Jive is software created by Jive Software which allows companies to roll out communities for either collaboration between partners and employees or customer service for customers. Many companies such as Google, Apple and Oracle have installations of Jive so the potential impact of finding a vulnerability in Jive is quite large.
I started the vulnerability discovery journey by looking for vulnerabilities in Google's web applications. I was made aware of the domain googleforwork.com after reading the following article by @soaj1664ashar. This article piqued my curiosity so I went looking. The web application I was looking at is located on connect.googleforwork.com, which is Google's installation of Jive, something I did not realise until I actually found the vulnerability.
Following my penetration testing procedure I started off by looking at webpages that unauthenticated users can see and it wasn't long until I landed on the following webpage -
This page immediately stood out since the parameter "tags" was passing its value directly into the source without any sanitisation, so we had our first reflection. Identifying a reflection usually involves checking the source code and seeing how the application handles special characters, but thanks to an innovative tool created by @brutelogic for @brutalsecrets subscribers I could confirm the reflection in a matter of seconds.
I began with some basic vectors but had no luck: the vectors were just reflected as a normal tag would be, so I tried some more abnormal tags and with the following "></option></select>< I got -
Well, that's odd isn't it?! Some of the source was now being reflected back in the tag so I just knew I was a step closer. Simply adding a vector that renders a prompt box after the current "></option></select>< did not work but while trying to get it to work I discovered the addition of <body/onpageshow=prompt()> broke me right out of the tag box.
Seeing this obviously made me grin ear to ear and adding one of my favourite vectors to the end of this gave us the one and only prompt box!
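The two steps above, confirming that special characters in the "tags" parameter come back unencoded and then breaking out of the <select>/<option> context with the page's own payload, can be reproduced against a stand-in template. The following is an added example, not Jive's code and not the author's tool: the template, the marker string and the helper names are constructed for illustration, and the only things taken from the post are the two payload fragments.

```python
import html
from html.parser import HTMLParser

# Hypothetical server-side template that reflects the "tags" parameter inside a
# <select>/<option> with no output encoding. This stands in for the vulnerable
# page; it is not Jive's markup.
TEMPLATE = '<select name="tags"><option value="{tags}">{tags}</option></select>'

# Payload fragments quoted from the post: the first closes the option and
# select, the second supplies an element with an event handler.
BREAKOUT = '"></option></select><'
HANDLER = '<body/onpageshow=prompt()>'
PAYLOAD = BREAKOUT + HANDLER

# Special characters an XSS reflection check cares about (constructed set).
CANARY_CHARS = '"\'<>'


def render_vulnerable(tags: str) -> str:
    """Reflect the parameter verbatim, as the vulnerable page did."""
    return TEMPLATE.format(tags=tags)


def render_fixed(tags: str) -> str:
    """Same template, but HTML-encode the value (quote=True also encodes ' and ")."""
    return TEMPLATE.format(tags=html.escape(tags, quote=True))


def unencoded_chars(markup: str, marker: str) -> str:
    """Return which of CANARY_CHARS came back verbatim right after `marker`.

    The probe sent to the server is marker + CANARY_CHARS; if the characters
    survive unencoded in the response, the parameter is reflected raw.
    """
    idx = markup.find(marker)
    if idx < 0:
        return ""
    start = idx + len(marker)
    tail = markup[start:start + len(CANARY_CHARS)]
    return "".join(c for c in CANARY_CHARS if c in tail)


class ElementCollector(HTMLParser):
    """Record every start tag and every on* attribute the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name, value))


def injected_handlers(markup: str):
    """Parse the rendered page and return (tag, attribute, value) for each on* handler."""
    collector = ElementCollector()
    collector.feed(markup)
    collector.close()
    return collector.event_handlers


if __name__ == "__main__":
    probe = "zz7"
    print("raw chars in vulnerable page:", unencoded_chars(render_vulnerable(probe + CANARY_CHARS), probe))
    print("raw chars in fixed page:     ", repr(unencoded_chars(render_fixed(probe + CANARY_CHARS), probe)))
    print("handlers in vulnerable page:", injected_handlers(render_vulnerable(PAYLOAD)))
    print("handlers in fixed page:     ", injected_handlers(render_fixed(PAYLOAD)))
```

The reflection probe is the cheap first check: if all four characters come back raw, the attribute and element contexts are both escapable. The parser check then shows why the breakout matters: in the unencoded render a <body> start tag with an onpageshow attribute exists in the DOM the browser builds, while html.escape with quote=True keeps the whole payload inside the value attribute as text.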
After getting super excited and sending a report to Google's security team I soon learnt that this web application was third party (Google's security report form actually tells you), but reports are obviously still of interest to Google so I sent the report and it was triaged shortly after. After the initial disappointment wore off I thought to myself that if it's third party and used by Google, lots of other companies must use it. I was right. Using Google hacking I soon found many other popular companies that were vulnerable to the same bug, even Jive Software themselves! Here are just some of the vulnerable domains -
After identifying that the company responsible for the software was Jive Software I immediately contacted them, as well as each individual company in case they wanted to patch much sooner, which a lot did. Some patched so quickly in fact that they were no longer vulnerable by the time I created this post, but I did manage to submit them to Open Bug Bounty beforehand. Some of the domains that were quickly patched (click on them to see OBB reports) include T-Mobile, Oracle, American Express, Activision, AMD, Shaw, RSA, HPE and Checkpoint.
11th of April 2016 - Vulnerability Discovered
11th of April 2016 - Vulnerability report sent to Jive Software
11th of April 2016 - Vulnerability report sent to affected companies
13th of April 2016 - Vulnerability acknowledged by Jive Software
19th of April 2016 - Patch released by Jive Software
I'd like to thank @soaj1664ashar for the blog post he created which enabled me to discover Google's installation of Jive and @brutelogic for his tool available to @brutalsecrets subscribers which allowed me to confirm the parameter reflection and encouraged me to dig deeper into that specific parameter.
Cameron Dawe, Spam404 Founder