Full Disclosure mailing list archives

Re: Do world's famous companies take care of their security?


From: Octal <octetstream () gmail com>
Date: Mon, 31 Jul 2006 09:47:40 -0500

Does anybody happen to realize that XSS vulnerabilities make it simpler to
leverage other vulnerabilities?  I mean, credential stealing is only the
beginning.  Try loading WMF/JPEG/DCOM/AJAX/etc exploit code using an XSS
vulnerability on PayPal/Yahoo/Amazon/etc, sending the link off to millions
of people, and receiving several thousand bots to your IRC channel.

Granted, XSS vulnerabilities on their own aren't useful, just like making IE
go boom when you poison the heap with garbage prior to loading bad COM
objects; it's using them effectively that makes them a problem.

They don't even have to be used on a large scale either.  Take for instance
the corporate intranet page that has an XSS vulnerability that none of the
developers want to fix.  Let's say that the corporate patching policy is
crap ( i.e. 2-4 months behind Microsoft).  Then let's say we have a pissed
off employee who knows of this XSS, and has a naughty little exploit that'll
work on 90% of the systems on the network, including some systems with
logged in users running as domain admin.  One forged email from HR to the
company has everyone hitting the page with the XSS and the loaded exploit
and BOOM!  Domain admin, access to all systems, financial records, trade
secrets, etc.

Still not good enough?  How about this.  You bank at SuperUltraMegaBank, and
they have an XSS vulnerability on their online banking page.  Let's say
there's a jerk out there who finds this XSS vulnerability and has a naughty
little 0day that'll work on 90% of the systems on SuperUltraMegaBank's
internal network.  The jerk harvests email addresses from the internet, and
phone system.  The jerk spoofs an email to bank employees from IT telling
employees to login to the online banking system for whatever reason, and
includes a nice little link that loads the jerk's 0day via XSS when the
employees visit the site.  Now the attacker has pwn3d the internal systems
of people who visited the link, and gathered credentials to people who were
able to sign in.  Guess what the attacker's going to do next... wait, I'll
spell it out: he's going to rape the DP and steal as much info as possible
to pull off ID theft, then he's going to use any compromised information to
login to the online banking and use the bill pay system to transfer money
out of the bank to credit cards he has control of.

So XSS on its own isn't anything special, just like a heap overflow.  It's
all about how you use it.

On 7/31/06, n3td3v <xploitable () gmail com> wrote:

On 7/31/06, Valery Marchuk <tecklord () argocom cv ua> wrote:
> I will publish such information in my blog and hope that companies will take
> care of their security.

That comment bugs me, because when you are a large multinational
corporation, it is no longer THEIR security, it is OUR security,
because security incidents often spill further and become a global
security incident rather than a vendor security incident.

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
.: Eat Me
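As an added example from the defender's side (this is not code from the post or from anyone in the thread): the reflected-XSS pattern the thread is arguing about, rendered two ways. The first handler reflects a query parameter raw, which is exactly the hook a mailed link can use to pull in whatever script the sender wants; the second escapes it for the HTML text context, and the accompanying Content-Security-Policy stops the browser from running inline script or script from a foreign origin even if another reflection point is missed. The `reflected_unescaped` check is what a reviewer would run over a rendered page to confirm a parameter no longer comes back raw. The search page, the `bank.example` host, and all function names are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample link of the kind the post describes: a bank search page
# whose "q" parameter is reflected into the response. The payload is the
# classic harmless probe; a real link would carry a loader for remote script.
SAMPLE_LINK = "https://bank.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def render_vulnerable(query: str) -> str:
    """Reflects the parameter verbatim into HTML: reflected XSS (hypothetical handler)."""
    return f"<html><body><h1>Results for {query}</h1></body></html>"


def render_hardened(query: str) -> str:
    """Escapes <, >, &, and quotes before reflecting, so the value is text, not markup."""
    safe = html.escape(query, quote=True)
    return f"<html><body><h1>Results for {safe}</h1></body></html>"


# Response headers a hardened deployment would send alongside the page.
# script-src 'self' forbids both inline <script> and scripts from other origins,
# which is what a reflected payload relies on to load code from elsewhere.
SECURITY_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
}


def param_value(url: str, param: str) -> str:
    """Extracts and percent-decodes one query parameter from a URL."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


def reflected_unescaped(url: str, param: str, page: str) -> bool:
    """True if the parameter's value contains HTML metacharacters and shows up
    in the rendered page byte-for-byte, i.e. the reflection is still exploitable."""
    value = param_value(url, param)
    has_markup = any(c in value for c in "<>\"'")
    return has_markup and value in page


def csp_blocks_inline_script(headers: dict) -> bool:
    """Cheap policy sanity check: no 'unsafe-inline' in the effective script source list."""
    policy = headers.get("Content-Security-Policy", "")
    directives = {d.strip().split(" ")[0]: d.strip() for d in policy.split(";") if d.strip()}
    script_src = directives.get("script-src") or directives.get("default-src", "")
    return bool(script_src) and "'unsafe-inline'" not in script_src


if __name__ == "__main__":
    q = param_value(SAMPLE_LINK, "q")
    print("vulnerable page reflects raw:", reflected_unescaped(SAMPLE_LINK, "q", render_vulnerable(q)))
    print("hardened page reflects raw:  ", reflected_unescaped(SAMPLE_LINK, "q", render_hardened(q)))
    print("CSP blocks inline script:    ", csp_blocks_inline_script(SECURITY_HEADERS))
```

Run stand-alone it reports the vulnerable handler as reflecting raw markup and the hardened one as not. The check is deliberately narrow: it only catches a parameter that survives unchanged into the page body, which is the case the thread is about, and it says nothing about attribute or JavaScript contexts, where escaping for HTML text alone is not enough.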