Chained exploit leads to shell access

Security researchers earned $50k after exposing critical flaw in Apple travel portal

Security researchers have earned a $50,000 bug bounty after uncovering a critical flaw in Apple’s travel portal.

Rahul Maini and Harsh Jaiswal were able to achieve remote code execution (RCE) by chaining together a series of vulnerabilities to exploit the targeted domains.

The bug hunting exercise was inspired by earlier work by Sam Curry and his associates that uncovered no fewer than 55 vulnerabilities in Apple’s web infrastructure, earning a cumulative bug bounty of $288,000.

Curry is continuing his work and this week went public with vulnerabilities in Apple’s domain that created a means to get billing data from any Apple user.

Lucee in the sky with exploits

In a detailed technical write-up, Maini and Jaiswal explain how the early stage of their bug hunt narrowed their range of targets to three hosts running a content management system (CMS) backed by Lucee, a Java-based tag and scripting language used for web application development.

“We opted to focus on Lucee as it exposed an admin panel and had [a] history of vulnerabilities,” the researchers explain.

Lucee’s admin panel was accessible on three different Apple hosts, two of which were running an outdated version of the software.

Further investigation by the researchers uncovered Lucee misconfiguration issues that would have allowed an attacker to access authenticated ColdFusion (CFM) files directly, clearing the way for a skilled hacker to carry out admin actions without ever authenticating.

WAF bypass

Initial attempts to exploit this find were blocked by Apple’s web application firewall (WAF).

But via the imgProcess.cfm and admin.search.index.cfm functions the researchers were able to overcome this obstacle and achieve RCE on the facilities.apple.com domain.

This attack worked without tripping up the WAF because it could be carried out without attempting a path traversal or other blocked action.

The problematic imgProcess.cfm function was not available on the outdated versions of Lucee present on two travel-related Apple domains.
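A WAF that only matches traversal strings has nothing to match here, so the more useful control is on the log side: look for direct requests to Lucee's administrator CFM files and for URL schemes (zip://, file://) turning up inside request parameters. The scanner below is an added example, not code from the article or from the researchers' write-up; the access-log lines are constructed for the demonstration, and /lucee/admin/ is Lucee's real administrator context path.

```python
"""Log-side detection for the two conditions the article describes: direct
requests to Lucee's admin CFM files, and URL schemes (zip://, file://) smuggled
into request parameters that may reach filesystem functions.
Added example; not from the original article or the researchers' write-up."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). Client IPs come
# from documentation ranges and the request paths are made up for this demo.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2021:10:00:00 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2021:10:00:01 +0000] "GET /lucee/admin/server.cfm HTTP/1.1" 200 88
203.0.113.5 - - [10/Feb/2021:10:00:02 +0000] "GET /app/upload.cfm?luceeArchiveZipPath=zip%3A%2F%2F%2Ftmp%2Fext.lex HTTP/1.1" 200 88
198.51.100.7 - - [10/Feb/2021:10:00:03 +0000] "GET /app/search.cfm?q=file%20not%20found HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A URL scheme prefix such as zip:// or file:// at the start of a parameter value.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)
ADMIN_PREFIX = "/lucee/admin/"  # Lucee's administrator context path


def scan_log(text):
    """Return (client_ip, rule, detail) tuples for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        parts = urlsplit(m.group("target"))
        path = unquote(parts.path)
        # Rule 1: a CFM file under the admin context requested directly.
        if path.lower().startswith(ADMIN_PREFIX) and path.lower().endswith(".cfm"):
            findings.append((m.group("ip"), "admin_cfm_direct_access", path))
        # Rule 2: any decoded parameter value that begins with a URL scheme.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if SCHEME_RE.match(value):
                    findings.append((m.group("ip"), "scheme_in_parameter", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for ip, rule, detail in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{detail}")
```

Rule 1 will also fire on legitimate administrator logins, so baseline it against the source addresses that are expected to reach the admin context; rule 2 is the one that catches the scheme-based variant a traversal-only WAF signature misses.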

The researchers overcame this hurdle by putting together an exploit based on Lucee extension (.lex) files, which had useful properties in the context of Lucee server exploitation.

“A .lex file is actually nothing but an archive or a zip file with [the] '.lex' extension which is actually a format of Lucee’s extensions which we could upload,” the researchers explained. “Also, there’s no check on the contents, so we can set it to anything.”

“From playing around [with] Lucee, we knew that it allows using protocol/schemes like zip://, file:// etc. (which we utilized in this exploit chain) so we could specify these schemes wherever a FileSystem function had our fully controlled input (luceeArchiveZipPath in this case).”
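The two weaknesses the researchers describe, an upload whose contents are never checked and a filesystem function that accepts a URL scheme in a fully controlled parameter, map onto two input-validation checks on the server side. The code below is an added example written here, not Lucee's own code and not from the researchers' write-up: it confines a user-supplied archive path to an upload directory and refuses any scheme prefix, then verifies that an uploaded .lex body really is a zip with safe entry names. The upload directory and the requirement for a META-INF/MANIFEST.MF entry are assumptions made for the demonstration, and the sample archives are constructed inline.

```python
"""Server-side validation for an archive-upload feature.
Added example; not Lucee's code and not from the researchers' write-up."""
import io
import re
import zipfile
from pathlib import Path

# Any leading "scheme:" (zip:, file:, http:, or a Windows drive letter) is refused.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)
ALLOWED_SUFFIXES = {".lex", ".zip"}
MAX_ARCHIVE_BYTES = 20 * 1024 * 1024
UPLOAD_DIR = "/tmp/uploads"  # assumed upload location for this demo


def validate_archive_path(user_value: str, base_dir: str = UPLOAD_DIR) -> Path:
    """Map a user-supplied archive location onto a path confined to base_dir.
    Rejects URL schemes, NUL bytes, absolute paths and parent-directory traversal,
    and raises ValueError for anything it will not accept."""
    if SCHEME_RE.match(user_value):
        raise ValueError("URL schemes are not allowed in archive paths")
    if "\x00" in user_value:
        raise ValueError("NUL byte in path")
    candidate = Path(user_value)
    if candidate.is_absolute() or ".." in candidate.parts:
        raise ValueError("absolute or traversing path")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("unexpected extension")
    base = Path(base_dir).resolve()
    resolved = (base / candidate).resolve()
    if base not in resolved.parents:  # symlinks or odd components escaped the base
        raise ValueError("path escapes upload directory")
    return resolved


def validate_lex_archive(data: bytes) -> list:
    """Check that an uploaded .lex body is a well-formed zip whose entries are
    safe to unpack, and return the entry names. Requiring META-INF/MANIFEST.MF
    is a policy choice made for this example (assumption), not a rule from the
    article."""
    if len(data) > MAX_ARCHIVE_BYTES:
        raise ValueError("archive too large")
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip archive (bad magic or no entries)")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        corrupt = zf.testzip()  # CRC-checks every member
    except zipfile.BadZipFile as exc:
        raise ValueError(f"corrupt zip: {exc}")
    if corrupt is not None:
        raise ValueError(f"corrupt entry: {corrupt}")
    names = zf.namelist()
    for name in names:
        if name.startswith("/") or ".." in name.split("/") or "\\" in name or "\x00" in name:
            raise ValueError(f"unsafe entry name: {name!r}")
    if "META-INF/MANIFEST.MF" not in names:
        raise ValueError("missing extension manifest")
    return names


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; convenience for checks below."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed samples: a plausible extension, an archive with a traversing
# entry name, and a body that is not an archive at all.
GOOD_LEX = build_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                          "functions/hello.cfm": b"<cfoutput>hi</cfoutput>"})
BAD_LEX = build_archive({"../../evil.cfm": b"<cfscript></cfscript>"})
NOT_A_ZIP = b"<html>not an archive</html>"

if __name__ == "__main__":
    print(validate_lex_archive(GOOD_LEX))
    print(rejects(validate_lex_archive, BAD_LEX), rejects(validate_lex_archive, NOT_A_ZIP))
    print(validate_archive_path("ext.lex"), rejects(validate_archive_path, "zip:///tmp/x.lex"))
```

The path check deliberately refuses any "scheme:" prefix rather than listing zip:// and file://, since the point is that a parameter destined for a filesystem call should never be interpreted as a URL at all; the archive check inspects entry names before anything is extracted, because a malicious name does its damage at unpack time.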

Poppin’ shells

By chaining together these various issues it was possible to upload exploit code onto the vulnerable systems and achieve shell access.

The researchers conclude: “Apple promptly fixed the issue but requested us to not disclose the issue before they make some other changes.”

The developers behind Lucee have also acted to address vulnerabilities in their technology.

“[The] Lucee team has also fixed the bug by restricting access to CFM files directly,” the researchers add.

The Daily Swig approached Maini and Jaiswal for comment on their Apple bug hunting project. We’ve not had any word back as yet, but we’ll update this story as and when more information comes to hand.
