How I Hacked Samsung’s Tizen OS & LG Electronics Private Project Management Instances

Introduction

Months ago I discovered a flaw hackers can use to access Samsung's and LG Electronics' internal bug tracking and project management instances running on Jira. The flaw takes only a couple of commands to exploit and can potentially give access to intranets, cause XSS, and do anything else SSRF can do, for example through a request such as,

https://public.example.com/proxy?url=admin-panel.example.com

The bug is still out there. I reported the vulnerability, and the usual BS followed which has led me to write this blog.

Usual Boring SSRF, Right?

Um, I guess you're right, pinging google.com is not cool, and neither is causing XSS. (Right?)

But when it is discovered on a cloud instance, things get a little more interesting, as attackers can reach the cloud metadata service, available over HTTP at a link-local (APIPA range) address, http://169.254.169.254/, which is reachable only from the instance itself.
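Because the bug described here hands a user-supplied URL to a server-side fetch, the usual fix is a guard that resolves the target and refuses anything that is not globally routable. The following is an added example, not code from this post or from Jira or Jiraffe; it assumes a constructed resolver table (FAKE_DNS and resolve) in place of real DNS and uses Python's ipaddress module to reject the 169.254.169.254 metadata endpoint, RFC 1918 intranet hosts and loopback, including the IPv4-mapped IPv6 form.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table so the example runs offline. A real guard
# resolves with socket.getaddrinfo() and checks EVERY returned address.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],       # public address
    "admin-panel.example.com": ["10.0.0.5"],    # RFC 1918 intranet host
    "metadata.internal": ["169.254.169.254"],   # cloud metadata service
}

def resolve(host, table=FAKE_DNS):
    """Return the addresses a hostname maps to; IP literals map to themselves."""
    if host in table:
        return table[host]
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return []  # unknown or malformed host (e.g. 0x7f000001): fail closed

def is_safe_fetch_target(url, resolver=resolve):
    """True only if url is http(s) and every address it resolves to is
    globally routable, i.e. not loopback, private, link-local (which
    covers 169.254.169.254), multicast or reserved."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolver(parts.hostname)
    if not addrs:
        return False
    for raw in addrs:
        addr = ipaddress.ip_address(raw)
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before checking.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False
    return True

def classify(urls, resolver=resolve):
    """Map each candidate URL to whether the proxy may fetch it."""
    return {u: is_safe_fetch_target(u, resolver) for u in urls}

if __name__ == "__main__":
    for url, ok in classify([
        "https://cdn.example.com/logo.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://admin-panel.example.com/",
    ]).items():
        print("allow" if ok else "block", url)
```

Pin the outgoing connection to the address that passed the check rather than resolving again at fetch time, otherwise a DNS rebinding answer can swap in a blocked address after validation.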

Samsung’s Tizen OS Bug Tracking Dashboard

In the process of researching a performance bug in Tizen OS (tizen.org), I came to know about https://bugs.tizen.org. The dashboard at https://bugs.tizen.org/secure/Dashboard.jspa has a severe SSRF vulnerability.

Proof of concept for XSS

Using an image metadata editor, I altered the EXIF metadata and crafted a malicious SVG which led to XSS.

The payload was,

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

Using Jiraffe, a one-stop security tool for exploiting Jira instances, I was able to quickly find that the server is hosted on Amazon AWS (fucking Bezos!) and was able to … well, I immediately stopped all testing as I didn't want to break any rules of engagement, and quickly sent in a report about my findings.

Yeah.

You should check out Jiraffe at @0x48piraj/Jiraffe or install it using pip:

$ pip install jiraffe

LG CNS

Google it. I’m not gonna deep dive into how big LG actually is.

I am actually not going to disclose the domain or the exact bug, because they sent an email just recently:

Dear PIYUSH RAJ,
As we said, LG CNS is a separate company from us.
Thus, we don't also have a contact point.
We'll contact the relevant department.
Thank you.
Best Regards,
LG PSRT.

I will update the blog once the issue is resolved.

Originally published at https://blog.0x48piraj.com on April 13, 2020.


Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com
