Full Disclosure mailing list archives
Re: Apple Safari ... DoS Vulnerability
From: bobby.mugabe () hushmail com
Date: Wed, 04 Mar 2009 14:15:05 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes. - -bm On Tue, 03 Mar 2009 18:28:30 -0500 Biz Marqee <biz.marqee () gmail com> wrote:
This was 2 years well spent... NOT! Seriously what is with all these people popping up releasing advisories that are absolute SHIT? Is it to try and get jobs or what? On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security Advisories < advisories at isecauditors.com> wrote:============================================= INTERNET SECURITY AUDITORS ALERT 2007-003 - Original release date: August 1st, 2007 - Last revised: January 11th, 2009 - Discovered by: Vicente Aguilera Diaz - Severity: 3/5 ============================================= I. VULNERABILITY ------------------------- CSRF vulnerability in GMail service II. BACKGROUND ------------------------- Gmail is Google's free webmail service. It comes with built-insearch technology and over 2,600 megabytes of storage (andgrowingevery day). You can keep all your important messages, files and pictures forever, use search to quickly and easily find anything you're looking for, and make sense of it all with a new way ofviewingmessages as part of conversations. III. DESCRIPTION ------------------------- Cross-Site Request Forgery, also known as one click attack orsessionriding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into awebsite,while cross-site request forgery merely transmits unauthorized commands from a user the website trusts. GMail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token for authenticate the user is asessioncookie, and this cookie is sent automatically by the browser ineveryrequest. An attacker can create a page that includes requests to the"Changepassword" functionality of GMail and modify the passwords of theuserswho, being authenticated, visit the page of the attacker. The attack is facilitated since the "Change Password" requestcan berealized across the HTTP GET method instead of the POST methodthat isrealized habitually across the "Change Password" form. IV. PROOF OF CONCEPT ------------------------- 1. An attacker create a web page "csrf-attack.html" that realizemanyHTTP GET requests to the "Change Password" functionality. For example, a password cracking of 3 attempts (see "OldPasswd" parameter): ... <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& p=&save=Save"> <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro up1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123& p=&save=Save"> <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro up1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123& p=&save=Save"> ... or with hidden frames: ... <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& p=&save=Save"> <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& p=&save=Save"> <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& p=&save=Save"> ... The attacker can use deliberately a weak new password (see"Passwd"and "PasswdAgain" parameters), this way he can know if theanalysedpassword is correct without need to modify the password of thevictimuser. Using weak passwords the "Change Password" response is: - " The password you gave is incorrect. ", if the analysedpasswordis not correct. - " We're sorry, but you've selected an insecure password. Inorderto protect the security of your account, please click "Password Strength" to get tips on choosing to safer password. ", if the analysed password is correct and the victim password is notmodified.If the attacker want to modify the password of the victim user,thewaited response message is: " Your new password has been saved -OK ".In any case, the attacker evades the restrictions imposed by the captcha of the authentication form. 2. A user authenticated in GMail visit the "csrf-attack.html"pagecontrolled by the attacker. For example, the attacker sends a mail to the victim (a GMailaccount)and provokes that the victim visits his page (socialengineering). So,the attacker insures himself that the victim is authenticated. 3. The password cracking is executed transparently to thevictim.V. BUSINESS IMPACT ------------------------- - Selective DoS on users of the GMail service (changing userpassword).- Possible access to the mail of other GMail users. VI. SYSTEMS AFFECTED ------------------------- Gmail service. VII. SOLUTION ------------------------- No solution provided by vendor. VIII. REFERENCES ------------------------- http://www.gmail.com IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- July 31, 2007: Initial release August 1, 2007: Fewer corrections. December 30, 2008: Last details. XI. DISCLOSURE TIMELINE ------------------------- July 30, 2007: Vulnerability acquired by Internet Security Auditors. August 1, 2007: Initial notification sent to the Google security team. August 1, 2007: Google security team request additional information. about and start review the vulnerability. August 13, 2007: Request information about the status. August 15, 2007: Google security team responds that they arestillworking on this. September 19, 2007: Request for the status. No response. November 26, 2007: Request for the status. No response. January 2, 2008: Request for the status. No response. January 4, 2008: Request for the status. No response. January 11, 2008: Request for the status. No response. January 15, 2008: Request for the status. Automated response. January 18, 2008: Google security team informs that don'texpectbehaviour to change in the short term giving the justification. We deconstruct those arguments asinsufficient.No more responses. December 30, 2008: Request for the status. Confirmation fromthey won't change the consideration aboutthis.January 11, 2009: Publication to Bugtraq. Rejected twice. No reasons. March 03, 2009: General publication for disclosure in otherlists.XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is"with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for anydamagecaused by the use or misuse of this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQMCAAYFAkmu0tgACgkQhNp8gzZx3siTfwP+IUd2rADVavW2BDTzO9Zt06Gz5ZyN dVp7XkmLzK+/8251Mv51NgYmVlnM6LmfIqvSM6W4qnjyhpOO2w6SbYEd6UupxADHN03h 5Yx2yYdKAGdojxB5tAsS3HhgRbVNIgCGrsXONH1fNn+P4+qXgvpkMKJ0QZ/J9WNbl2ZK Nj6U7f4= =WaFE -----END PGP SIGNATURE----- -- Quality Kitchen Cabinets. Great products, prices and service. http://tagline.hushmail.com/fc/BLSrjkqfY0piALt30UUvI7em6isIEZqpdHUXK6oIPRX4UzdkaBah8ad4ZV2/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Apple Safari ... DoS Vulnerability, (continued)
- Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 03)
- Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability Biz Marqee (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Chris Evans (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 04)