Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Apple Safari ... DoS Vulnerability

From: "Valdis' Mustache" <security.mustache () gmail com>
Date: Wed, 4 Mar 2009 18:59:41 -0600
Rob,

Our young scholar does nonetheless have some sage advice for young ladies of
colour.

http://www.helium.com/items/250130-advice-to-black-females

I was rather alarmed at his arrest and methamphetamine abuse, however one
might presume that his recent weight training is part of a rehabilitation
regimen.

http://www.coloradoan.com/article/20090117/NEWS01/901170316/1002/


Your humble servant,
Усы из Валдис


On Wed, Mar 4, 2009 at 6:44 PM,  <bobby.mugabe () hushmail com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mr. Stark,

You're body fat seems to be fairly high, you should consider a
cutting phase and quitting the muscle milk and whatever cheap
steroids you use.  Your looking like a fat dumb homosexual in those
tights.  Someone with you're levels of insecurity shouldn't be in
computer security.

- -bm

On Wed, 04 Mar 2009 16:44:50 -0500 Jason Starks
<jstarks440 () gmail com> wrote:

Ah, probably not. Your stringing together words to make sentences
is what
I'll regret reading. I'll continue to use my muscle milk and
you'll continue
to work your 9-5. The world turns once again!

On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache <
security.mustache () gmail com> wrote:


Mister Snarks,

I've never been anything but who I purport to be, the humble

upper

facial hair quadrant of a loquacious sysadmin. Low of birth,

though

noble in aspiration, a student of history and of the many

mustaches

who came before myself.

You, young scholar, should be wary, though! Prospective

employers do

make regular use of search engines, "googling" potential

candidates to

gain insight into possible character flaws!

True, your clean and jerk abilities as archived on the YouTube

are

admirable, but acting a fool on security lists is something

normally

reserved only for those in academia, who are markedly difficult

if not

impossible to unseat from their comfortable chairs, as

indisputably

underscored by the e-antics of this mutache's owner, and, of

course,

Mssr. Schmehl.

You'll come to regret your lack of anonymity, as your posts will

live

on for eternity, much as I've came to regret my unfortunate
association with the unruly beardlike growth connecting to me

from the

south, and my unavoidable tenuous connection with those

objectionable

and uncouth sideburns.


Your humble servant,
I baffi di Valdis

On Wed, Mar 4, 2009 at 12:55 PM, Jason Starks

<jstarks440 () gmail com>

wrote:

I know, its insane. It is a new trend, though, just like

people

registering

gmail accounts just to flame and troll on FD!

Its like, your credability like, goes like, ok you start like

at 0, and

then

like, it goes like to -1, and like, then even lower like.

Absolutely genius.

x0x0x0x0x0x0x0x0x0x

On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee

<biz.marqee () gmail com> wrote:


This was 2 years well spent... NOT!

Seriously what is with all these people popping up releasing

advisories

that are absolute SHIT? Is it to try and get jobs or what?


On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security

Advisories <

advisories at isecauditors.com> wrote:


=============================================
INTERNET SECURITY AUDITORS ALERT 2007-003
- Original release date: August 1st, 2007
- Last revised: January 11th, 2009
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================

I. VULNERABILITY
-------------------------
CSRF vulnerability in GMail service

II. BACKGROUND
-------------------------
Gmail is Google's free webmail service. It comes with built-

in Google

search technology and over 2,600 megabytes of storage (and

growing

every day). You can keep all your important messages, files

and

pictures forever, use search to quickly and easily find

anything

you're looking for, and make sense of it all with a new way

of viewing

messages as part of conversations.

III. DESCRIPTION
-------------------------
Cross-Site Request Forgery, also known as one click attack

or session

riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a

kind of

malicious exploit of websites. Although this type of attack

has

similarities to cross-site scripting (XSS), cross-site

scripting

requires the attacker to inject unauthorized code into a

website,

while cross-site request forgery merely transmits

unauthorized

commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the "Change

Password"

functionality. The only token for authenticate the user is

a session

cookie, and this cookie is sent automatically by the

browser in every

request.

An attacker can create a page that includes requests to the

"Change

password" functionality of GMail and modify the passwords

of the users

who, being authenticated, visit the page of the attacker.

The attack is facilitated since the "Change Password"

request can be

realized across the HTTP GET method instead of the POST

method that is

realized habitually across the "Change Password" form.

IV. PROOF OF CONCEPT
-------------------------
1. An attacker create a web page "csrf-attack.html" that

realize many

HTTP GET requests to the "Change Password" functionality.

For example, a password cracking of 3 attempts (see

"OldPasswd"

parameter):
...
<img
src="





https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro
up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&
p=&save=Save

">
<img
src="





https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro
up1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&
p=&save=Save

">
<img
src="





https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro
up1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&
p=&save=Save

">
...

or with hidden frames:
...
<iframe
src="





https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro
up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&
p=&save=Save

">
<iframe
src="





https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro
up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&
p=&save=Save

">
<iframe
src="





https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro
up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&
p=&save=Save

">
...

The attacker can use deliberately a weak new password (see

"Passwd"

and "PasswdAgain" parameters), this way he can know if the

analysed

password is correct without need to modify the password of

the victim

user.

Using weak passwords the "Change Password" response is:
 - " The password you gave is incorrect. ", if the analysed

password

is not correct.
 - " We're sorry, but you've selected an insecure password.

In order

to protect the security of your account, please click

"Password

Strength" to get tips on choosing to safer password. ", if

the

analysed password is correct and the victim password is not

modified.


If the attacker want to modify the password of the victim

user, the

waited response message is: " Your new password has been

saved - OK ".


In any case, the attacker evades the restrictions imposed

by the

captcha of the authentication form.

2. A user authenticated in GMail visit the "csrf-

attack.html" page

controlled by the attacker.

For example, the attacker sends a mail to the victim (a

GMail account)

and provokes that the victim visits his page (social

engineering). So,

the attacker insures himself that the victim is

authenticated.


3. The password cracking is executed transparently to the

victim.


V. BUSINESS IMPACT
-------------------------
- Selective DoS on users of the GMail service (changing

user

password).

- Possible access to the mail of other GMail users.

VI. SYSTEMS AFFECTED
-------------------------
Gmail service.

VII. SOLUTION
-------------------------
No solution provided by vendor.

VIII. REFERENCES
-------------------------
http://www.gmail.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot)

com).


X. REVISION HISTORY
-------------------------
July      31, 2007: Initial release
August     1, 2007: Fewer corrections.
December  30, 2008: Last details.

XI. DISCLOSURE TIMELINE
-------------------------
July      30, 2007: Vulnerability acquired by
                   Internet Security Auditors.
August     1, 2007: Initial notification sent to the
                   Google security team.
August     1, 2007: Google security team request additional
                   information.
                   about and start review the

vulnerability.

August    13, 2007: Request information about the status.
August    15, 2007: Google security team responds that they

are still

                   working on this.
September 19, 2007: Request for the status. No response.
November  26, 2007: Request for the status. No response.
January    2, 2008: Request for the status. No response.
January    4, 2008: Request for the status. No response.
January   11, 2008: Request for the status. No response.
January   15, 2008: Request for the status. Automated

response.

January   18, 2008: Google security team informs that don't

expect

                   behaviour to change in the short term

giving

                   the justification.
                   We deconstruct those arguments as

insufficient.

                   No more responses.
December  30, 2008: Request for the status. Confirmation

from Google

                   they won't change the consideration

about this.

January   11, 2009: Publication to Bugtraq. Rejected twice.
                   No reasons.
March     03, 2009: General publication for disclosure in

other lists.


XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied

"as-is"

with no warranties or guarantees of fitness of use or

otherwise.

Internet Security Auditors accepts no responsibility for

any damage

caused by the use or misuse of this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-

charter.html

Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-

charter.html

Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkmvIAQACgkQhNp8gzZx3sifPQP/Z/JwoxHfL+/YWIumE6ohkDzHigcM
FFMGnJtPy1PUYahP2Kkq4oBUiFgNsqWsBjvNnp+hrILgO6w73OasuLZQSvYX7hCMK8k1
eK7r0H5fjSlqoRhkJSGhgBDL4H7q1nMrkr0x4zGO7Jeeeq8DuU23x2A1UvnJCE+RAo65
vFaHNwE=
=uYwk
-----END PGP SIGNATURE-----

--
Click to find information on your credit score and your credit report.


http://tagline.hushmail.com/fc/BLSrjkqeNwyn7W35g2EhsFTPSKje8aswj4QTZvrXUmflUijsGrXajBFpRZG/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: