Re: Fwd: Google vulnerabilities with PoC

[William Scott Lockwood III <scott () guppylog com>]

It's amazing how much dumber I feel for having read your drivel.
Please for the love of <$diety> stop posting to this list.

--
W. Scott Lockwood III
AMST Tech (SPI)
GWB2009033817
http://www.shadowplayinternational.org/
"There are four boxes to be used in defense of liberty:  soap, ballot,
jury, and ammo. Please use in that order." -Ed Howdershelt (Author)


On Fri, Mar 14, 2014 at 9:48 PM, Nicholas Lemonias.
<lem.nikolas () googlemail com> wrote:
> Go to sleep. You have absolutely no understanding of the vulnerability, nor
> you have the facts.
>
> If you want a full report ask Softpedia, because we aint releasing them.
>
>
> On Fri, Mar 14, 2014 at 8:39 PM, R D <rd.seclists () gmail com> wrote:
> > > You are trying to execute an sh script through a video player. That's an
> > > exec() command.
> > No, it's not. That's an HTTP GET. Do you have such a poor understanding of
> > how web applications work? Or did you just not read what I said?
> >
> > > So its the wrong way about accessing the file.
> > This way, which is the standard way to access files on youtube, tells me
> > the file doesn't exist. You have yet to prove the file you uploaded can be
> > accessed or executed by anyone. For that matter, you have still to prove it
> > can be discovered by anyone. That URL is hard to guess.
> > And you have still to answer all my other questions, and most of the
> > questions asked to you on this list.
> > The burden of proof is on you, and you are making a fool of yourself by
> > answering all the questions here with the same statements, and links to your
> > PoC that doesn't proves anything, while everybody asks you for more
> > evidence.
> > Keep on the (good?) work,
> > --Rob'
> >
> >
> > On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias.
> > <lem.nikolas () googlemail com> wrote:
> > > You are trying to execute an sh script through a video player. That's an
> > > exec() command. So its the wrong way about accessing the file.
> > >
> > >
> > > On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists () gmail com> wrote:
> > > > No it's not. As Chris and I are saying, you don't have proof your file
> > > > is accessible to others, only that is was uploaded. Now, you see, when you
> > > > upload a video to youtube, you get the adress where it will be viewable in
> > > > the response. In your case :
> > > >
> > > > {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000","cross_domain_url":"http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":
> > > > "ok", "video_id":
> > > > "KzKDtijwHFI"}}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
> > > > And what do we get when we browse to
> > > > https://youtube.com/watch?v=KzKDtijwHFI ?
> > > > Nothing.
> > > > Can you send me a link where I can access the file content of the
> > > > arbitrary file you uploaded?
> > > > Are you sure this json response, or this file, will be there in a month?
> > > > Or in a year? Is the fact that this json response exists a threat to
> > > > youtube? Can you quantify how of a threat? How much, in dollars, does it
> > > > hurt their business?
> > > >
> > > > --Rob
> > > >
> > > >
> > > > On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias.
> > > > <lem.nikolas () googlemail com> wrote:
> > > > > My claim is now verified....
> > > > >
> > > > > Cheers!
> > > > >
> > > > >
> > > > > On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias.
> > > > > <lem.nikolas () googlemail com> wrote:
> > > > > > http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
> > > > > >
> > > > > > That information can be queried from the db, where the metadata are
> > > > > > saved. The files are being saved persistently , as per the above example.
> > > > > >
> > > > > >
> > > > > > On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias.
> > > > > > <lem.nikolas () googlemail com> wrote:
> > > > > > > http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
> > > > > > >
> > > > > > > That information can be queried from the db, where the metadata are
> > > > > > > saved. The files are being saved persistently , as per the above example.
> > > > > > >
> > > > > > >
> > > > > > > On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson
> > > > > > > <christhom7851 () gmail com> wrote:
> > > > > > > > Hi Nikolas,
> > > > > > > >
> > > > > > > > Please do read (and understand) my entire email before responding -
> > > > > > > > I understand your frustration trying to get your message across but maybe
> > > > > > > > this will help.
> > > > > > > >
> > > > > > > > Please put aside professional pride for the time being - I know how
> > > > > > > > it feels to be passionate about something yet have others simply not
> > > > > > > > understand.
> > > > > > > >
> > > > > > > > Let me try and bring some sanity to the discussion and explain to
> > > > > > > > you why people maybe not agreeing with you.
> > > > > > > >
> > > > > > > > You (rightly so) highlighted what you believe to be an issue in a
> > > > > > > > Youtube whereby it appears (to you) than you can upload an arbitrary file.
> > > > > > > > If you can indeed do this as you suspect then your points are valid and you
> > > > > > > > "may" be able to cause various issues associated with it such as DOS etc -
> > > > > > > > especially if the uploaded files cannot or are not tracked.
> > > > > > > >
> > > > > > > > However...
> > > > > > > >
> > > > > > > > Consider than you are talking to an API and what you are getting
> > > > > > > > back (the JSON response) in your example is simply a response from the API
> > > > > > > > to say the file you uploaded has been received and saved.
> > > > > > > >
> > > > > > > > Now, as you no doubt know, when you upload a regular movie to
> > > > > > > > YouTube, once uploaded it goes away and does some post-processing,
> > > > > > > > converting it to flash for example. What's to say that there isn't some
> > > > > > > > verification aspect to this post-processing that checks if the file is
> > > > > > > > intact a valid movie and if not removes it.
> > > > > > > >
> > > > > > > > If you could for example demonstrate that the file was indeed
> > > > > > > > persistent, by being able to retrieve it for example then again, you would
> > > > > > > > have solid ground to claim an issue however your claims at this point are
> > > > > > > > based on an assumption.... Let me explain.
> > > > > > > >
> > > > > > > > 1. You have demonstrated than you can send "any" file to an API and
> > > > > > > > the API returned an acknowledgment of receiving (and saving) the file.
> > > > > > > >
> > > > > > > > 2. You / we don't know what Google do with files once they have been
> > > > > > > > received from the API - maybe they process them and validate them - we
> > > > > > > > simply don't know.
> > > > > > > >
> > > > > > > > 3. You have hypothesized that you can retrieve the file by
> > > > > > > > manipulating tokens etc and you may be right, but you have not demonstrated
> > > > > > > > it as such.
> > > > > > > >
> > > > > > > > Because of this, you seem to have made a CLAIM that you can upload
> > > > > > > > arbitrary files to Google however SHOWN that you can simply send files to an
> > > > > > > > API and an API responds in a certain way.
> > > > > > > >
> > > > > > > > I am NOT saying you haven't found an issue, what I am saying is that
> > > > > > > > you need to demonstrate that the issue is real and thus can be abused. If
> > > > > > > > the Google service simply verifies all uploaded files once they are uploaded
> > > > > > > > and discards them if invalid, then you haven't really found anything.
> > > > > > > >
> > > > > > > > If you were to prove that you were able to retrieve this uploaded
> > > > > > > > file then how could anyone dispute your bug.
> > > > > > > >
> > > > > > > > Hope this helps....
> > > > > > > >
> > > > > > > > Cheers!
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/