Full Disclosure mailing list archives
Re: Fwd: Google vulnerabilities with PoC
From: Sergio 'shadown' Alvarez <shadown () gmail com>
Date: Fri, 14 Mar 2014 22:33:46 +0800
I will, it's late here, but I'm enjoying the show way too much. xD

Instead of discussing, why don't you show a client side attack with that thing that you call a vulnerability and make everyone shut up? Oh wait... because you can't! ;-)

"A fail has a thousand excuses, but success doesn't require any explanation." In this context a working client side exploit or a Server Shell proof is a success, any other thing is crap. Talking, complaining and showing certification don't work against a computer; a working exploit that gives you a shell does.

Cheers,
-- Sergio

On Mar 14, 2014, "Nicholas Lemonias." <lem.nikolas () googlemail com> wrote:

Go to sleep.

---------- Forwarded message ----------
From: Nicholas Lemonias. <lem.nikolas () googlemail com>
Date: Fri, Mar 14, 2014 at 2:16 PM
Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
To: Sergio 'shadown' Alvarez <shadown () gmail com>

Go to sleep....

On Fri, Mar 14, 2014 at 1:50 PM, Sergio 'shadown' Alvarez <shadown () gmail com> wrote:

Dear Nicholas Lemonias,

I don't usually get into these scrappy discussions, but yeah, you are on a completely different level if you compare yourself with Mario. You are definitely a Web app/metasploit-user guy and pick up a discussion with a binary and memory corruption ninja exploit writer like Mario. You should know your place and shut up. Period.

Btw, if you dare discussing with a beast like lcamtuf, you are definitely out of your mind.

Cheers,
Sergio.
-- Sergio

On Mar 14, 2014, "Nicholas Lemonias." <lem.nikolas () googlemail com> wrote:

We are on a different level perhaps. We do certainly disagree on those points.

I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability..

Best Regards,
Nicholas Lemonias.

On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvilas () gmail com> wrote:

But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/

On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:

Thanks Michal,

We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time.

We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct.

Regards,
Nicholas Lemonias.
AISec

On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:

Hi Jerome,

Thank you for agreeing on access control, and separation of duties. However, successful exploitation permits arbitrary write() of any file of choice.

I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job.

On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <athiasjerome () gmail com> wrote:

Hi

I concur that we are mainly discussing a terminology problem.

In the context of a Penetration Test or WAPT, this is a Finding. Reporting this finding makes sense in this context.

As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations, Compliance, Policies or Requirements[1])

* I would say Weakness + Exposure = Vulnerability. Vulnerability + Exploitability (PoC) = Confirmed Vulnerability that needs Business Impact and Risk Analysis

So I would probably have reported this Finding as a Weakness (and not Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not Best Practice (your OWASP link and Cheat Sheets), and even if mitigative/compensative security controls (Ref Orange Book), security controls like white listing (or at least black listing; see also ESAPI) should be 1) part of the [1] security requirements of a proper SDLC (Build security in) as per Defense-in-Depth security principles and 2) used and implemented correctly.

NB: A simple Threat Model (i.e. list of CAPEC) would be a solid support to your report. This would help to evaluate/measure the risk (e.g. CVSS), helping the decision/actions around this risk.

PS: interestingly, in this case, I'm not sure that the Separation of Duties security principle was applied correctly by Google in terms of Risk Acceptance (which could be another Finding)

So in a few words, be careful with the terminology. (don't always say vulnerability like the media say hacker, see RFC1392)

Use a CWE ID (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)

My 2 bitcents
Sorry if it is not edible :)

Happy Hacking!
/JA
https://github.com/athiasjerome/XORCISM

2014-03-14 7:19 GMT+03:00 Michal Zalewski <lcamtuf () coredump cx>:

Nicholas,

I remember my early years in the infosec community - and sadly, so do some of the more seasoned readers of this list :-) Back then, I thought that the only thing that mattered is the ability to find bugs. But after some 18 years in the industry, I now know that there's an even more important and elusive skill.

That skill boils down to having a robust mental model of what constitutes a security flaw - and being able to explain your thinking to others in a precise and internally consistent manner that convinces others to act. We need this because the security of a system can't be usefully described using abstract terms: even the academic definitions ultimately boil down to saying "the system is secure if it doesn't do the things we *really* don't want it to do".

In this spirit, the term "vulnerability" is generally reserved for behaviors that meet all of the following criteria:

1) The behavior must have negative consequences for at least one of the legitimate stakeholders (users, service owners, etc),
2) The consequences must be widely seen as unexpected and unacceptable,
3) There must be a realistic chance of such a negative outcome,
4) The behavior must introduce substantial new risks that go beyond the previously accepted trade-offs.

If we don't have that, we usually don't have a case, no matter how clever the bug is.

Cheers (and happy hunting!),
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 
"There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."
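Jerome's reply above recommends white listing (rather than black listing) as the control for an "any file type can be uploaded" finding (CWE-434). The following is an added example, not code from anyone in this thread, of what such a server-side allow-list check looks like; the extensions, magic bytes, size limit and sample files are assumptions chosen for illustration.

```python
# Added example (not from the thread): server-side upload validation that
# implements the allow-list control recommended for a CWE-434 style
# "any file type" upload finding. Names, limits and samples are assumed.
import os
import secrets

# Allow-list: permitted extension -> magic bytes the content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name or raise UploadRejected.
    The client-supplied name is consulted only for its final extension."""
    if len(content) > MAX_BYTES:
        raise UploadRejected("too large")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:  # allow-list, not a deny-list of "bad" types
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if not content.startswith(ALLOWED[ext]):  # name must match content
        raise UploadRejected("content does not match declared type")
    return secrets.token_hex(16) + ext  # random name + validated extension

def check_batch(files):
    """Validate (name, bytes) pairs; return {name: 'ok' | rejection reason}."""
    result = {}
    for name, data in files:
        try:
            validate_upload(name, data)
            result[name] = "ok"
        except UploadRejected as exc:
            result[name] = str(exc)
    return result

# Constructed sample batch (not real uploads).
SAMPLE = [
    ("photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("report.pdf", b"%PDF-1.4 ..."),
    ("notes.html", b"<html></html>"),
    ("fake.jpg", b"not an image"),
]
```

Running check_batch(SAMPLE) accepts the first two files and rejects the last two, one for its extension and one because its bytes do not match the type its name claims.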