].Address
Interesting, but on its own this is just a partial code disclosure without security impact (unless we can find a way to bypass it).
So next I tried entering my test username:
https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?&account=0xsha%[email protected]
Then I see a redirect to https://mysupport.razer.com/app/account/account_overview, but if we visit https://razer--tst1.custhelp.com, it logs us in as that user, who can create a case. During my test, when you log in using this link, you cannot see the user's existing support cases (a different DB?), but you can trigger an email from Razer, or open and view any cases created there, all without authentication.
https://razer--tst1.custhelp.com/app/account/questions/incident_details/i_id/2753808 (it should ask for authentication)
https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?&account=0xsha%[email protected] (it should redirect you to Razer ID but does not log in)
https://razer--tst1.custhelp.com/app/account/questions/incident_details/i_id/2753### (we can see the ticket)
Finally, I checked the vulnerable path on the main domain:
https://mysupport.razer.com/cc/Integration/RazerIDAuth/loginUserFromCP?account=a
https://mysupport.razer.com/cc/Integration/RazerIDAuth/loginUserFromCP?account=email
https://mysupport.razer.com/cc/Integration/RazerIDAuth/[email protected]
At this point, I knew it was a severe bug, so I reported it, but it turned out to be a duplicate, found by @p3rr0he, who also took it further and recovered the correct primary support email username (via brute force and contact pages; support subdomains are at least a few places to look).
Here is how the final report panel looked:
Feb 17th: Reported the issue.
Feb 18th: "Nice find and good work on this; unfortunately, it's a duplicate."
Mar 4th: Issue resolved.
Okay, that's it. What a beautiful bug!
0xSha