Full Disclosure mailing list archives
Re: Fwd: Google vulnerabilities with PoC
From: William Scott Lockwood III <scott () guppylog com>
Date: Fri, 14 Mar 2014 21:50:23 -0500
It's amazing how much dumber I feel for having read your drivel. Please for the love of <$diety> stop posting to this list. -- W. Scott Lockwood III AMST Tech (SPI) GWB2009033817 http://www.shadowplayinternational.org/ "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) On Fri, Mar 14, 2014 at 9:48 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:
Go to sleep. You have absolutely no understanding of the vulnerability, nor you have the facts. If you want a full report ask Softpedia, because we aint releasing them. On Fri, Mar 14, 2014 at 8:39 PM, R D <rd.seclists () gmail com> wrote:You are trying to execute an sh script through a video player. That's an exec() command.No, it's not. That's an HTTP GET. Do you have such a poor understanding of how web applications work? Or did you just not read what I said?So its the wrong way about accessing the file.This way, which is the standard way to access files on youtube, tells me the file doesn't exist. You have yet to prove the file you uploaded can be accessed or executed by anyone. For that matter, you have still to prove it can be discovered by anyone. That URL is hard to guess. And you have still to answer all my other questions, and most of the questions asked to you on this list. The burden of proof is on you, and you are making a fool of yourself by answering all the questions here with the same statements, and links to your PoC that doesn't proves anything, while everybody asks you for more evidence. Keep on the (good?) work, --Rob' On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:You are trying to execute an sh script through a video player. That's an exec() command. So its the wrong way about accessing the file. On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists () gmail com> wrote:No it's not. As Chris and I are saying, you don't have proof your file is accessible to others, only that is was uploaded. Now, you see, when you upload a video to youtube, you get the adress where it will be viewable in the response. In your case : {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000","cross_domain_url":"http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status": "ok", "video_id": "KzKDtijwHFI"}}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}} And what do we get when we browse to https://youtube.com/watch?v=KzKDtijwHFI ? Nothing. Can you send me a link where I can access the file content of the arbitrary file you uploaded? Are you sure this json response, or this file, will be there in a month? Or in a year? Is the fact that this json response exists a threat to youtube? Can you quantify how of a threat? How much, in dollars, does it hurt their business? --Rob On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:My claim is now verified.... Cheers! On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw That information can be queried from the db, where the metadata are saved. The files are being saved persistently , as per the above example. On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw That information can be queried from the db, where the metadata are saved. The files are being saved persistently , as per the above example. On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <christhom7851 () gmail com> wrote:Hi Nikolas, Please do read (and understand) my entire email before responding - I understand your frustration trying to get your message across but maybe this will help. Please put aside professional pride for the time being - I know how it feels to be passionate about something yet have others simply not understand. Let me try and bring some sanity to the discussion and explain to you why people maybe not agreeing with you. You (rightly so) highlighted what you believe to be an issue in a Youtube whereby it appears (to you) than you can upload an arbitrary file. If you can indeed do this as you suspect then your points are valid and you "may" be able to cause various issues associated with it such as DOS etc - especially if the uploaded files cannot or are not tracked. However... Consider than you are talking to an API and what you are getting back (the JSON response) in your example is simply a response from the API to say the file you uploaded has been received and saved. Now, as you no doubt know, when you upload a regular movie to YouTube, once uploaded it goes away and does some post-processing, converting it to flash for example. What's to say that there isn't some verification aspect to this post-processing that checks if the file is intact a valid movie and if not removes it. If you could for example demonstrate that the file was indeed persistent, by being able to retrieve it for example then again, you would have solid ground to claim an issue however your claims at this point are based on an assumption.... Let me explain. 1. You have demonstrated than you can send "any" file to an API and the API returned an acknowledgment of receiving (and saving) the file. 2. You / we don't know what Google do with files once they have been received from the API - maybe they process them and validate them - we simply don't know. 3. You have hypothesized that you can retrieve the file by manipulating tokens etc and you may be right, but you have not demonstrated it as such. Because of this, you seem to have made a CLAIM that you can upload arbitrary files to Google however SHOWN that you can simply send files to an API and an API responds in a certain way. I am NOT saying you haven't found an issue, what I am saying is that you need to demonstrate that the issue is real and thus can be abused. If the Google service simply verifies all uploaded files once they are uploaded and discards them if invalid, then you haven't really found anything. If you were to prove that you were able to retrieve this uploaded file then how could anyone dispute your bug. Hope this helps.... Cheers!_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Fwd: Google vulnerabilities with PoC, (continued)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Chris Thompson (Mar 14)
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC J. Tozo (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC R D (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Mario Vilas (Mar 14)
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC William Scott Lockwood III (Mar 15)
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Brian M. Waters (Mar 15)
- Re: Fwd: Google vulnerabilities with PoC Michal Zalewski (Mar 15)
- Re: Google vulnerabilities with PoC Mario Vilas (Mar 15)
- Re: Google vulnerabilities with PoC antisnatchor (Mar 15)
- Re: Google vulnerabilities with PoC M Kirschbaum (Mar 15)
- Re: Google vulnerabilities with PoC Gynvael Coldwind (Mar 15)
- Re: Google vulnerabilities with PoC Mario Vilas (Mar 15)