hackerone-bcm_messenger-2020-04-m-764243
API - Amazon S3 bucket misconfiguration
I analyzed the Android application. It was sending requests over HTTP rather than HTTPS.
A profile image was uploaded to http://47.52.75.65:8080//v1/attachments/s3/upload_certification.
The response of this API was as follows.
{
"downloadUrl":"https://d3v5qmgpw891au.cloudfront.net/profile/1CDfyqYQfPRs2m1a1VSMaD89GZ63Mwu78N/7a6998d3f4ab421e9619627b33f1ce6b",
"fields":[
{
"key":"key",
"value":"profile/1CDfyqYQfPRs2m1a1VSMaD89GZ63Mwu78N/7a6998d3f4ab421e9619627b33f1ce6b"
},
{
"key":"X-Amz-Credential",
"value":"AKIA3NG2JXZC3SY2WNXE/20191225/ap-east-1/s3/aws4_request"
},
{
"key":"X-Amz-Date",
"value":"20191225T002608Z"
},
{
"key":"X-Amz-Algorithm",
"value":"AWS4-HMAC-SHA256"
},
{
"key":"Policy",
"value":"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"
},
{
"key":"X-Amz-Signature",
"value":"dc4f9003a5613f72ee7b13154deaa503dcc23eb233d6fb651e12b907926f86ce"
}
],
"postUrl":"https://bcm-hk.s3.ap-east-1.amazonaws.com/"
}
Using the access-key-id AKIA3NG2JXZC3SY2WNXE on the bcm-hk bucket, files could be uploaded directly. I uploaded a file as a PoC.
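Added here as a defender-side illustration, not part of the original report: a Python check that decodes the Policy document an upload_certification-style endpoint hands to the client and flags the conditions that would let one signed POST write more than the single intended object. The two policy documents and the signing time below are constructed (the report's real Policy value is not reproduced on the page); the strong variant pins the exact key from the response above.

```python
import base64
import json
from datetime import datetime, timezone

def encode_policy(policy):  # the "Policy" form field carries the base64 of this JSON
    return base64.b64encode(json.dumps(policy).encode()).decode()
# Constructed sample policies: the report's real "Policy" value is not on the page.
# Signing time matches the response's X-Amz-Date (20191225T002608Z).
SIGNED_AT = datetime(2019, 12, 25, 0, 26, 8, tzinfo=timezone.utc)
WEAK_POLICY = encode_policy({
    "expiration": "2019-12-25T00:41:08Z",
    "conditions": [
        {"bucket": "bcm-hk"},
        ["starts-with", "$key", ""],  # empty prefix: any object key may be written
        {"X-Amz-Algorithm": "AWS4-HMAC-SHA256"},
    ],
})
STRONG_POLICY = encode_policy({
    "expiration": "2019-12-25T00:41:08Z",
    "conditions": [
        {"bucket": "bcm-hk"},
        {"key": "profile/1CDfyqYQfPRs2m1a1VSMaD89GZ63Mwu78N/7a6998d3f4ab421e9619627b33f1ce6b"},
        ["content-length-range", 1, 5 * 1024 * 1024],
        {"X-Amz-Algorithm": "AWS4-HMAC-SHA256"},
    ],
})

def audit_post_policy(policy_b64, signed_at, max_lifetime_s=900):
    """Return the weaknesses found in a base64-encoded S3 POST policy document."""
    policy = json.loads(base64.b64decode(policy_b64))
    findings = []
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if (expires.replace(tzinfo=timezone.utc) - signed_at).total_seconds() > max_lifetime_s:
        findings.append("expiration exceeds max lifetime")
    key_exact = key_prefix = has_bucket = has_length = False
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict):  # exact-match conditions
            key_exact |= "key" in cond
            has_bucket |= "bucket" in cond
        elif isinstance(cond, list) and len(cond) == 3:  # starts-with / range conditions
            op, field = str(cond[0]).lower(), str(cond[1]).lower()
            key_prefix |= op == "starts-with" and field == "$key" and cond[2] != ""
            has_length |= op == "content-length-range"
    if not key_exact:
        findings.append("key only prefix-constrained" if key_prefix else "key unconstrained: any object key writable")
    if not has_bucket:
        findings.append("no bucket condition")
    if not has_length:
        findings.append("no content-length-range: unbounded upload size")
    return findings
```

The same check applies to the bucket side: a policy that only prefix-constrains the key still lets a holder of one signed form overwrite other objects under that prefix, so the server should pin the exact key it has already chosen.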
tags: bughunting, web hacking, bcm messenger, wstg-conf-11, s3 misconf, severity medium