Bug In UFC
UFC, the ultimate fighting championship, is a well-known and most famous MMA organizer in the world. I also love them and have many times been inspired by the stories of UFC fighters. But now let’s deep dive into an Information Disclosure bug which leads to the disclosure of some UFC key employees’ data.
I started with the exploration of the UFC website, and a good thing for me as a hacker on this site is that UFC does not have any Cloudflare protection or a strong WAF to block me again and again. So I continued with subdomain bruteforcing, then asset directory bruteforcing, then asset discovery, followed by subdomain bruteforcing, and then attack surface filtering. Now it took me a whole 1 day to reach this point, and now it’s time for some automated scans like nuclei.
I ran many combinations of templates but got no valid results. But wait! Am I dumb? I have Wappalyzer, so why not see what services/CMS/DBs/technologies are being used and run a targeted nuclei scan? So I stuck with this idea and invested another 2-3 hours to find this type of template and information about the technologies.
As you and I can both see, the website is made with Drupal CMS, so why not try Drupal templates in nuclei? I switched my gears to Drupal CMS and kept going, and after some time I discovered this:
<SNIP>
[aws-detect:aws-cloudfront] [http] [info] https://images.e.ufc.com
[aws-detect:aws-kms] [http] [info] https://images.e.ufc.com
[drupal-jsonapi-user-listing] [http] [medium] https://live.jp.ufc.com/jsonapi/user/user ["Jessica","Helder","vladimir.zdravkovic","agarrett","ufcpreview","admin","Legacy migration","Anton","ctashima","Travis","Bogdan","gporter","Hub import","content-admin","Steve","Zac","jcardenas","kgagnon","abawany","mjthomas","jko","tsantypal","denis.semerikov","rortuno","ckamerschak","bruce.clingan","mroth","andrei.colesnic","ufc","bjackson","ufctest","victor.ursu","McKenzie","Yext","kschuster","Brand","bbesabe","jgagnon@ufc.com","cvillegas","Christian","Anonymous","sean.monahan","andrew.chernous","Davi","rswire","Vinicius","sergiu.rosca","danielle.barthelemy@ffwagency.com","andriy.malyeyev","Aziz"]
[drupal-jsonapi-user-listing] [http] [medium] https://jp.ufc.com/jsonapi/user/user ["Legacy migration","Anton","rswire","denis.semerikov","Yext","kschuster","Brand","ctashima","jcardenas","Christian","Vinicius","ckamerschak","andrew.chernous","Bogdan","bruce.clingan","admin","jko","bbesabe","victor.ursu","danielle.barthelemy@ffwagency.com","mroth","sean.monahan","andriy.malyeyev","Anonymous","content-admin","Davi","jgagnon@ufc.com","kgagnon","Jessica","rortuno","andrei.colesnic","ufc","Travis","Steve","Zac","cvillegas","bjackson","ufcpreview","tsantypal","Aziz","ufctest","abawany","McKenzie","mjthomas","sergiu.rosca","Helder","vladimir.zdravkovic","Hub import","gporter","agarrett"]
[drupal-jsonapi-user-listing] [http] [medium] https://www.ufc.com/jsonapi/user/user ["Vinicius","denis.semerikov","ckamerschak","Aziz","Travis","jko","Jessica","ufctest","mjthomas","sean.monahan","kschuster","bjackson","bbesabe","ufcpreview","sergiu.rosca","mroth","andrei.colesnic","andrew.chernous","agarrett","admin","Hub import","ctashima","cvillegas","victor.ursu","rortuno","danielle.barthelemy@ffwagency.com","vladimir.zdravkovic","gporter","jgagnon@ufc.com","jcardenas","rswire","McKenzie","Brand","content-admin","Anton","andriy.malyeyev","Legacy migration","Davi","Bogdan","Zac","Christian","abawany","Helder","Yext","Steve","Anonymous","ufc","tsantypal","bruce.clingan","kgagnon"]
[drupal-jsonapi-user-listing] [http] [medium] https://kr.ufc.com/jsonapi/user/user ["ctashima","kgagnon","Jessica","Bogdan","tsantypal","bruce.clingan","vladimir.zdravkovic","Anonymous","ufc","cvillegas","Christian","Vinicius","ckamerschak","sergiu.rosca","rswire","admin","content-admin","gporter","jko","ufctest","victor.ursu","McKenzie","Legacy migration","Davi","Zac","jgagnon@ufc.com","bjackson","mroth","sean.monahan","Yext","Hub import","ufcpreview","abawany","denis.semerikov","Helder","danielle.barthelemy@ffwagency.com","andrei.colesnic","kschuster","Travis","Aziz","Steve","mjthomas","rortuno","andrew.chernous","agarrett","Anton","jcardenas","bbesabe","andriy.malyeyev","Brand"]
[s3-detect] [http] [info] https://images.e.ufc.com/%c0
<SNIP>
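The nuclei lines above are in the tool's human-readable format (`[template-id] [protocol] [severity] url [extracted values]`). As an added triage example, not part of the original writeup, the script below parses such lines, lists which hosts expose the Drupal `/jsonapi/user/user` collection, and flags any exposed account name that is itself an e-mail address, since that is the detail the writeup later leans on. The sample output and its account names are constructed, not the real scan results.

```python
import json
import re
from dataclasses import dataclass, field

# Matches nuclei's text output as shown in the writeup:
#   [template-id] [protocol] [severity] url [optional extracted JSON array]
NUCLEI_LINE = re.compile(
    r"^\[(?P<template>[^\]]+)\]\s+\[(?P<proto>[^\]]+)\]\s+\[(?P<sev>[^\]]+)\]\s+"
    r"(?P<url>\S+)(?:\s+(?P<extract>\[.*\]))?\s*$"
)

@dataclass
class Finding:
    template: str
    severity: str
    url: str
    extracted: list = field(default_factory=list)

def parse_nuclei_line(line):
    """Parse one nuclei text-output line; return a Finding, or None if it is not a finding."""
    m = NUCLEI_LINE.match(line.strip())
    if not m:
        return None
    extracted = []
    if m.group("extract"):
        try:
            extracted = json.loads(m.group("extract"))
        except json.JSONDecodeError:
            extracted = []  # keep the finding even if the extracted blob is malformed
    return Finding(m.group("template"), m.group("sev"), m.group("url"), extracted)

def audit_user_listing(lines):
    """Triage drupal-jsonapi-user-listing findings: which hosts expose the user
    collection, and which exposed account names are e-mail addresses."""
    exposed_hosts = set()
    email_usernames = set()
    for line in lines:
        f = parse_nuclei_line(line)
        if f is None or f.template != "drupal-jsonapi-user-listing":
            continue
        exposed_hosts.add(f.url.split("/")[2])  # host part of https://host/path
        email_usernames.update(u for u in f.extracted if isinstance(u, str) and "@" in u)
    return {"exposed_hosts": sorted(exposed_hosts), "email_usernames": sorted(email_usernames)}

# Constructed sample output with fictional hosts and account names.
SAMPLE_OUTPUT = """\
[aws-detect:aws-cloudfront] [http] [info] https://images.example.test
[drupal-jsonapi-user-listing] [http] [medium] https://www.example.test/jsonapi/user/user ["admin","jdoe","asmith@example.test","Anonymous"]
[drupal-jsonapi-user-listing] [http] [medium] https://kr.example.test/jsonapi/user/user ["admin","jdoe","asmith@example.test"]
[s3-detect] [http] [info] https://images.example.test/%c0
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(audit_user_listing(SAMPLE_OUTPUT), indent=2))
```

Any host in `exposed_hosts` needs the JSON:API user resource restricted (anonymous users should not be able to read user entities), and any name in `email_usernames` is worth renaming.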
And this is where the game changes… Now I have some usernames to do crazy stuff with!
Let’s navigate to https://access.ufc.com/ and test whether these usernames are valid or not. So I navigated to one of the crazy subdomains I found during subdomain enumeration.
After fuzzing and testing just 2-3 usernames from the above list, guess what? Most of them were still working, because when I clicked on Forgot Password, I was navigated to a new page.
From there, the user can use this feature and send a forgotten password link to the registered email. First I tried with the DoNotExistUsernames to check the application behavior. The application gives this error when any user tries to send a forgot password request with any username whose account was not registered:
And it gives this successful message when we use any username with prior registration and a valid active account.
It confirms which username is valid and which is invalid.
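The forgot-password page behaves as a username oracle because its two messages differ. As an added example (not code from the original post or from the site), the two handlers below show the leaky behaviour beside the fix: one generic message regardless of whether the account exists, with the e-mail sent only when it does. The user store, function names and messages are assumptions for the demo.

```python
# Constructed in-memory user store: username -> registered e-mail.
USERS = {"jdoe": "jdoe@example.test"}

GENERIC_MSG = "If an account matches that username, a reset link has been sent to its registered e-mail."

def reset_vulnerable(username, users=USERS, outbox=None):
    """Leaks account existence: the message differs for unknown vs. known usernames."""
    if username not in users:
        return "No account found for that username."
    if outbox is not None:
        outbox.append(users[username])  # simulate sending the reset e-mail
    return "A reset link has been sent to your registered e-mail."

def reset_hardened(username, users=USERS, outbox=None):
    """Same message either way; the e-mail is only sent when the account really exists."""
    if username in users and outbox is not None:
        outbox.append(users[username])
    return GENERIC_MSG

def is_oracle(handler):
    """True if the handler's response reveals whether a username is registered."""
    return handler("jdoe") != handler("does-not-exist")
```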
Moving forward to the further exploitation path, having valid usernames is of course not enough to prove any impact on the organization. So why not try to chain this thing with OSINT?
I shifted my pace to my mirror tool, basically a Telegram bot named @ShuklaLegacy_bot, used to find any leaks of usernames, emails, phone numbers, etc. At first, I used the jgagnon@ufc.com email, which is the only email included in the usernames. So I searched for the email jgagnon@ufc.com in the bot and found this data for that email:
But wait, what if I can append more @ufc.com to all the usernames and then try to research all of them in my bot? Because now I know the naming convention, I predicted this and appended @ufc.com to all the found usernames and found two more high-value valid employee emails. Then I re-sent those in my OSINT bot, and those are: aadeyanju@ufc.com and tsantypal@ufc.com.
Moreover, you can also see that the passwords and encrypted passwords are also leaked in some data leaks, which can be used against many platforms and bruteforced to check whether any of them are still working.
From here, I found many more data points of the employees with different emails, but these three are the most exposed ones.
Final words
The whole attack flow was something like this:
ENUMERATION --> USERNAME DISCLOSURE --> ONE EMAIL LEADS TO OSINT DATA SCRAPING --> PREDICTING MORE NAMING CONVENTIONS --> FOUND MORE LEAKS OF EMPLOYEES DATA --> FOUND HISTORICAL PASSWORDS OF EMPLOYEES DATA
I tried to use those leaked passwords to log in, but no luck with them because they were already changed or terminated. Still, it is very possible that these leaks work on other platforms.
This attack would not have been possible if:
- I had not run the nuclei scan
- That one email, jgagnon@ufc.com, had never been used by the employee instead of the username
- I had never tried OSINT
It reminds us that even a small, harmless-looking mistake like using the real email in the username leads to email naming conventions and then to more and more chaining of other vulnerabilities to get more things done! Just think of it: what if any of the leaked credentials could allow me into the website?
Now you can find the whole PoC document, including the employees’ data dump, here