Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC

2014-03-19 Thread Leutnant Steiner
http://thehackernews.com/2014/03/watch-out-scammers-targeting-google.html


2014-03-17 20:44 GMT+01:00 The Doctor dr...@virtadpt.net:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 On 03/15/2014 02:52 PM, Stefan Jon Silverman wrote:
  Running ... out ... of ... popcorn -- must .. resupply ...

 While this inspiring and amusing thread has been going on, what
 happened that we missed because we were too busy watching the fur fly?

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/





Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC

2014-03-18 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 03/15/2014 02:52 PM, Stefan Jon Silverman wrote:
 Running ... out ... of ... popcorn -- must .. resupply ...

While this inspiring and amusing thread has been going on, what
happened that we missed because we were too busy watching the fur fly?

- -- 
The Doctor [412/724/301/703] [ZS]

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

IHOP: The world's largest, most popular goth club.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREKAAYFAlMnUIoACgkQO9j/K4B7F8H9qACg206K0zsz7Eyv7Whu7UUB3zkn
lNEAnjuoLXknIuKXFrVQwhPFJmjLx6ln
=wWkp
-END PGP SIGNATURE-



Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC

2014-03-16 Thread Thomas Williams
I signed onto this mailing list as an interested person in security - not to 
see everyone moan. We will all have differences in opinion and we should all 
respect that. This goes for everyone and I feel I speak for a lot of people 
here, everyone needs to grow up, and shut up.



Email scanned and verified safe. 

On 15 Mar 2014, at 13:43, Mario Vilas mvi...@gmail.com wrote:

 Sockpuppet much?
 
 
 On Sat, Mar 15, 2014 at 2:35 PM, M Kirschbaum pr...@yahoo.co.uk wrote:
 Gynvael Coldwind,
  
 What Alfred has reiterated is that this is a security vulnerability 
 irrespective of whether it qualifies for credit.
  
 It is an unusual one, but still a security vulnerability. Anyone who says 
 otherwise is blind, has little or no experience in hands on security, or 
 either has a different agenda.
  
 The obvious here is that Google dismissed it as a non-security issue which I 
 find rather sad and somewhat ridiculous.
  
 Even if we asked Andrew Tanenbaum about, I suspect his answers wouldn't be 
 much different.
  
 Rgds,
  
 
 On Saturday, 15 March 2014, 12:45, Gynvael Coldwind gynv...@coldwind.pl 
 wrote:
 Hey,
 
 I think the discussion digressed a little from the topic. Let's try to steer 
 it back on it. 
 
 What would make this a security vulnerability is one of the three standard 
 outcomes:
 
 - information leak - i.e. leaking sensitive information that you normally do 
 not have access to
 - remote code execution - in this case it would be:
 -- XSS - i.e. executing attacker provided JS/etc code in another user's 
 browser, in the context *of a sensitive, non-sandboxed* domain (e.g. 
 youtube.com)
 -- server-side code execution - i.e. executing attacker provided code on the 
 youtube servers
 - denial of service - I think we all agree this bug doesn't increase the 
 chance of a DoS; since you upload files that fail to be processed (so the 
 CPU-consuming re-encoding is never run) I would argue that this decreases the 
 chance of DoS if anything
 
 Which leaves us with the aforementioned RCE.
 
 I think we all agree that if Mr. Lemonias presents a PoC that uses the 
 functionality he discovered to, either:
 (A) display a standard XSS alert(document.domain) in a sensitive domain (i.e. 
 *.youtube.com or *.google.com, etc) for a different (test) user
 OR
 (B) execute code to fetch the standard /etc/passwd file from the youtube 
 server and send it to him,
 then we will be convinced that this is a vulnerability and will be satisfied by 
 the presented proof.
 
 I think that further discussion without this proof is not leading anywhere.
 
 
 One more note - in the discussion I noticed some arguments were being 
 justified or backed by saying "I am this, this and that, and have this many 
 years of experience", e.g. (the first one I could find):
 
 "have worked for Lumension as a security consultant for more than a decade."
 
 Please note that neither experience nor job title proves exploitability of 
 a *potential* bug. Working exploits do.
 
 
 That's it from me. I'm looking forward to seeing the RCE exploits (be it 
 client or server side).
 
 Kind regards,
 Gynvael Coldwind
 
 
 
 
 
 -- 
 “There's a reason we separate military and the police: one fights the enemy 
 of the state, the other serves and protects the people. When the military 
 becomes both, then the enemies of the state tend to become the people.”



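Gynvael's message quoted above draws the line at script running in a sensitive, non-sandboxed origin and affecting a different user. The following triage helper is an added example written for this page, not code from the thread, from Google or from any of the posters; the sensitive and sandboxed domain lists, the field names on the finding records and the sample findings are all constructed assumptions. Beyond the single youtube.com case in the text, it matches hosts only on a dot boundary, so that a look-alike host such as notyoutube.com is never counted as in scope.

```javascript
// Added example for the XSS criterion in the quoted message above.
// Both lists are assumptions for illustration, not Google's actual policy.
const SENSITIVE_DOMAINS = ["youtube.com", "google.com"];   // assumed list
const SANDBOXED_DOMAINS = ["googleusercontent.com"];       // assumed list

// True when `host` equals `domain` or is a subdomain of it. The match is made
// on a dot boundary only, so "notyoutube.com" does not match "youtube.com".
function isUnderDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Classify the origin in which attacker-controlled script was shown to run.
// Returns one of: "sensitive", "sandboxed", "out-of-scope", "invalid".
function classifyXssOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return "invalid";            // not a parseable absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "invalid";
  const host = url.hostname;
  // Sandboxed hosts are checked first so that a sandboxed subdomain is never
  // promoted to "sensitive" by a broader entry in SENSITIVE_DOMAINS.
  if (SANDBOXED_DOMAINS.some(d => isUnderDomain(host, d))) return "sandboxed";
  if (SENSITIVE_DOMAINS.some(d => isUnderDomain(host, d))) return "sensitive";
  return "out-of-scope";
}

// Does a reported finding meet the bar set in the message: script running in
// a sensitive origin, in the browser of a user other than the reporter?
// `finding` is a constructed record: { id, origin, victimIsDifferentUser }.
function meetsXssBar(finding) {
  return classifyXssOrigin(finding.origin) === "sensitive"
      && finding.victimIsDifferentUser === true;
}

// Constructed sample findings (hypothetical, not from the thread).
const SAMPLE_FINDINGS = [
  { id: 1, origin: "https://www.youtube.com",            victimIsDifferentUser: true },
  { id: 2, origin: "https://notyoutube.com",             victimIsDifferentUser: true },
  { id: 3, origin: "https://lh3.googleusercontent.com",  victimIsDifferentUser: true },
  { id: 4, origin: "https://accounts.google.com",        victimIsDifferentUser: false }, // self-XSS only
  { id: 5, origin: "javascript:alert(1)",                victimIsDifferentUser: true },
];

// Run every finding through the classifier and the bar check.
function triage(findings) {
  return findings.map(f => ({
    id: f.id,
    originClass: classifyXssOrigin(f.origin),
    meetsBar: meetsXssBar(f),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of triage(SAMPLE_FINDINGS)) console.log(row);
}
```

Of the five constructed findings only the first meets the bar: the look-alike host is out of scope, the sandboxed host carries none of the sensitive origin's cookies or session, the self-XSS affects no other user, and the javascript: pseudo-URL is not an origin at all.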

Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC

2014-03-16 Thread Exibar
LOL. boy oh boy you would have HATED the N3td3v years then...

I'm sure your delete key works doesn't it?

From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On
Behalf Of Thomas Williams
Sent: Saturday, March 15, 2014 10:44 AM
To: Mario Vilas
Cc: full-disclosure@lists.grok.org.uk; M Kirschbaum
Subject: Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google
vulnerabilities with PoC

I signed onto this mailing list as an interested person in security - not to
see everyone moan. We will all have differences in opinion and we should all
respect that. This goes for everyone and I feel I speak for a lot of people
here, everyone needs to grow up, and shut up.

Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC

2014-03-15 Thread Mario Vilas
You must be new.


On Sat, Mar 15, 2014 at 3:43 PM, Thomas Williams tho...@trwilliams.me.uk wrote:

 I signed onto this mailing list as an interested person in security - not
 to see everyone moan. We will all have differences in opinion and we should
 all respect that. This goes for everyone and I feel I speak for a lot of
 people here, everyone needs to grow up, and shut up.

-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC

2014-03-15 Thread Stefan Jon Silverman
Running ... out ... of ... popcorn -- must .. resupply ...

Regards,
Stefan

**
Stefan Jon Silverman - Founder / President
SJS Associates, N.A., Inc.
A Technology Strategy Consultancy
**
Cell 917 929 1668
s...@sjsinc.com eMail
www.sjsinc.com
**
Aim/Skype/GoogleIM: LazloInSF Twitter/Yahoo: sjs_sf
**
Weebles wobble but they don't fall down
**

On 3/15/2014 9:33 AM, Mario Vilas wrote:

 You must be new.

 On Sat, Mar 15, 2014 at 3:43 PM, Thomas Williams tho...@trwilliams.me.uk wrote:

 I signed onto this mailing list as an interested person in security - not to
 see everyone moan. We will all have differences in opinion and we should all
 respect that. This goes for everyone and I feel I speak for a lot of people
 here, everyone needs to grow up, and shut up.
