RCE in nokia.com

As I explained in my previous post, I like to find and read various bug bounty writeups, so I love Pentester Land. So, I was just browsing through bug bounty writeups and found a report on Nokia. I didn’t know Nokia also had a bug bounty, so I decided to give it a try. I like to use https://yandex.com to search for subdomains before using https://google.com or https://duckduckgo.com because I think Yandex provides more exotic subdomains than Google or DuckDuckGo for a bug bounty hunter.

So, I decided to use Yandex to search for subdomains using the site operator. After some scrolling I discovered http://emop.ext.net.nokia.com. It had a login prompt and looked really old, so I thought maybe there were some vulnerabilities here. I like to use nikto to discover vulnerabilities on such websites, so I always use https://suip.biz/?act=nikto to scan for vulnerabilities using nikto. I absolutely love https://suip.biz because there are various tools like nikto, whatweb and sqlmap which can be used online thanks to it. I decided to use nikto and whatweb on the Nokia subdomain and found that it was a Drupal site. I immediately decided to check the version of Drupal, and it turned out it was vulnerable to various vulnerabilities like Drupalgeddon.

So, I decided to send a report to security-alert@nokia.com, and within two weeks I received a message asking for my name to be featured in the hall of fame. So, I decided to visit the Nokia white hat page, and it turned out it updates its page based on the month. So, I will probably be featured in the hall of fame after the end of this month.

The things I would like you to take away from this post are described below.

  1. Always, always read bug bounty writeups and completely stalk a researcher you love on every social media platform you can find him/her on, to find every tip and piece of knowledge s/he would provide.
  2. Use suip.biz because it provides great tools, and as it’s completely free, more people should find and use it.
  3. Use Yandex before Google or DuckDuckGo because in my opinion it provides subdomains which can be more vulnerable and useful for a bug bounty hunter.
  4. If you read more bug bounty writeups, then, just like I automatically decided to check this subdomain, you will understand which subdomains might be more vulnerable and which should be tested more than other subdomains. You will automatically decide to check for CSRF or IDOR after browsing a page because it will give you a feeling that it might be vulnerable to it, and you will be more right about it than wrong.