cdnjs is a JavaScript/CSS library CDN owned by Cloudflare, and as of 15 July 2021 it is used by 12.7% of all websites on the internet. So, an extremely popular service. The author of the post was interested in cdnjs/bot-ansible and cdnjs/tools, because those repositories automate the library update process.
The autoupdate command works by downloading the user-managed Git repository and copying the files out of it. When it instead downloads the NPM version of the package (for updating globally), it fetches a tgz compressed file. Unpacking that archive with a library function opens the door to directory traversal (../ in entry names)!
Most CLI archivers unpack things securely. However, the library functions that do the same job in many languages are years behind on this. As a result, a crafted entry name would make the server download the package and extract its files to wherever we wanted on the server. By overwriting a bash script, a library or something else, this could be turned into code execution quickly.
The above vulnerability was in the npm functionality. When playing around with the git repo functionality, the author of the post noticed that symbolic links were NOT being handled. Because of this, a symbolic link in the repository could be used to gain an arbitrary file read primitive. They used this to read GitHub automation secrets and many other things on the server.
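As an added example (not code from the cdnjs tools or from the post), here is the entry check a tgz extractor should apply to every tar header before creating anything on disk; it rejects the ../ traversal from the npm path and the out-of-tree symlink from the git path with the same rule. The destination path and the entry names are constructed for the demo.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// insideDest joins name onto dest and rejects anything that ends up outside it.
// Join cleans the ../ segments, so "pkg/../../x" resolves to a sibling of dest.
func insideDest(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	full := filepath.Join(dest, name)
	if full != dest && !strings.HasPrefix(full, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", name, dest)
	}
	return full, nil
}

// CheckEntry is the policy to apply to each tar header before touching disk:
// only directories, regular files and relative, in-tree symlinks are allowed.
func CheckEntry(dest string, hdr *tar.Header) error {
	if _, err := insideDest(dest, hdr.Name); err != nil {
		return err
	}
	switch hdr.Typeflag {
	case tar.TypeDir, tar.TypeReg:
		return nil
	case tar.TypeSymlink: // the target is relative to the link's own directory
		if filepath.IsAbs(hdr.Linkname) {
			return fmt.Errorf("absolute symlink %q -> %q", hdr.Name, hdr.Linkname)
		}
		_, err := insideDest(dest, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname))
		return err
	default: // hardlinks, devices and the like have no place in a library tarball
		return fmt.Errorf("refusing entry %q of type %d", hdr.Name, hdr.Typeflag)
	}
}

// Demo on constructed headers and a constructed destination: the two shapes the write-up describes.
func main() {
	for _, h := range []tar.Header{
		{Name: "pkg/dist/lib.js", Typeflag: tar.TypeReg},
		{Name: "pkg/../../../outside.sh", Typeflag: tar.TypeReg},
		{Name: "pkg/link", Linkname: "../../secrets", Typeflag: tar.TypeSymlink},
	} {
		fmt.Printf("%-28s %v\n", h.Name, CheckEntry("/srv/cdnjs/unpack", &h))
	}
}
```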
This is a really crazy find! When publishing user-supplied files to cdnjs, Cloudflare did not sanitize the input files properly. Had this been exploited, it could have resulted in the compromise of a significant number of websites on the internet. Symlinks and directory traversal are attacks that just never get old :)