How I hacked redbus [An online bus-ticketing application]

Sangeetha Rajesh S
Sep 12 · 5 min read

[I drafted this writeup 2 years ago. As the patch took a long time, I'm posting it now.]

It was a usual fresh and sleepy Monday morning. I reached my desk and started checking mails.

😴 A few minutes passed...

☎️ My phone rang...

I thought it was the usual call from customer care. No. It was my mom (one of the only two souls who call me daily 😅). She called to remind me about booking tickets for the weekend. That's how it all started.

I booked the tickets, finally reached the confirmation page and clicked on something I had never clicked before: the “Print/Download” link.


On clicking the link, I was redirected to another subdomain, “pdf.redbus.com”, which displayed the PDF version of my ticket.


One important thing that got my attention was “PD4ML”. The name (PD-4-ML) itself says it's a library for something, and the most obvious guess is a PDF generation library. But wait. How come it shows the PDF without any ticket ID or equivalent identifier as a parameter 🤔? So I just went back to the previous page and monitored all the requests triggered after clicking the “Download” link.

Here's what I got:


So this is how they generate the PDF: from HTML content to PDF. First, to verify that the server makes an external call during the transformation, I tried the following tag:

<img src="http://listener.myserver.com">

Woot. 😃 I got a request from a Java user agent. Obviously that was from the redbus PDF server.


Next I tried the iframe tag to check whether it would load local files into the frame. All I got was a blank response. 😐


I googled whether pd4ml supports JavaScript (for dynamic pages). The answer is NO!
Without giving up, I started looking at the pd4ml documentation. What I found was that the iframe tag is not supported by pd4ml, and some other tags like object and applet are not supported either.

Now what 😕. I scrolled down the documentation page and found this interesting thing called “Proprietary tags”.

I started experimenting with the <pd4ml:attachment> tag. As per the documentation, it is used to embed attachments in the PDF. Now that sounds interesting 😉. The tag expects a “src” attribute pointing to the attachment.

I simply modified the tag like this:

<pd4ml:attachment src="file:///etc/passwd"></pd4ml:attachment>

Voila 😲.


At this point I had confirmed the arbitrary file read vulnerability. But I wasn't very satisfied with the passwd file, so I dug further.
Fortunately, I could see the directory names too, so it was easy to jump between directories.

partially redacted private key file

Now that looks like some real stuff 👻: SSH private keys, config files with database passwords, and a mysql_history with some juicy information 😜.

And the other users' PDF tickets should be here somewhere 🤔.

With arbitrary file read in hand, I checked the source of index.jsp and found exactly where the PDF files are stored.

I went to the directory and finally got this. 😍


It's not about the PDFs. It's about the ticket IDs you get 😉

With a ticket ID, any authenticated user could extract PII like email, mobile number, age, DOB (if available), etc.

partially redacted response

Takeaways:

For bug hunters:
Always look at the documentation once you have deduced the backend library from your recon.

For developers:

Here's the config you need to add to whitelist the local directories or remote resources the converter is allowed to load:

// Only resources under these locations may be fetched during rendering
Map m = new HashMap();
m.put(PD4Constants.PD4ML_ALLOWED_RESOURCE_LOCATION, "http://server/webapp,file:/my/safe/file/folder");
pd4ml.setDynamicParams(m);
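The converter-side allowlist above is the real fix; as an added defence-in-depth example (my code, not redbus's or PD4ML's), the check below applies the same allowlist idea to the ticket HTML before it is handed to the converter, catching the two probes described in this write-up. BASE_URL, ALLOWED and the sample HTML are constructed assumptions.

```python
"""Pre-render resource allowlist for HTML handed to an HTML-to-PDF converter.
Mirrors the intent of PD4ML's PD4ML_ALLOWED_RESOURCE_LOCATION: every resource
reference (img src, pd4ml:attachment src, link href, ...) must resolve under an
allowlisted prefix or the document is refused. BASE_URL, ALLOWED and SAMPLE are
constructed assumptions, not redbus's or PD4ML's configuration."""
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BASE_URL = "http://server/webapp/"  # relative references resolve here
ALLOWED = ("http://server/webapp/", "file:///my/safe/file/folder/")  # keep trailing '/'
RESOURCE_ATTRS = {"src", "href", "background", "data"}  # attributes a converter fetches

class _RefCollector(HTMLParser):
    """Collect (tag, reference) pairs, proprietary tags like pd4ml:attachment included."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in RESOURCE_ATTRS and value:
                self.refs.append((tag.lower(), value.strip()))

def normalize(ref):
    """Resolve against BASE_URL, lower-case scheme and host, collapse '..' so the
    prefix check cannot be bypassed with traversal or case tricks."""
    parts = urlsplit(urljoin(BASE_URL, ref))
    path = posixpath.normpath(parts.path) if parts.path else "/"
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops trailing slashes; a prefix needs it back
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"

def is_allowed(ref):
    norm = normalize(ref)
    return any(norm.startswith(normalize(prefix)) for prefix in ALLOWED)

def find_violations(html):
    """Return every (tag, ref) the converter would fetch from outside the allowlist."""
    collector = _RefCollector()
    collector.feed(html)
    return [(tag, ref) for tag, ref in collector.refs if not is_allowed(ref)]

# Constructed ticket HTML carrying the two probes described in the write-up.
SAMPLE = """<html><body><img src="logo.png">
<img src="http://listener.myserver.com">
<pd4ml:attachment src="file:///etc/passwd"></pd4ml:attachment>
<pd4ml:attachment src="file:///my/safe/file/folder/../../../../etc/shadow"></pd4ml:attachment>
</body></html>"""
```

Run find_violations() on the HTML before calling the converter; a non-empty result means the render should be refused and the request logged.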

Timeline:

  • [October 15, 2018] Issue reported to redbus.

Over the course of this journey, I noticed that the guy who was handling this case got promoted to senior security engineer. Congrats mate! 😃 That was one looooong ride!

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Sangeetha Rajesh S

Written by

In ❤ with InfoSec
