Apple paid a $50,000 bounty to two bug bounty hunters for hacking its hosts

A duo of white hat hackers claims to have earned $50,000 from Apple for reporting serious flaws that allowed them to company’s servers.

The Indian white hat hackers Harsh Jaiswal and Rahul Maini claim to have discovered multiple flaws that allowed them to access Apple servers.

The duo started focusing on Apple’s infrastructure in an attempt to emulate the success of a team of researchers composed of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes that reported a total of 55 flaws to Apple in October as part of the company bug bounty program and received for these issues 32 payrolls for a total of $288,500.

The two experts focus on critical findings such as PII exposure or getting access to Apple’s servers or internal network.

While conducting reconnaissance and fingerprinting the experts found three Apple hosts running a content management system (CMS) backed by Lucee, which is a dynamic, Java-based, tag and scripting language used for rapid web application development. The three hosts are:

• https://facilities.apple.com/ (Recent version)
• https://booktravel.apple.com/ (Older version)
• https://booktravel-uat.apple.com/ (Older version)

The hosts were exposing the Lucee admin panel, two of them were running an outdated version. The hosts with the outdated version were exposing travel portals implemented by Apple to its employees.

Even if the outdated versions were affected by security flaws, the experts pointed out that Apple was using WAF to mitigate the attacks against its applications.

The security duo discovered a misconfiguration in Lucee that could be exploited to access files without being authenticated, opening the door to the creation of a webshell on Apple servers and execute arbitrary code.

“While testing out Lucee locally, we came across a critical misconfiguration which allowed an attacker to access authenticated CFM (ColdFusion) files directly. This allowed us to perform a lot of authenticated actions while being completely unauthenticated. As soon as you hit the request.admintype variable/property in a CFM file, the execution flow will stop as we’re not authenticated as admin. However, any code before that check executes.” reads the post published by the bug bounty hackers. “So we had to find files that had some sort of bug before they hit request.admintype. We made use of these three files to gain a complete pre-auth/unauth RCE on a Lucee installation:

• imgProcess.cfm (not available in older versions)
• admin.search.index.cfm
• ext.applications.upload.cfm”

The experts provided technical details of their activity, they explained how they avoided triggering Apple’s web application firewall and got a shell on the 2 hosts.

Jaiswal and Maini shared their findings with Apple that awarded them a $50,000 bug bounty. The IT giant promptly addressed the issue, but requested the experts to not disclose the flaw before they make some other changes.

The development team behind Lucee also fixed the bug by restricting access to cfm files directly, here’s the commit link.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

[adrotate banner=”5″]

[adrotate banner=”13″]