DrawElements (Google Acquisition) – LFI, XSS, CSRF, Shell Upload - Bounty Donated!

Unlike other articles I publish, this is going to be a public complaint against Google Security about their payment.

Update: I decided to donate the bounty (it doesn't look like it was meant for me) to a school project at Welkite, Ethiopia. Thanks to Nils Jünemann for the inspirational post where he donated his bounty, $2,600 USD, originally $1,300 USD (since Google doubles donations).

It is an interesting thing to donate; it makes your life easier, somehow. Also the project was a great one, and I live in Ethiopia too ;-)

"At this school there is a lack of fundamental supply of water, toilets and electricity. Because there are barely any educational books, school materials and furniture (see photos), sufficient school education isn’t possible.

Welkite is 180 km away from the capital city Addis Ababa. At this elementary school approximately 750 children go to grades one to eight. The classrooms do not have enough room and benches for the 80 children per grade to sit. Often four to five children have to share a seating bench. Most of the children have to walk 45 minutes to one hour to get to school. At this school there is no access to water, electricity and enough adequate toilets."

Like every story, this happened a long time ago, actually about 3 weeks ago. Anyhow, while trying to find a forgotten Google acquisition from the Google acquisition list here, I came across DrawElements.

DrawElements’ technology lets developers test various GPUs across mobile devices. And since Google’s Android platform is used by lots of different hardware (each with its own set of GPU parameters), DrawElements should prove very useful for the company.

“We’re excited to announce that we’re joining Google. Thanks to everyone who has helped us along the way; we’re grateful for your support,” DrawElements said in a statement. “Over the next few months, we’ll be working with our colleagues on the Android team to incorporate some of our technology into the compatibility test suite. Stay tuned!”

So, I started enumerating http://drawelements.com and came across an interesting link, with no brute-force protection: http://drawelements.com/admin. Not long after, I figured out the site was using a CMS called “CMS Made Simple”. I was surprised to see that the search engine giant, Google, doesn’t have sufficient programmers to code a simple site instead of using an open source CMS.

Clearly, my next move was searching for exploits for the CMS. To my surprise, DrawElements never updated their CMS from the 2009 version, and I am also surprised that neither other bounty hunters nor Google ever noticed (~5 years).

Unlikely for Google, the CMS was screwed! Even in the most recent version there are 0days, multiple XSS and upload bugs. Imagine the version that never got updated since 2009 (wow!). I myself uncovered a persistent XSS in the recent version’s admin panel (waiting for it to get patched).

At the time of writing, drawelements.com is offline (either applying a fix or consulting on a migration). Unfortunately, I didn’t capture PoCs (shitty me), but you can confirm this using the web archive: http://web.archive.org/web/20140802131540/http://www.drawelements.com/ That page was cached around Aug 17, 2014. In the source code, I am sure you can notice the CMS Made Simple crap with its version.

So a simple Packet Storm search revealed multiple exploits for this CMS, namely LFI, XSS and CSRF, at http://packetstormsecurity.com/search/?q=CMS+made+simple. Great! Let’s start testing. If Google patched them (I was so sure they did)... they didn’t! Everything worked!

Report time. I submitted this using their VRP program. I got the following mail:

Oh, great! "Nice catch!" This means I am gonna loot some time soon. Unfortunately, I did not loot like I expected I would. This is what I got:

WTF? An LFI on their acquisition and I am getting $100? This doesn't seem fair. And it isn't! Because let's be reasonable,

You can see, per their payment table, I should get paid ~$1,337 at minimum and ~$5,000 at max (was hoping for max). The great thing is it got me a great spot in the Google Security Hall of Fame.

Clearly, some things aren't meant for you, so I decided to donate the net bounty ($100); Google will match the bounty, doubling it. So I should soon be able to donate $200 to the school.

Update from Google Security:

"Hey,

Thanks for deciding to donate your bounty, we will match the contribution and I'll send you the receipt once I take care of that.

In regards to the scope question, the issue is not that the software being run is developed by a third-party, but about where it's hosted (not on Google infrastructure).  The laws around responsible disclosure and vulnerability research vary across jurisdictions, and this is a restriction based on the fact that we (Google) cannot authorize you to perform any security testing on a service or product that we don't completely own/control.  It's a bit of a gray area with colocated services and shared webhosts, and in those cases, we limit the scope to the parts of the application we can legally authorize researchers to test (in this case, the web-app only, as the hosting and lower layers don't belong to us)."

Now the world is clear: Google tries to find every reason why a vulnerability isn't sufficient for a reward (unlike Facebook, who does the reverse!).

There is another school project from Bessere Zukunft e.V. in East Africa. Do you want to donate too? Do it here.

Lesson:

Facebook hunting shall continue! **** Google Security! But hey, I am still thankful, because this was mostly luck!

Conclusion:

Stay the **** away from CMSs, especially if you care about customer security. Open source has never been so safe: 0days everywhere!
