A zero day for the government’s “demo servers” and internal networks

fopwn
Martian Defense Cybersecurity


Hey all, it’s been a long time since I last posted, and much has happened (multiple P1s on various programs :)). Yet here we are once again, with another 0day that will remain unpatched for eternity.

Let me introduce you to a wonderful piece of software called IMAGEhost by the Crowley Company. This is likely something none of you have heard of before, and we're in the same boat: I hadn't heard of it either until it popped up on one of my routine gov cloud searches. (Yes, I'm kind enough to share this with you.)

the aws gov cloud (pandora’s box of bug bounty)

Every major cloud provider wants to host government services, because that means government contracts. AWS GovCloud (US) exists for exactly that: the us-gov-west-1 and us-gov-east-1 regions are isolated from the commercial regions and accredited for regulated workloads (FedRAMP High, DoD impact levels, ITAR) such as Controlled Unclassified Information. Classified data is not what lives here; that goes to separate regions built for it.
For an introduction, check out Amazon's own article on the AWS GovCloud (US) infrastructure.

A hardened region doesn't make the applications deployed into it secure, though: the tenant's code is still the tenant's problem. And this is where we enter the lovely dark realm of "Can this be reported to the DoD VDP or CISA?"

Well…

In the end, it depends on whether you can find a concrete reference to that agency, its data, its employees, etc. Most of the time you will land on contractor servers, so be on the lookout for indicators such as references to .mil sites in JavaScript files, login banners, or seals of agencies and branches of the armed forces. There were many instances where triage and I went back and forth to pin down concrete indicators of association. Be diligent; you will very often find something nifty.

“Now notnci, what does this have to do with a 0day?”, you may ask, and I will answer: everything.

what you actually came for

Now that we have a better understanding of what the gov cloud is and how to approach it, let's figure out how to find the hosts there. Once again, our handy dandy internet search engine Shodan will be our savior. Below are two prebuilt queries that return web-accessible hosts in the two GovCloud regions.

https://www.shodan.io/search?query=cloud.region%3A%22us-gov-east-1%22+200
https://www.shodan.io/search?query=cloud.region%3A%22us-gov-west-1%22+200

Notice how short that query is? That's because Shodan tags hosts it can attribute to a cloud provider and exposes cloud.provider, cloud.region and cloud.service as filters, so cloud.region does the heavy lifting here. The same filter can be combined with storage-related searches to hunt regionally for open buckets, but you know me, I will happily explain that some other time.

The 200 is nearly self-explanatory, with one caveat: a bare 200 is a free-text term, not a filter, so it matches any banner containing "200", which in practice is the HTTP/1.1 200 OK status line. If you want only that, http.status:200 is the explicit filter.
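To make the two searches above and the "look for .mil references, seals and banners" advice repeatable, here is an added example (my own code, not from the post or from Shodan) that builds the same query strings and triages a JSON-lines banner export of the kind `shodan download` / `shodan parse` produce. The banner field names (cloud.region, http.status, http.html, hostnames) follow Shodan's banner schema as I know it, and the four sample banners are constructed, not real hosts.

```python
import json
import re
from urllib.parse import quote_plus

# Added example, not from the post. Builds the GovCloud queries and triages a
# Shodan JSON-lines export for 200-responding GovCloud hosts, then tags each hit
# with the association indicators the post tells you to look for.

GOV_REGION_PREFIX = "us-gov-"  # assumption: GovCloud regions are the only us-gov-* regions


def build_query(region: str, explicit_status: bool = False) -> str:
    """Query for web hosts in one GovCloud region. A bare 200 is a free-text term
    matched against the banner; http.status:200 says the same thing explicitly."""
    status = "http.status:200" if explicit_status else "200"
    return f'cloud.region:"{region}" {status}'


def search_url(query: str) -> str:
    """Encode the query the way the Shodan web UI does (space -> +, : -> %3A)."""
    return "https://www.shodan.io/search?query=" + quote_plus(query)


# Indicators that a contractor box is fronting a DoD/federal system.
ASSOCIATION_HINTS = {
    "mil_reference": re.compile(r"\b[\w.-]+\.mil\b", re.I),
    "agency_seal": re.compile(r"""(?:seal|emblem)[^"']*\.(?:png|svg|gif)""", re.I),
    "dod_banner": re.compile(
        r"department of defense|\bdod\b|u\.?s\.? (?:army|navy|air force|marine|space force)", re.I),
    "cui_marking": re.compile(r"\bCUI\b|controlled unclassified", re.I),
}


def is_gov_cloud_web_hit(banner: dict) -> bool:
    """Mirror the query: a GovCloud region and an HTTP 200 banner."""
    region = (banner.get("cloud") or {}).get("region") or ""
    status = (banner.get("http") or {}).get("status")
    return region.startswith(GOV_REGION_PREFIX) and status == 200


def association_hints(banner: dict) -> list:
    """Names of the indicators present anywhere in the banner's text fields."""
    http = banner.get("http") or {}
    parts = [http.get("title"), http.get("html"), http.get("server"),
             banner.get("data"), " ".join(banner.get("hostnames") or [])]
    text = " ".join(p for p in parts if p)
    return sorted(name for name, rx in ASSOCIATION_HINTS.items() if rx.search(text))


def load_banners(jsonl: str) -> list:
    """Parse a JSON-lines export, one banner per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage(banners: list) -> list:
    """Keep GovCloud 200s and annotate each with its association hints."""
    hits = []
    for b in banners:
        if not is_gov_cloud_web_hit(b):
            continue
        hits.append({
            "ip": b.get("ip_str"),
            "port": b.get("port"),
            "region": b["cloud"]["region"],
            "title": (b.get("http") or {}).get("title", ""),
            "hints": association_hints(b),
        })
    return hits


# Constructed sample export: none of these are real hosts.
SAMPLE_BANNERS = [
    {   # GovCloud, 200, clear DoD indicators in the page
        "ip_str": "192.0.2.10", "port": 443, "hostnames": ["demo.contractor.example"],
        "cloud": {"provider": "Amazon", "region": "us-gov-west-1", "service": "EC2"},
        "http": {"status": 200, "title": "Records Portal",
                 "html": '<script src="https://static.example.mil/app.js"></script>'
                         '<img src="/img/dod-seal.png" alt="Department of Defense">'},
    },
    {   # GovCloud but redirects, so the query would not return it
        "ip_str": "192.0.2.11", "port": 80,
        "cloud": {"provider": "Amazon", "region": "us-gov-east-1"},
        "http": {"status": 302, "title": "", "html": ""},
    },
    {   # commercial region: out of scope even though it mentions .mil
        "ip_str": "192.0.2.12", "port": 443,
        "cloud": {"provider": "Amazon", "region": "us-east-1"},
        "http": {"status": 200, "title": "Blog", "html": "mentions example.mil"},
    },
    {   # GovCloud, 200, nothing tying it to an agency yet
        "ip_str": "192.0.2.13", "port": 8443,
        "cloud": {"provider": "Amazon", "region": "us-gov-west-1"},
        "http": {"status": 200, "title": "Login", "html": "<form>...</form>"},
    },
]
SAMPLE_JSONL = "\n".join(json.dumps(b) for b in SAMPLE_BANNERS)

if __name__ == "__main__":
    for region in ("us-gov-east-1", "us-gov-west-1"):
        print(search_url(build_query(region)))
    for hit in triage(load_banners(SAMPLE_JSONL)):
        print(hit)
```

The hints are a starting point for the back-and-forth with triage, not proof: a hit with an empty `hints` list still needs manual digging (JS bundles, robots.txt, certificate SANs) before you claim an agency association.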

so what about this fancy schmancy 0day?

I'm glad you asked. Another login page XSS, another error-message-based XSS. Why are we still writing error messages straight from query parameters into the page, unencoded, in 2022? I don't know, I don't care; it looks like just another XSS 0day for my collection.

here is what happened

Easy: find yourself an IMAGEhost server. Shodan can list the exposed ones by favicon (hash the icon the way Shodan does and search http.favicon.hash:<value>); let's pick the one on the gov cloud from my initial finding.

https://demo.govcloud.hostedarchives.com/imagehost/

I initially tried to log in with basic admin/admin credentials since it was a demo, and noticed that I got redirected to an interesting error page.

Huh, it seems the error message is taken straight from the URL and written into the HTML as-is. As any bug hunter would do, I placed a nice little XSS payload in there.

Cha-ching! (or not, in this case), our XSS popped! The best part is that the site auto-redirects right afterwards, so the error page and the payload are gone before the victim gets a look at them, which makes a cookie-stealing payload easy to hide (as long as the session cookie isn't HttpOnly, which would keep it out of document.cookie).
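For anyone who wants the pattern in code rather than prose, here is an added example of mine, not IMAGEhost's code: the bug class described above (an error message pulled from the query string and written into the page, followed by an auto-redirect) next to a fixed version, plus the canary check I use to confirm a parameter reflects unencoded before bothering with a real payload. The parameter names `msg` and `err`, the redirect target and the page markup are made up; the post does not give IMAGEhost's actual parameter.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Added example, not vendor code. Vulnerable vs. fixed error page, and a probe
# that tells the two apart. All names below are hypothetical.

LOGIN_PATH = "/imagehost/"  # hypothetical redirect target


def _param(url: str, name: str) -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_error_vulnerable(url: str) -> str:
    """Reflects ?msg= straight into HTML: reflected XSS. The meta refresh then
    sends the browser on, so the page (and the payload) is gone before the user
    looks at it."""
    msg = _param(url, "msg")
    return ("<html><body><p class='error'>" + msg + "</p>"
            f"<meta http-equiv='refresh' content='2;url={LOGIN_PATH}'></body></html>")


ERROR_TEXT = {  # allow-list: the client picks a code, the server owns the wording
    "bad_credentials": "Invalid username or password.",
    "session_expired": "Your session has expired. Please sign in again.",
}


def render_error_fixed(url: str) -> str:
    """Map ?err= to server-side text, and still HTML-encode on output."""
    code = _param(url, "err")
    msg = ERROR_TEXT.get(code, "An error occurred.")
    return ("<html><body><p class='error'>" + html.escape(msg, quote=True) + "</p>"
            f"<meta http-equiv='refresh' content='2;url={LOGIN_PATH}'></body></html>")


CANARY = 'zq7"\'<>zq7'  # harmless marker carrying every character that matters in HTML


def reflected_unencoded(body: str, canary: str = CANARY) -> bool:
    """True when the canary came back byte-for-byte, i.e. no output encoding."""
    return canary in body


def probe(render, base_url: str, param: str) -> dict:
    """Send the canary through `render` (stand-in for an HTTP GET) and report
    whether it reflected raw, reflected encoded, and whether the page redirects."""
    body = render(f"{base_url}?{param}={quote(CANARY, safe='')}")
    return {
        "raw_reflection": reflected_unencoded(body),
        "encoded_reflection": html.escape(CANARY, quote=True) in body,
        "auto_redirect": "http-equiv='refresh'" in body,
    }


if __name__ == "__main__":
    target = "https://target.example/imagehost/error"  # hypothetical
    print("vulnerable", probe(render_error_vulnerable, target, "msg"))
    print("fixed", probe(render_error_fixed, target, "err"))
```

`html.escape` is the right tool for an HTML body or attribute context; if the message were instead dropped into a script block or an event handler, entity encoding alone would not be enough and the fix would be to not put user input there at all. The allow-list is the more important half of the fix: once the client can only pick a code, there is no attacker-controlled string to encode in the first place.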

disclosure timeline because i’m a responsible hacker

I emailed the vendor on September 26th, as soon as I found a contact point. I submitted the issue to CERT/CC via VINCE on October 3rd, and they decided not to coordinate the case. I sent the vendor a follow-up on October 20th, still without response. As of November 7th there is still no response from the vendor, and I doubt there ever will be after this is published.

VINCE supported public disclosure after the 90 day response period. As of 2/2/23, there has been no response from the vendor.

I hope you enjoyed this little article and my second 0day to date. Thanks to everyone who reads these! There’s for sure more to come in the future.
