Full Disclosure mailing list archives
Re: Do world's famous companies take care of their security?
From: Octal <octetstream () gmail com>
Date: Mon, 31 Jul 2006 09:47:40 -0500
Does anybody happen to realize that XSS vulnerabilities make it simpler to leverage other vulnerabilities? I mean, credential stealing is only the beginning. Try loading WMF/JPEG/DCOM/AJAX/etc exploit code using an XSS vulnerability on PayPal/Yahoo/Amazon/etc, sending the link off to millions of people, and receiving several thousand bots to your IRC channel.

Granted, XSS vulnerabilities on their own aren't useful, just like making IE go boom when you poison the heap with garbage prior to loading bad COM objects; it's using them effectively that makes them a problem.

They don't even have to be used on a large scale either. Take for instance the corporate intranet page that has an XSS vulnerability that none of the developers want to fix. Let's say that the corporate patching policy is crap (i.e. 2-4 months behind Microsoft). Then let's say we have a pissed off employee who knows of this XSS, and has a naughty little exploit that'll work on 90% of the systems on the network, including some systems with logged-in users running as domain admin. One forged email from HR to the company has everyone hitting the page with the XSS and the loaded exploit and BOOM! Domain admin, access to all systems, financial records, trade secrets, etc.

Still not good enough? How about this. You bank at SuperUltraMegaBank, and they have an XSS vulnerability on their online banking page. Let's say there's a jerk out there who finds this XSS vulnerability and has a naughty little 0day that'll work on 90% of the systems on SuperUltraMegaBank's internal network. The jerk harvests email addresses from the internet, and phone system. The jerk spoofs an email to bank employees from IT telling employees to log in to the online banking system for whatever reason, and includes a nice little link that loads the jerk's 0day via XSS when the employees visit the site.

Now the attacker has pwn3d the internal systems of people who visited the link, and gathered credentials to people who were able to sign in. Guess what the attacker's going to do next...wait I'll spell it out: he's going to rape the DP and steal as much info as possible to pull off ID theft, then he's going to use any compromised information to log in to the online banking and use the bill pay system to transfer money out of the bank to credit cards he has control of.

So XSS on its own isn't anything special, just like a heap overflow. It's all about how you use it.

On 7/31/06, n3td3v <xploitable () gmail com> wrote:
On 7/31/06, Valery Marchuk <tecklord () argocom cv ua> wrote:
> I will publish such information in my blog and hope that companies will take
> care of their security.

That comment bugs me, because when you are a large multinational corporation, it is no longer THEIR security, it is OUR security, because security incidents often spill further, and become a global security incident rather than a vendor security incident.

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- .: Eat Me