Full Report

Not every security vulnerability is high risk on its own - but in the hands of an advanced attacker, even small weaknesses can escalate into major breaches. These five real vulnerabilities, uncovered by Intruder’s bug-hunting team, reveal how attackers turn overlooked flaws into serious security incidents.

1. Stealing AWS Credentials with a Redirect

Server-Side Request Forgery (SSRF) is a
Analysis Summary
# Vulnerability: Multiple Vulnerabilities Disclosed by Intruder's Research Team
## CVE Details
- CVE ID: **CVE-2021-22204** (One specific CVE mentioned in relation to ExifTool)
- CVSS Score: Not explicitly provided for any finding. **CVE-2021-22204** (ExifTool RCE) is rated high severity in public advisories; the other findings are described by impact rather than by formal CVSS scores.
- CWE: No CWE identifiers are given; the weakness classes are SSRF, an exposed Git repository leading to authentication bypass and SQL injection, RCE via a vulnerable file-processing library (ExifTool), cache poisoning leading to XSS, and IDOR / broken access control.
## Affected Systems
- **Products:** A home-moving application running in AWS, a university web application, a document signing application (using ExifTool), an auction application, and various proprietary APIs (involving user management, document access, and order processing).
- **Versions:** Not specified for most applications, but the application using ExifTool was vulnerable to **CVE-2021-22204**, implying a version predating the fix for that specific flaw.
- **Configurations:**
* Failure to enforce IMDSv2 in AWS environment.
* Unintentionally exposed `.git` repository.
* Application followed HTTP 302 redirects to internal metadata services.
* Use of vulnerable third-party library (ExifTool).
* Chaining of Self-XSS with a cache-poisoning vulnerability.
* APIs exhibiting IDOR (e.g., exposed user profile IDs, PDF assets, and order numbers via sequential numbering/guessable IDs).
## Vulnerability Description
The research identified five distinct attack chains involving overlooked or chained vulnerabilities:
1. **SSRF leading to AWS Credential Theft:** A web application's webhook client followed a 302 redirect to the AWS Instance Metadata Service, exposing the instance's AWS credentials; enforcing IMDSv2 would have prevented this.
2. **Escalation via Exposed Repository:** An exposed `.git` repository provided source code, leading to the discovery of a hidden authentication bypass parameter, which further led to a blind SQL Injection in an authenticated page, granting database access.
3. **Remote Code Execution (RCE):** A document signing application utilizing an outdated version of `ExifTool` was vulnerable to **CVE-2021-22204**. Uploading a specially crafted PDF resulted in RCE as the `www-data` user.
4. **Site-Wide Persistent XSS:** A low-risk Self-XSS vulnerability in an auction app was escalated to a severe, site-wide XSS attack by chaining it with a cache-poisoning vulnerability, leading to session hijacking for all users.
5. **IDOR/Broken Access Control:** APIs exhibited insecure direct object references (IDOR) where modification of single numeric identifiers (`user_id`, document numbers, `OrderNo`) in GET/POST requests exposed sensitive data belonging to other users, employers, or administrators.
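As an added example for finding 5 (this is not code from the Intruder report or from any application it describes), the Python sketch below places the IDOR pattern beside a handler that enforces object-level authorization. The in-memory stores, user roles, identifiers and helper names are all constructed assumptions for the illustration.

```python
import uuid
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str  # constructed roles for the example: "user" or "admin"


@dataclass
class Document:
    doc_id: str
    owner_id: int
    content: str


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed in-memory stores standing in for the API's database.
DOCUMENTS: dict = {}
PROFILES = {
    1: {"name": "alice", "email": "alice@example.test"},
    2: {"name": "bob", "email": "bob@example.test"},
}


def create_document(owner: User, content: str) -> Document:
    # Random identifiers stop guessing, but they are not an access check on their own.
    doc = Document(doc_id=str(uuid.uuid4()), owner_id=owner.user_id, content=content)
    DOCUMENTS[doc.doc_id] = doc
    return doc


def get_document_vulnerable(current_user: User, doc_id: str) -> Document:
    # IDOR pattern: the caller is authenticated, but ownership is never checked,
    # so any valid (or guessed) identifier returns another user's document.
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id]


def get_document(current_user: User, doc_id: str) -> Document:
    doc = DOCUMENTS.get(doc_id)
    # Same response for "missing" and "not yours" so existence is not leaked.
    if doc is None or (doc.owner_id != current_user.user_id and current_user.role != "admin"):
        raise NotFound(doc_id)
    return doc


def get_profile(current_user: User, requested_user_id: int) -> dict:
    # The user_id in the request must match the session unless the caller is an admin;
    # the client-supplied identifier on its own grants nothing.
    if current_user.role != "admin" and requested_user_id != current_user.user_id:
        raise Forbidden(requested_user_id)
    if requested_user_id not in PROFILES:
        raise NotFound(requested_user_id)
    return PROFILES[requested_user_id]


if __name__ == "__main__":
    alice, bob = User(1, "user"), User(2, "user")
    doc = create_document(alice, "alice's CV")
    print(get_document_vulnerable(bob, doc.doc_id).content)  # IDOR: bob reads alice's document
    try:
        get_document(bob, doc.doc_id)
    except NotFound:
        print("hardened handler refuses bob")
```

The authorization decision is made from the server-side session (`current_user`) and the stored owner, never from anything the client sent; switching to random identifiers is worthwhile defence in depth but does not replace that check.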
## Exploitation
- Status: **PoC available** (The research team successfully demonstrated proof-of-concept exploitation for all five scenarios).
- Complexity: Varied, ranging from **Low** (IDOR) to **Medium/High** (Chaining SSRF/Redirects, Chaining XSS/Cache Poisoning).
- Attack Vector: Primarily **Network** (SSRF, SQLi, XSS, IDOR). The RCE also started over HTTP: a crafted PDF was uploaded and then processed server-side by ExifTool.
## Impact
- Confidentiality: **High** (Exposure of AWS credentials, sensitive university database content, job seeker CVs, order data).
- Integrity: **High** (Ability to modify user profiles, execute arbitrary SQL, RCE leading to system takeover).
- Availability: **Medium** (SQLi or RCE could lead to service disruption, though this was not the primary goal).
## Remediation
### Patches
- **CVE-2021-22204:** Update **ExifTool** to a version mitigating this RCE vulnerability.
- **SSRF/AWS:** Enforce **IMDSv2** (IMDSv1 disabled) on all instances fetching metadata.
- **SQLi/Bypass:** Remove the hidden authentication bypass parameter, and use parameterized queries (with input validation) so the authenticated page can no longer be used for SQL Injection.
- **XSS/Cache Poisoning:** Fix the underlying XSS with output encoding, and configure caching so that any request input that influences a response is part of the cache key (or is ignored by the server), so user-supplied data cannot be cached into responses served to other users.
- **IDOR/API Access:** Implement rigorous **authentication and authorization checks** on all resource identifiers (e.g., verify `user_id` in the request matches the logged-in user's permissions).
### Workarounds
- For SSRF: Disable automatic redirect following in the webhook client (or validate the destination of every hop) so a user-supplied URL cannot redirect the request to the metadata service.
- For Exposed Code: Immediately restrict access to the `.git` repository or application source code via server configuration (e.g., a web server rule denying requests to `.git/`, and keeping the repository out of the deployed document root). Note that a `.gitignore` entry only controls what is committed and does not stop an already-deployed `.git` directory from being served.
- For API Access: Implement rate limiting and strict access control list (ACL) checks on all endpoints handling resource IDs.
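As an added example for the SSRF remediation and workaround above (not code from the Intruder report or the affected application), here is a Python webhook client that never follows redirects automatically: it validates every hop, resolves the hostname, and refuses any address in link-local or private ranges, so a user-supplied URL that 302s to `169.254.169.254` is rejected before the request is sent. The blocked-range list and the transport/resolver hooks are assumptions made for the example; it uses only the standard library.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Address ranges a webhook client must never reach; 169.254.0.0/16 covers the
# AWS metadata endpoint 169.254.169.254. The list is an assumption for this example.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fd00::/8", "::ffff:0:0/96",
)]
REDIRECT_CODES = (301, 302, 303, 307, 308)


class UnsafeTarget(Exception):
    pass


def resolve_host(host):
    """Return every address the name resolves to (all of them must be checked)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_url(url, resolver=resolve_host):
    """Reject non-HTTP schemes and any host that resolves into a blocked range."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise UnsafeTarget("missing host")
    try:
        addrs = {ipaddress.ip_address(parsed.hostname)}   # literal IP in the URL
    except ValueError:
        addrs = {ipaddress.ip_address(a) for a in resolver(parsed.hostname)}
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETWORKS):
            raise UnsafeTarget(f"{url} resolves to blocked address {addr}")
    return parsed


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand the 3xx back to the caller instead of following it


def urllib_transport(url, timeout=5):
    """Perform one request with redirects disabled; returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:   # 3xx surfaces here because nothing handled it
        return err.code, dict(err.headers), err.read()


def fetch_webhook(url, transport=urllib_transport, resolver=resolve_host, max_hops=3):
    """Fetch url, following at most max_hops redirects and validating every hop.

    `transport(url)` must perform a single request without following redirects.
    Returns (status, body, hops) where hops lists every URL that was contacted.
    """
    hops = [url]
    for _ in range(max_hops + 1):
        validate_url(url, resolver)           # runs before each hop is contacted
        status, headers, body = transport(url)
        if status not in REDIRECT_CODES:
            return status, body, hops
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            raise UnsafeTarget("redirect without Location header")
        url = urljoin(url, location)          # relative and protocol-relative targets resolved here
        hops.append(url)
    raise UnsafeTarget(f"more than {max_hops} redirects")
```

Turning off redirects in the HTTP client is not enough on its own when the first hop is user-controlled: the check has to run against the resolved address of every hop, and against every address a name resolves to, which is why `validate_url` takes a resolver. IMDSv2 is a separate server-side layer: its token must be obtained with a PUT request carrying a TTL header, which a redirected GET cannot do, so enforcing it would have stopped this chain even with a redirect-following client.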
## Detection
- **Indicators of compromise:**
* Outbound requests from the application host to the link-local metadata address (`169.254.169.254`), especially immediately after a redirect from an external webhook target, followed by non-standard application responses (for SSRF).
* Application logs showing sequential numeric alterations in resource IDs (for IDOR enumeration).
* Successful execution of unexpected commands in web server process contexts (for RCE).
- **Detection methods and tools:**
* Cloud security posture management (CSPM) tools should flag configurations lacking IMDSv2 enforcement.
* Static Application Security Testing (SAST) or manual code review should identify accessible source code repositories.
* Dynamic Application Security Testing (DAST) scanning should focus on manipulation of sequential or numeric resource IDs and on HTTP header reflection points.
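To make the indicators above concrete, the following added Python example (not from the Intruder report) runs the metadata-host and sequential-ID checks over constructed log lines, and adds a CSPM-style check that flags instances whose metadata options still accept IMDSv1. The log formats, client addresses, order numbers and instance ids are all constructed; the `MetadataOptions.HttpTokens` field mirrors the EC2 describe-instances output.

```python
import re
from collections import defaultdict

# Constructed sample logs: an egress log from the web tier and an API access log.
EGRESS_LOG = """\
2024-05-01T10:00:01Z app-web-1 GET https://hooks.example.test/cb status=302 location=http://169.254.169.254/latest/meta-data/iam/security-credentials/
2024-05-01T10:00:01Z app-web-1 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ status=200
2024-05-01T10:00:07Z app-web-1 GET https://hooks.example.test/ok status=200
"""

API_LOG = """\
203.0.113.7 - - [01/May/2024:10:01:00 +0000] "GET /api/orders?OrderNo=1001 HTTP/1.1" 200 532
203.0.113.7 - - [01/May/2024:10:01:01 +0000] "GET /api/orders?OrderNo=1002 HTTP/1.1" 200 540
203.0.113.7 - - [01/May/2024:10:01:01 +0000] "GET /api/orders?OrderNo=1003 HTTP/1.1" 200 511
203.0.113.7 - - [01/May/2024:10:01:02 +0000] "GET /api/orders?OrderNo=1004 HTTP/1.1" 200 498
203.0.113.7 - - [01/May/2024:10:01:02 +0000] "GET /api/orders?OrderNo=1005 HTTP/1.1" 200 523
198.51.100.4 - - [01/May/2024:10:01:03 +0000] "GET /api/orders?OrderNo=2231 HTTP/1.1" 200 530
198.51.100.4 - - [01/May/2024:10:05:09 +0000] "GET /api/orders?OrderNo=2231 HTTP/1.1" 200 530
"""

METADATA_HOST = "169.254.169.254"
# Common log format: client, identd, user, [timestamp], "METHOD path proto", status
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_metadata_requests(log_text):
    """Lines where the application tier contacted the metadata host, or was redirected to it."""
    return [line for line in log_text.splitlines() if METADATA_HOST in line]


def find_id_enumeration(log_text, param, min_run=5):
    """Clients whose distinct values for `param` contain a consecutive run of >= min_run ids."""
    seen = defaultdict(set)
    value_re = re.compile(rf"[?&]{re.escape(param)}=(\d+)")
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        v = value_re.search(m.group("path"))
        if v:
            seen[m.group("client")].add(int(v.group(1)))
    flagged = {}
    for client, values in seen.items():
        ordered = sorted(values)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = ordered
    return flagged


def instances_missing_imdsv2(describe_instances):
    """CSPM-style check: instance ids whose metadata options do not require IMDSv2 tokens.

    Input follows the Reservations -> Instances -> MetadataOptions.HttpTokens shape of
    the EC2 describe-instances response; the caller supplies the (constructed) data.
    """
    return [
        inst["InstanceId"]
        for res in describe_instances.get("Reservations", [])
        for inst in res.get("Instances", [])
        if inst.get("MetadataOptions", {}).get("HttpTokens") != "required"
    ]


if __name__ == "__main__":
    for hit in find_metadata_requests(EGRESS_LOG):
        print("metadata access:", hit)
    for client, ids in find_id_enumeration(API_LOG, "OrderNo").items():
        print(f"possible IDOR enumeration by {client}: {ids}")
```

The enumeration heuristic keys on a consecutive run of identifiers from one client rather than on request volume, which is what distinguishes probing of `OrderNo`-style sequential ids from a legitimately busy user; tune `min_run` to the endpoint.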
## References
- Vendor advisories for CVE-2021-22204 (ExifTool).
- The source article reports findings from **Intruder's bug-hunting team**.
- Related guidance: AWS documentation on IMDSv2 best practices; database vendor guidance on parameterized queries to mitigate SQLi.