Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Dangerous Import: SourceForge Patches Critical Code Vulnerability- 1396

Stefan Schiller (SonarSource), posted 1 year ago
  • Apache Allura is used by many popular products. It is a platform that manages source code, bug reports, discussions and many other things. SourceForge uses it under the hood.
  • Within the discussion area, users can import/export arbitrary files by URL. Even though only http/https URLs should ever be accepted, a file:// URI is also accepted. The referenced file is then read from the server's local filesystem and attached, giving both an arbitrary file read and SSRF in one bug.
  • Using this, it's possible to read /etc/passwd. However, we can do better than that! Allura has a global session key used to sign its sessions, which are pickle-serialized. By reading the configuration file, it's possible to steal that key! Since we can now sign pickle-serialized session data, deserialization gives trivial code execution.
  • I think the remediation is interesting. First (and most obvious), the URL is checked to be either http or https. Additionally, there are SSRF checks to ensure that the target is not a local IP. Second, the pickle session storage was replaced with a JWT implementation so that a stolen key can never again lead to RCE this way. Overall, a simple bug leads to RCE in a widely used product.
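The two URL checks the write-up describes (scheme restricted to http/https, and no local or private target) are the part of the fix most easily reused elsewhere. The following is an added example written for this page, not Apache Allura's own code: a small validator that applies both checks, with a pluggable resolver so it can be exercised offline. The function and variable names, and the constructed `fake_dns` table, are all assumptions made here.

```python
"""Added example (not Apache Allura's code): the scheme and non-public-address
checks that a URL import feature needs before fetching anything.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Resolver signature: hostname -> iterable of IP address strings.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Real A/AAAA lookup through the OS resolver (used outside tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def fake_dns(host: str) -> Iterable[str]:
    """Constructed lookup table for offline demonstration (hypothetical data)."""
    table = {
        "example.com": ["93.184.216.34"],
        "localhost": ["127.0.0.1"],
        # A name that maps to both a public and a private address must be
        # rejected: a client may connect to either one.
        "mixed.example": ["93.184.216.34", "10.0.0.5"],
    }
    return table[host]


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_import_url(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a reason for rejection."""
    parts = urlsplit(url)
    # Check 1: only http/https. This alone stops file:// and other schemes.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        return "missing host"
    # Check 2: the host must not point at loopback, private or link-local
    # space. A literal IP is checked directly; a name is resolved and every
    # returned address is checked.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except (OSError, KeyError) as exc:
            return f"cannot resolve {host!r}: {exc!r}"
        if not addrs:
            return f"{host!r} resolved to no addresses"
    for addr in addrs:
        if not is_public_ip(addr):
            return f"host {host!r} maps to non-public address {addr}"
    return None


if __name__ == "__main__":
    for candidate in [
        "file:///etc/passwd",
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/",
        "http://localhost/",
        "http://mixed.example/",
        "https://example.com/export.json",
    ]:
        print(f"{candidate:40} -> {validate_import_url(candidate, fake_dns) or 'OK'}")
```

Two caveats a practitioner should keep in mind: the resolution check is only as good as the moment it runs, so the HTTP client that performs the fetch should connect to the address that was validated (or re-validate at connect time) rather than resolving again, and any redirect the client follows must go through the same validator, since a public host can redirect to a private one.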