Hi everyone, how are you all doing? In this article I'm going to talk about a CR/LF injection bug I discovered in a private program, which I'll refer to as ExaHub, that earned me a $1,500 bounty.
Understanding CR/LF (Carriage Return/Line Feed) Injection
CR/LF (Carriage Return/Line Feed) injection is a class of security vulnerability. CR/LF refers to a sequence of two ASCII control characters: Carriage Return (CR, ASCII code 13) and Line Feed (LF, ASCII code 10). In text files they mark the end of a line; in HTTP they are the line terminator between headers, and an empty line (CR/LF CR/LF) ends the header block. A CR/LF injection vulnerability occurs when an application copies attacker-controlled input (a form field, a filename, a file upload's metadata) into such a line-oriented context without removing or encoding these characters. In an HTTP response this lets the attacker terminate the current header early and append headers of their own (HTTP response splitting), and with a second CR/LF pair even supply body content, which can lead to cookie manipulation, forced logout, or cross-site scripting. The same trick can be used to alter log entries or file content.
Understanding the target: Exahub
ExaHub (virtual name of the private program) is a platform tailored for enthusiasts and professionals alike who work with the Exa programming language. Exa, a high-level programming language renowned for its speed and performance, has gained significant traction in fields like scientific computing, machine learning, and data science. ExaHub serves as a centralized hub where users can access a range of resources, collaborate on projects, and leverage tools tailored to the Exa ecosystem. From project management to data visualization, ExaHub provides a suite of features designed to streamline development workflows and foster community engagement.
Understanding the Issue:
The vulnerability identified in ExaHub revolves around CR/LF injection through file uploads. The filename supplied in the upload request is stored without validation and later reflected, unencoded, in the Content-Disposition header of the download response. A filename that contains CR/LF therefore lets an attacker append arbitrary response headers, which can be used to manipulate cookies and force other users to log out. The root cause is inadequate input validation during the file upload process.
Steps to reproduce:

1. Log in to your ExaHub account.
2. Navigate to the "Files" section.
3. Upload a file and intercept the upload request in a proxy.
4. In the multipart Content-Disposition header of the request, append the payload %0AClear-Site-Data%3A%22cookies%22%0A to the filename.
5. Send the modified request, then download the uploaded file. The download response's Content-Disposition header now carries the injected Clear-Site-Data line.
6. Any other user who downloads the file receives Clear-Site-Data: "cookies" and is locked out, because the browser wipes the site's cookies. Browsers honour Clear-Site-Data only on responses delivered over HTTPS.

Forced logout is just one of several things this CR/LF injection can be used for.

Potential Exploits:
Apart from forced logout and session disruption, an attacker can use the same injection point to set cookies in other users' browsers with a payload such as %0ASet-Cookie%3A+crlfinjection%3D+value+ , or turn the download into a reflected XSS with a payload such as:

• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E

Here the doubled %0d%0a ends the header block, so everything after it is rendered as an HTML body; the empty Location header neutralises any redirect, and X-XSS-Protection: 0 only mattered for browsers that still shipped an XSS auditor. With script running in the victim's origin, the attacker can hijack sessions, gain unauthorized access, or carry out other malicious actions.
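To make the mechanism from the explanation above and the reproduction steps concrete, here is an added example (written for this article, not ExaHub's code) that models a download handler which pastes the stored filename straight into Content-Disposition, shows what a lenient client sees when the filename carries the write-up's Clear-Site-Data payload, and contrasts it with a hardened handler. It assumes the server stores the percent-decoded filename and reflects it verbatim; the filename, payload wrapper and response lines are constructed for the demonstration.

```python
import re
from urllib.parse import quote, unquote

# The write-up's payload exactly as it was appended to the multipart filename.
# %0A is a bare line feed, %3A is ':', %22 is '"'.
PAYLOAD = '%0AClear-Site-Data%3A%22cookies%22%0A'

# Constructed example filename: an ordinary name with the payload appended.
# Assumption: the server stores the percent-decoded value and reflects it
# verbatim in the download response, as the write-up describes.
ATTACKER_FILENAME = 'report.txt' + unquote(PAYLOAD)

_CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def vulnerable_download_headers(stored_filename: str) -> bytes:
    """Serialize a download response's header block the naive way: the stored
    filename is interpolated straight into Content-Disposition."""
    lines = [
        'HTTP/1.1 200 OK',
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="%s"' % stored_filename,
    ]
    return ('\r\n'.join(lines) + '\r\n\r\n').encode('latin-1')


def hardened_download_headers(stored_filename: str) -> bytes:
    """Same response, but control characters are refused outright and the name
    is carried in an RFC 6266/5987 filename* parameter (percent-encoded) with
    an ASCII-only fallback, so user input can never become a line break."""
    if _CONTROL_CHARS.search(stored_filename):
        raise ValueError('filename contains control characters')
    fallback = ''.join(
        c if 0x20 <= ord(c) < 0x7f and c not in '"\\' else '_'
        for c in stored_filename
    )
    encoded = quote(stored_filename, safe='')  # CR/LF would become %0D/%0A
    disposition = 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (fallback, encoded)
    lines = [
        'HTTP/1.1 200 OK',
        'Content-Type: application/octet-stream',
        'Content-Disposition: ' + disposition,
    ]
    return ('\r\n'.join(lines) + '\r\n\r\n').encode('latin-1')


def parse_header_block(raw: bytes) -> dict:
    """Lenient header parser, modelled on browsers that accept a lone LF as a
    line terminator. Returns {lowercased-name: [values]}; lines without a colon
    (such as the stray closing quote the injection leaves behind) are dropped."""
    head = raw.decode('latin-1').partition('\r\n\r\n')[0]
    _status_line, *lines = re.split(r'\r?\n', head)
    headers: dict = {}
    for line in lines:
        if ':' not in line:
            continue
        name, _, value = line.partition(':')
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


if __name__ == '__main__':
    seen = parse_header_block(vulnerable_download_headers(ATTACKER_FILENAME))
    print('vulnerable handler emitted:', seen.get('clear-site-data'))  # ['"cookies"']
    try:
        hardened_download_headers(ATTACKER_FILENAME)
    except ValueError as exc:
        print('hardened handler refused:', exc)
```

The hardened handler does two independent things on purpose: rejecting control characters closes this bug, while the percent-encoded filename* parameter means that even a future bypass of the check (a different control character, a Unicode line separator after normalisation) cannot reach the wire as a raw line break. Using the same strict serialiser for every header that carries user input, not just Content-Disposition, is the general fix.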
Response and Resolution:
Upon reporting the issue, the ExaHub security team promptly acknowledged it and began working on a fix. The report was initially triaged as critical and, after further analysis, settled at high severity. As a token of appreciation for the responsible disclosure, ExaHub awarded a $1,500 bounty.
Takeaway:
Always be thorough in your testing and try injecting various payloads, including special characters like CR/LF. You never know what vulnerabilities you might uncover, and by testing comprehensively, you can discover and address potential security risks before they can be exploited by malicious actors. Remember, thorough testing is key to ensuring the security and integrity of your systems and applications.
Find me on Twitter: @a13h1_