1
00:00:00,560 --> 00:00:03,290
Hello, everyone, and welcome to this video.

2
00:00:03,890 --> 00:00:09,080
So in this video, we are going to see command injection through broken link hijacking.

3
00:00:09,080 --> 00:00:13,340
So it is a very, very interesting report that we have come across.

4
00:00:13,640 --> 00:00:23,030
And here, the report was submitted to Facebook, and Facebook rewarded $500 for this specific

5
00:00:23,030 --> 00:00:23,870
vulnerability.

6
00:00:24,380 --> 00:00:30,530
Now, you may be thinking that we have seen what broken link hijacking is, and now are we able to do

7
00:00:30,560 --> 00:00:32,980
command injection through broken link hijacking?

8
00:00:32,990 --> 00:00:39,690
And the answer is yes, you are able to do it if you find the right test case scenario.

9
00:00:40,490 --> 00:00:41,020
All right.

10
00:00:41,030 --> 00:00:42,210
So let's see this.

11
00:00:42,920 --> 00:00:46,580
So this guy used a dork.

12
00:00:46,580 --> 00:00:54,550
As you can see, this is the Google dork, which is organization Facebook and

13
00:00:54,560 --> 00:00:55,040
s3.amazonaws.com.

14
00:00:55,220 --> 00:01:04,940
Now, we know that S3 is a service by Amazon AWS in which we can create our bucket and we can host

15
00:01:04,940 --> 00:01:06,420
our content in it.

16
00:01:07,070 --> 00:01:14,390
We have already seen how to create a bucket in our subdomain takeover videos, in which we successfully

17
00:01:14,720 --> 00:01:18,810
made a bucket and took over many of the subdomains.

18
00:01:19,670 --> 00:01:20,140
All right.

19
00:01:20,420 --> 00:01:29,390
So now, when this guy used this dork, he came across multiple results, and one of the projects was this.

20
00:01:29,390 --> 00:01:33,200
As you can see, this repository is owned by Facebook.

21
00:01:33,830 --> 00:01:42,020
And you can see there is a bash script with the name

22
00:01:42,020 --> 00:01:43,400
setup_processed_[inaudible]_data.sh.
23
00:01:43,850 --> 00:01:45,110
Now, this is the script.

24
00:01:45,290 --> 00:01:45,730
All right.

25
00:01:45,800 --> 00:01:47,600
So let's have a look over here.

26
00:01:48,800 --> 00:01:51,150
And you can see what this bash script

27
00:01:51,230 --> 00:01:51,950
exactly

28
00:01:51,950 --> 00:01:57,680
does: you can see it sends a wget command to a URL.

29
00:01:57,860 --> 00:02:00,890
And what is the URL pointing to?

30
00:02:00,920 --> 00:02:02,090
An S3 bucket.

31
00:02:02,510 --> 00:02:04,880
The bucket name is fair-data.

32
00:02:05,300 --> 00:02:07,880
And you can see there is a gunzipped

33
00:02:07,880 --> 00:02:13,340
file, which is basically a zip file, which is data.tgz.

34
00:02:14,600 --> 00:02:22,220
Now, any attacker can simply take over the bucket and place a malicious file in the same path, as shown

35
00:02:22,220 --> 00:02:23,370
in the above image.

36
00:02:23,690 --> 00:02:29,180
So if you have a closer look, you can see the path after fair-data, which is the bucket name:

37
00:02:29,180 --> 00:02:38,150
the path is memnn/kvmemnn, and then the file, which is data.tgz, which is

38
00:02:38,150 --> 00:02:38,810
a zip file.

39
00:02:38,990 --> 00:02:39,460
All right.

40
00:02:39,680 --> 00:02:43,730
So let's quickly have a look at the steps to reproduce this vulnerability.

41
00:02:44,060 --> 00:02:50,420
Remember, this is a very, very simple vulnerability that was identified and can easily be reproduced.

42
00:02:51,440 --> 00:02:55,370
So the first step is to create an S3 bucket named fair-data.

43
00:02:55,610 --> 00:03:00,250
And we have already seen how to create buckets in the subdomain takeover videos.

44
00:03:00,830 --> 00:03:09,210
Next, create a folder which is memnn; inside it, again create a folder which is kvmemnn, and

45
00:03:09,210 --> 00:03:13,310
place the malicious file, which is data.tgz, over there.
46
00:03:13,670 --> 00:03:17,010
And it should look something like this, as you can see over here.

47
00:03:17,310 --> 00:03:19,110
Now, what is the impact?

48
00:03:19,460 --> 00:03:25,860
So the attacker is able to control the file, which is this file.

49
00:03:26,210 --> 00:03:35,180
Now, if the users download the bash script, which is the bash script setup_processed_[inaudible]_data.sh, this script

50
00:03:35,180 --> 00:03:43,130
will get downloaded, which is controlled by the attacker, and the attacker can execute malicious and harmful

51
00:03:43,550 --> 00:03:46,320
commands on the system of end users.

52
00:03:47,360 --> 00:03:51,980
So the victim trusts the shell file, which is mentioned in the Facebook repository.

53
00:03:52,340 --> 00:03:57,630
So the victim will think, as the shell file is in the repository which has been hosted by Facebook,

54
00:03:57,650 --> 00:04:04,670
it should be something legitimate, right? But it is the attacker-controlled repository and contains

55
00:04:04,670 --> 00:04:09,980
some harmful commands that may cause some disruption in the Linux system.

56
00:04:10,970 --> 00:04:18,050
As you can see, the reward that was given by Facebook was five hundred dollars on 16th January 2020,

57
00:04:18,560 --> 00:04:20,510
and here is the message they wrote:

58
00:04:20,900 --> 00:04:25,920
"After reviewing the issue, we have decided to award you a bounty of $500.

59
00:04:26,390 --> 00:04:30,420
Below is an explanation of the bounty amount: S3 bucket takeover.

60
00:04:30,440 --> 00:04:36,080
Usually these submissions are low-impact and are not eligible for the Whitehat program, but in this case,

61
00:04:36,080 --> 00:04:40,350
the bucket contains an executable shell script that could be written by other people."

62
00:04:40,820 --> 00:04:47,960
So this actually contains the severity, and it has been understood that it may pose a risk to all its

63
00:04:48,320 --> 00:04:48,940
customers.
64
00:04:49,610 --> 00:04:51,200
So I hope you guys understood this:

65
00:04:51,380 --> 00:04:58,730
how an interesting scenario can be chained, which is command injection with broken link hijacking.

66
00:04:59,240 --> 00:05:00,040
So I hope you guys understood.

67
00:05:00,600 --> 00:05:01,140
Thank you.