Full Disclosure mailing list archives
Re: Google vulnerabilities with PoC
From: Alfredo Ortega <alfred () groundworkstech com>
Date: Fri, 14 Mar 2014 16:13:14 -0300
If he can change the mime type, then he indeed may have an attack vector, e.g. he could upload a complete youtube-lookalike site and snatch credentials. If you can access the fake site via HTTPS with a youtube cert, it's an obvious vulnerability.

On 03/14/2014 07:05 AM, Mario Vilas wrote:
> You're still missing the attack vector (and the point of the discussion too, but that's painfully obvious).
>
> On Fri, Mar 14, 2014 at 4:21 AM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:
>
>> Here's my evidence.
>>
>> Live Proof Of Concept
>> ==================
>>
>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>
>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":" http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000 ","cross_domain_url":" http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status": "ok", "video_id": "KzKDtijwHFI"}}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>
>> The above proof of concept demonstrates:
>>
>> 1. We have bypassed the security controls in Youtube and uploaded an unexpected file type.
>> 2. The file is persistent and has not been deleted by YouTube.
>> 3. It can be queried for information since it is assigned a unique upload_id.
>> 4. It's successfully uploaded to youtube.com. As you can see it gives out the total bytes written to the remote network.
>> 5. "content_type":"text/x-sh"}] -------> The file is a shell script named 'file'
>> 6. It can be enumerated by a non-authenticated user, remotely.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
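The deciding question in the exchange above is whether a client-declared MIME type is accepted and later echoed back when the object is served. As an added illustration (example code, not from the thread or from Google), the check a defender would run on the upload-session response quoted above, plus the serving-side rule that keeps a stored blob from rendering as a page; the video allowlist and the shortened upload_id are constructed assumptions:

```python
import json

# Constructed sample: the upload-session response quoted in the thread,
# with the long upload_id shortened to a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "sessionStatus": {
        "state": "FINALIZED",
        "externalFieldTransfers": [{
            "name": "file", "status": "COMPLETED",
            "bytesTransferred": 113, "bytesTotal": 113,
            "content_type": "text/x-sh",
        }],
        "upload_id": "UPLOAD_ID_PLACEHOLDER",
    }
})

# Content types a video-upload endpoint would be expected to accept (assumed list).
VIDEO_TYPES = {"video/mp4", "video/webm", "video/x-matroska", "video/quicktime"}


def audit_upload_session(response_text, allowed=VIDEO_TYPES):
    """Return one finding per transferred field whose declared content type is
    outside the allowlist. The declared type is client-controlled, so a finding
    only shows what the server accepted, not what the bytes really are."""
    status = json.loads(response_text)["sessionStatus"]
    findings = []
    for field in status.get("externalFieldTransfers", []):
        ctype = field.get("content_type", "")
        if ctype not in allowed:
            findings.append({
                "field": field.get("name"),
                "content_type": ctype,
                "bytes": field.get("bytesTransferred"),
                "state": status.get("state"),
            })
    return findings


def serving_headers(stored_content_type, allowed=VIDEO_TYPES):
    """Headers to use when serving stored bytes back: never echo a declared
    type that is not on the allowlist; force download and disable browser
    sniffing so the object cannot be rendered as HTML under the site's origin."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if stored_content_type in allowed:
        headers["Content-Type"] = stored_content_type
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers
```

Run against the sample, the audit reports the single `text/x-sh` transfer; the serving rule is what decides whether such an acceptance becomes the lookalike-site vector Alfredo describes or stays an inert blob.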