Are you a Google employee...I wonder? There is nothing else to be said regarding this. Our research for remote code execution continues and will let you and Google know once that is confirmed; through the coordinated security program.
And please OWASP, is recognised worldwide. Best Regards, Nicholas Lemonias On Thu, Mar 13, 2014 at 11:06 PM, Julius Kivimäki <julius.kivim...@gmail.com > wrote: > Look, you keep calling it a "vulnerability" with 0 evidence that it's even > exploitable. Until you can prove otherwise this is like speculating the > potential security repercussions of uploading files to EC2 (Which would > probably have potential to be much more severe than what you're discussing > here since javascript uploaded to ec2 could actually get executed by > someones browser) > > You keep throwing around keywords like OWASP, OSI, "security best > practices" as if they actually make a difference here. Truth is there's no > reason to believe that what you have discovered here is exploitable. This > mostly seems like a desperate attempt of getting money off of google and > your name in some publication shitty enough to not do any fact checking > (eg. softpedia) . > > > 2014-03-13 21:48 GMT+02:00 Nicholas Lemonias. <lem.niko...@googlemail.com> > : > > Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything >> you may, or may not be qualified to question amazes. But everyone's opinion >> is of course respected. >> >> I normally don't provide security lessons via e-mail and full-disclosure, >> however you seem not to understand the security report fully and some core >> principles. If you can't see what information security best practises, the >> OSI/network model and self-automata propagation has anything to do with >> arbitrary write permissions to a remote network leveraging from the >> application layer, then me and you have nothing to talk about. >> >> As for the exploitability of this vulnerability, you will never know >> until you try. And we have tried it , and seem to know better. >> >> I suggest you read the report again. >> >> Thank you. >> >> >> ---------- Forwarded message ---------- >> From: Nicholas Lemonias. <lem.niko...@googlemail.com> >> Date: Thu, Mar 13, 2014 at 7:47 PM >> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC >> To: Julius Kivimäki <julius.kivim...@gmail.com> >> >> >> Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything >> you may, or may not be qualified to question amazes. But everyone's opinion >> is of course respected. >> >> I normally don't provide security lessons via e-mail and full-disclosure, >> however you seem not to understand the security report fully and some core >> principles. If you can't see what information security best practises, the >> OSI/network model and self-automata propagation has anything to do with >> arbitrary write permissions to a remote network leveraging from the >> application layer, then me and you have nothing to talk about. >> >> As for the exploitability of this vulnerability, you will never know >> until you try. And we have tried it , and seem to know better. >> >> I suggest you read the report again. >> >> Thank you. >> >> >> >> On Thu, Mar 13, 2014 at 7:02 PM, Julius Kivimäki < >> julius.kivim...@gmail.com> wrote: >> >>> I don't see what OSI model has to do with anything here. Why is >>> arbitrary file upload to youtube CDN any worse than to google drive CDN? >>> And how will your "self-executing encrypted virus like Cryptolocker" >>> end up getting executed anyways? And cryptolocker was definitely not >>> "self-executing", but spread via email attachments (excluding the boring >>> USB spread functionality). >>> >>> What you have here is not a vulnerability, just give up. And stop trying >>> to get "journalists" like Eduard Kovacs to spread your BS. >>> >>> 2014-03-13 19:10 GMT+02:00 Nicholas Lemonias. < >>> lem.niko...@googlemail.com>: >>> >>> Hello Julius, >>>> >>>> I appreciate your interest to learn more. OWASP is quite credible, and >>>> has gained some international recognition. It is a benchmark for many >>>> vendors. I suggest you to read on OSI/7-Layer Model. A website may disallow >>>> uploads of certain file types for security reasons, and let's assume at the >>>> application layer. If we manage to get past the security controls, that >>>> means we can write unrestrictedly any type of file to the remote network. >>>> That also means that we get past their firewall, since the communication is >>>> through HTTP (port 80). CDN nodes are deployed to multiple colocation >>>> (thousands of nodes and thousands of servers across the world). The files >>>> (let's say a self-executing encrypted virus like Cryptolocker? ) are cached >>>> deeply in the network across thousands of servers. >>>> >>>> >>>> On Thu, Mar 13, 2014 at 5:07 PM, Nicholas Lemonias. < >>>> lem.niko...@googlemail.com> wrote: >>>> >>>>> Hello Julius, >>>>> >>>>> I appreciate your interest to learn more. OWASP is quite credible, and >>>>> has gained some international recognition. It is a benchmark for many >>>>> vendors. I suggest you to read on OSI/7-Layer Model. A website may >>>>> disallow >>>>> uploads of certain file types for security reasons, and let's assume at >>>>> the >>>>> application layer. If we manage to get past the security controls, that >>>>> means we can write unrestrictedly any type of file to the remote network. >>>>> That also means that we get past their firewall, since the communication >>>>> is >>>>> through HTTP (port 80). CDN nodes are deployed to multiple colocation >>>>> (thousands of nodes and thousands of servers across the world). The files >>>>> are cached deep in the network structures to thousands of servers. >>>>> >>>>> >>>>> On Thu, Mar 13, 2014 at 4:20 PM, Julius Kivimäki < >>>>> julius.kivim...@gmail.com> wrote: >>>>> >>>>>> OWASP is recognized worldwide, so is CEH and a bunch of other morons. >>>>>> That doesn't mean their publications are worth anything. Now tell me, why >>>>>> would arbitrary file upload on a CDN lead to code execution (Besides for >>>>>> HTML, which you have been unable to confirm)? >>>>>> >>>>>> >>>>>> 2014-03-13 18:16 GMT+02:00 Nicholas Lemonias. < >>>>>> lem.niko...@googlemail.com>: >>>>>> >>>>>> *You are wrong about accessing the files. What has not been confirmed >>>>>>> is remote code execution. We are working on it.* >>>>>>> *And please, OWASP is recognised worldwide... * >>>>>>> >>>>>>> *Files can be accessed through Google Take out with a little bit of >>>>>>> skills.* >>>>>>> >>>>>>> *https://www.google.com/settings/takeout >>>>>>> <https://www.google.com/settings/takeout> * >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Thu, Mar 13, 2014 at 4:09 PM, Julius Kivimäki < >>>>>>> julius.kivim...@gmail.com> wrote: >>>>>>> >>>>>>>> Did you even read that article? (Not that OWASP has any sort of >>>>>>>> credibility anyways). From what I saw in your previous post you are >>>>>>>> both >>>>>>>> unable to execute the files or even access them and thus unable to >>>>>>>> manipulate the content-type the files are returned with, therefore >>>>>>>> there is >>>>>>>> no vulnerability (According to the article you linked.). >>>>>>>> >>>>>>>> BTW, you should look for more cool vulnerabilities in amazons EC2, >>>>>>>> I'm sure you will find some "Unrestricted File Upload" holes. >>>>>>>> >>>>>>>> >>>>>>>> 2014-03-13 16:18 GMT+02:00 Nicholas Lemonias. < >>>>>>>> lem.niko...@googlemail.com>: >>>>>>>> >>>>>>>> Here is your answer. >>>>>>>>> https://www.owasp.org/index.php/Unrestricted_File_Upload >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki < >>>>>>>>> julius.kivim...@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> When did the ability to upload files of arbitrary types become a >>>>>>>>>> security issue? If the file doesn't get executed, it's really not a >>>>>>>>>> problem. (Besides from potentially breaking site layout standpoint.) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. < >>>>>>>>>> lem.niko...@googlemail.com>: >>>>>>>>>> >>>>>>>>>>> Google vulnerabilities uncovered... >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Full-Disclosure - We believe in it. >>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
