Exploiting File Upload Functionality in Unique Way.

Observe the behavior of your target. You may end up with a unique and cool findings.

Hey everyone! I hope you all are doing well!

Rohit soni is back with another write-up and this time it’s about a bug that I found few months back while working on internal pentesting project. The vulnerability could allow an attacker to change any user’s profile picture. Let’s dive into it without wasting time.

Note: I am strictly not allowed to disclose anything about the target. So, Let’s call it target.com

While roaming around the application I saw an upload functionality on careers page where a user can upload cv in pdf or doc format.

Careers page.

You already know the next step. I uploaded the file with .html extension containing a simple XSS payload (<script>alert(1)</script>) and It was uploaded. But things are not as easy as they appears. I located the URL where it was uploaded and as soon as I visited the URL, Instead of triggering my XSS payload it downloaded the html file I’ve uploaded. and one more thing I’ve noticed that, files uploaded through careers page are stored in cloudfront.

Additional Knowledge:

What is Amazon CloudFront:
Amazon CloudFront is a web service that speed up distribution of your static and dynamic web content, such as .html, .css, .js and image files to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.
In short, It is a content distribution system that used to give high performance on sharing web contents.

Read more about CloudFront: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html

Getting back to the vulnerability, my payload was uploaded on https://something.cloudfront.net/payload.html. After several fail attempts to execute my XSS payload I left the upload functionality.

I logged in and visited any random user’s profile. This time I wanted to find directory listing (Though it is a low hanging fruit. sometimes, you can find juicy information through directory listing). To do that I right clicked on profile picture of that random user and copied the image location and opened that location in a new tab.

Copied image location was something like this: https://something.cloudfront.net/randomnumber_IMG_randomnumber.jpeg As you can observe that profile pictures of users are also stored in the root folder of the same cloudfront storage.

Here is the brief of my observations:

• Upload functionality at careers page should accept only pdf and doc file but it is accepting any type of file.
• Profile pictures of users and CVs uploaded through careers pages are stores in root folder of same cloudfront storage.
• File name of the file uploaded through careers page is not renamed before uploading it. and name of the file remains same.

Game begins from here:

I downloaded a random picture from google and changed the name of that picture to “randomnumber_IMG_randomnumber.jpeg” (randomnumber_IMG_randomnumber.jpeg is the image name of profile picture of that random user mentioned above.) and simply uploaded randomnumber_IMG_randomnumber.jpeg using the upload functionality available at careers page.

Uploaded picture with the same name as profile picture name.
Profile of random user before uploading picture.

Visited the profile of that random user but still profile picture not changed 😑, But then I realized the web page was cached in the browser😅. I quickly opened the website in incognito mode and visited that random user’s profile.

Guess what, Profile picture was changed with my uploaded picture.😁

Profile picture of random user changed after uploading picture.😎

Wait…It’s not over yet.

The web application also has a functionality where users can shop.
Picture of all products were also stored in the root folder of same cloudfront and by repeating above steps I was also able to change the picture of any product available in shop.

Before.
Uploading a picture with same name as product image name.
After.

Revision Time:

Steps to Reproduce:
1. Visit any user’s profile and copy profile picture location.
2. Paste it on any text editor and copy image name.
3. Rename picture you want to change with target user’s profile picture to the copied image name.
4. Go to https://target.com/careers and upload the picture.
5. Refresh the target user’s profile or open target user’s profile in incognito mode and observe that profile picture of target user is change with picture of your choosing.

Root cause:
Application does not check for valid file type and it does not check if file with same name is already in cloudfront storage and simply overwrite it.

Hope you enjoyed the story. If you have any questions of suggestions reach me through instagram, twitter or linkedin.

Happy Hunting. :-)

Instagram: @street_of_hacker

Twitter: @streetofhacker

LinkedIn: Rohit Soni

I am just a random bug bounty hunter who is Passionate about learning more and more….🔥