Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Alfredo Ortega
Mario has years of experience (more than 10 in fact) in exploit writing
and vulnerability assessment. I would consider his position on the subject.

If you don't believe me, Argentina extended me certifications that
prove that I can tell who has vulnerability assessment skills and who
does not.

If you don't believe in Argentina, you should know the ONU accepts it as
a sovereign independent country.

That is the complete certificate chain proving you that Mario is not an
idiot as you inferred.

Best regards,

Alfred


On 03/14/2014 10:50 AM, Sergio 'shadown' Alvarez wrote:
 Dear Nicholas Lemonias,
 
 I don't usually get into these scrappy discussions, but yeah, you are on a
 completely different level if you compare yourself with Mario.
 You are definitely a Web app/metasploit-user guy and pick up a discussion
 with a binary and memory corruption ninja exploit writer like Mario. You
 should know your place and shut up. Period.
 
 Btw, if you dare to discuss with a beast like lcamtuf, you are definitely out
 of your mind.
 
 Cheers,
   Sergio.
 -- Sergio
 
 On Mar 14, 2014, Nicholas Lemonias. lem.niko...@googlemail.com wrote:
 We are on a different level perhaps. We do certainly disagree on those
 points.
 I wouldn't hire you as a consultant if you can't tell if that is a
 valid vulnerability.


 Best Regards,
 Nicholas Lemonias.

 On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com wrote:

 But do you have all the required EH certifications? Try this one from
 the Institute for Certified Application Security Specialists:
 http://www.asscert.com/


 On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. 
 lem.niko...@googlemail.com wrote:

 Thanks Michal,

 We are just trying to improve Google's security and contribute to
 the research community after all. If you are still on EFNet give me a
 shout some time.

 We have done so and consulted for hundreds of clients including
 Microsoft, Nokia, Adobe and some of the world's biggest
 corporations. We are also strict supporters of the ACM code of conduct.

 Regards,
 Nicholas Lemonias.
 AISec


 On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. 
 lem.niko...@googlemail.com wrote:

 Hi Jerome,

 Thank you for agreeing on access control, and separation of duties.

 However, successful exploitation permits arbitrary write() of any
 file of choice.

 I could release exploit code in C Sharp or Python that permits
 multiple file uploads of any file/types, if the Google security
 team feels that this would be necessary. This is unpaid work, so we are
 not so keen on that job.



 On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias
 athiasjer...@gmail.com wrote:

 Hi

 I concur that we are mainly discussing a terminology problem.

 In the context of a Penetration Test or WAPT, this is a Finding.
 Reporting this finding makes sense in this context.

 As a professional, you would have to explain if/how this finding
 is a Weakness*, a Violation (/Regulations, Compliance, Policies or
 Requirements[1])
 * I would say Weakness + Exposure = Vulnerability. Vulnerability +
 Exploitability (PoC) = Confirmed Vulnerability that needs Business
 Impact and Risk Analysis

 So I would probably have reported this Finding as a Weakness (and
 not Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is
 not Best Practice (your OWASP link and Cheat Sheets), and even if
 mitigative/compensative security controls (Ref Orange Book),
 security controls like white listing (or at least black listing. see also
 ESAPI) should be 1) part of the [1]security requirements of a
 proper SDLC (Build security in) as per Defense-in-Depth security
 principles and 2) used and implemented correctly.
 NB: A simple Threat Model (i.e. list of CAPEC) would be a solid
 support to your report.
 This would help to evaluate/measure the risk (e.g. CVSS),
 helping the decision/actions around this risk.
 Helping the decision/actions around this risk

 PS: interestingly, in this case, I'm not sure that the Separation
 of Duties security principle was applied correctly by Google in terms
 of Risk Acceptance (which could be another Finding)

 So in a few words, be careful with the terminology. (don't always
 say vulnerability like the media say hacker, see RFC1392) Use a CWE ID
 (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)

 My 2 bitcents
 Sorry if it is not edible :)
 Happy Hacking!

 /JA
 https://github.com/athiasjerome/XORCISM

 2014-03-14 7:19 GMT+03:00 Michal Zalewski lcam...@coredump.cx:
 Nicholas,

 I remember my early years in the infosec community - and sadly,
 so do some of the more seasoned readers of this list :-) Back then, I
 thought that the only thing that mattered was the ability to find bugs.
 But after some 18 years in the industry, I now know that there's
 an even more important and elusive skill.

 That skill boils down to having a robust mental model of what
 constitutes a security flaw - and being able to explain your
 thinking to others in a precise and internally consistent manner that
 convinces others to act.

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Alfredo Ortega
Oh and this guy Shadown seems pretty knowledgeable too.

BTW, now I have to read what this is about, let's see...

Alright, from TFA:

That means that a door was open for anyone to upload any file of
choice. Whether this is a security vulnerability or not, I will leave
that to your discretion

Not even you are sure this is a real vulnerability. It is not.



On 03/14/2014 03:36 PM, Alfredo Ortega wrote:
 Mario has years of experience (more than 10 in fact) in exploit writing
 and vulnerability assessment. I would consider his position on the subject.
 
 If you don't believe me, Argentina extended me certifications that
 prove that I can tell who has vulnerability assessment skills and who
 does not.
 
 If you don't believe in Argentina, you should know the ONU accepts it as
 a sovereign independent country.
 
 That is the complete certificate chain proving you that Mario is not an
 idiot as you inferred.
 
 Best regards,
 
 Alfred
 
 
 On 03/14/2014 10:50 AM, Sergio 'shadown' Alvarez wrote:
 Dear Nicholas Lemonias,

 I don't usually get into these scrappy discussions, but yeah, you are on a
 completely different level if you compare yourself with Mario.
 You are definitely a Web app/metasploit-user guy and pick up a discussion
 with a binary and memory corruption ninja exploit writer like Mario. You
 should know your place and shut up. Period.

 Btw, if you dare to discuss with a beast like lcamtuf, you are definitely
 out of your mind.

 Cheers,
   Sergio.
 -- Sergio

 On Mar 14, 2014, Nicholas Lemonias. lem.niko...@googlemail.com wrote:
 We are on a different level perhaps. We do certainly disagree on those
 points.
 I wouldn't hire you as a consultant if you can't tell if that is a
 valid vulnerability.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Alfredo Ortega
If he can change the mime type, then he indeed may have an attack
vector, e.g. he could upload a complete youtube-lookalike site and
snatch credentials. If you can access the fake site via HTTPS with a
youtube cert, it's an obvious vulnerability.



On 03/14/2014 07:05 AM, Mario Vilas wrote:
 You're still missing the attack vector (and the point of the discussion
 too, but that's painfully obvious).
 
 
 On Fri, Mar 14, 2014 at 4:21 AM, Nicholas Lemonias. 
 lem.niko...@googlemail.com wrote:
 

 Here's my evidence.

 Live Proof Of Concept
 ==

 http://upload.youtube.com/?authuser=0upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw



 {sessionStatus:{state:FINALIZED,externalFieldTransfers:[{name:file,status:COMPLETED,bytesTransferred:113,bytesTotal:113,formPostInfo:{url:
 http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000
 ,cross_domain_url:
 http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw},content_type:text/x-sh}],additionalInfo:{uploader_service.GoogleRupioAdditionalInfo:{completionInfo:{status:SUCCESS,customerSpecificInfo:{status:
 ok, video_id:
 KzKDtijwHFI,upload_id:AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw}}

 The above proof of concept demonstrates:

 1. We have bypassed the security controls in Youtube and uploaded an
 unexpected file type.
 2. The file is persistent and has not been deleted by YouTube.
 3. It can be queried for information since it is assigned a unique
 upload_id.
 4. It's successfully uploaded to youtube.com. As you can see, it gives out
 the total bytes written to the remote network.
 5. content_type:text/x-sh}] --- The file is a shell
 script named 'file'.
 6. It can be enumerated by a non-authenticated user, remotely.
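An added example, not code from any poster in this thread: the server-side allowlisting Jerome recommends against CWE-434 (declared type, extension and magic bytes must agree), checked against a constructed upload resembling the text/x-sh one in the PoC, plus fixed serving headers addressing the mime-type point Alfredo raises. The accepted types, the sample bytes and all function names are assumptions for illustration.

```python
# Added example, not code from any poster in this thread: an upload allowlist
# (CWE-434 mitigation, the "white listing" Jerome mentions) plus fixed
# response headers so a stored file is never served with a client-chosen type.
from dataclasses import dataclass

# Allowlisted declared types -> (permitted extensions, magic-byte check).
# These two container types are assumptions chosen for illustration.
def _is_mp4(data: bytes) -> bool:
    return len(data) >= 12 and data[4:8] == b"ftyp"

def _is_webm(data: bytes) -> bool:
    return data.startswith(b"\x1a\x45\xdf\xa3")

ALLOWED = {
    "video/mp4": ({"mp4", "m4v"}, _is_mp4),
    "video/webm": ({"webm"}, _is_webm),
}

@dataclass
class Verdict:
    accepted: bool
    reason: str

def validate_upload(declared_type: str, filename: str, data: bytes) -> Verdict:
    """Accept only allowlisted types whose extension and magic bytes agree."""
    entry = ALLOWED.get(declared_type)
    if entry is None:  # e.g. text/x-sh is not on the list, so it is refused
        return Verdict(False, f"content type not allowlisted: {declared_type}")
    exts, magic_ok = entry
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in exts:
        return Verdict(False, f"extension {ext!r} not permitted for {declared_type}")
    if not magic_ok(data):  # the client-declared type is untrusted; sniff the bytes
        return Verdict(False, "payload does not match declared type")
    return Verdict(True, "ok")

def serving_headers(stored_type: str) -> dict:
    """Serve stored uploads with a server-chosen type and browser sniffing disabled."""
    return {
        "Content-Type": stored_type if stored_type in ALLOWED else "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }

# Constructed samples: a shell-script body like the PoC, and a minimal MP4 header.
SCRIPT = b"#!/bin/sh\necho uploaded\n"
MP4_SAMPLE = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
```

Serving uploads from a separate origin, with these headers, keeps a stored file from being rendered as a page of the main site even if validation is later bypassed.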

