Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Pedro Ribeiro
On 16 Mar 2014 23:36, T Imbrahim timbra...@techemail.com wrote: The thread read Google vulnerabilities with PoC. From my understanding it was a RFI vulnerability on YouTube, and I voiced my support that this is a vulnerability. I also explained a JSON Hijacking case as a follow up, and you

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Mario Vilas
...@coredump.cx wrote: From: Michal Zalewski lcam...@coredump.cx To: timbra...@techemail.com Cc: pr...@yahoo.co.uk, full-disclosure full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC Date: Sat, 15 Mar 2014 10:59:40 -0700 A hacker exploits a JSON

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Mario Vilas
...@techemail.com Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski lcam...@coredump.cx, mvi...@gmail.com, gynv...@coldwind.pl Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC Date: Mon, 17 Mar 2014 09:24:08 + On 16 Mar 2014 23:36, T Imbrahim timbra...@techemail.com wrote

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread T Imbrahim
What drugs are you on Pedro Ribeiro I wonder...? I express my views, if you don't like don't watch them. Your responses so far have only been assy speculations so don't tell me I'm wrong, and please don't say things like that. I don't know who the other people are, but what is true in security I support.

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Gichuki John Chuksjonia
... ? Is the English language causing you ill effects? --- ped...@gmail.com wrote: From: Pedro Ribeiro ped...@gmail.com To: timbra...@techemail.com Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski lcam...@coredump.cx, mvi...@gmail.com, gynv...@coldwind.pl Subject: Re: [Full-disclosure] Fwd

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Joxean Koret
Hi, The only probable way of exploiting it I can see would be if the servers at Google where the files are uploaded would perform some specific tasks with such files that could result in exploiting a vulnerability in any of the used software (and this is something the discoverer failed to probe).

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread T Imbrahim
...@yahoo.es To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC Date: Mon, 17 Mar 2014 12:27:27 +0100 Hi, The only probable way of exploiting it I can see would be if the servers at Google where the files are uploaded would perform some specific tasks

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Źmicier Januszkiewicz
Especially considering that all three use Tor to post on the list. I wonder why. Other header/content details can be interesting as well... 2014-03-17 10:24 GMT+01:00 Pedro Ribeiro ped...@gmail.com: On 16 Mar 2014 23:36, T Imbrahim timbra...@techemail.com wrote: The thread read Google

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Mario Vilas
On Mon, Mar 17, 2014 at 2:25 PM, T Imbrahim timbra...@techemail.com wrote: I definitely would patch my computer if I discovered that somebody could upload files to my computer, even though I couldn't 'probe' them. 1) I don't think you understood the meaning of the word probe in this

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Pedro Ribeiro
On 17 Mar 2014 13:39, Źmicier Januszkiewicz ga...@tut.by wrote: Especially considering that all three use Tor to post on the list. I wonder why. Other header/content details can be interesting as well... Good catch, I didn't even remember checking the headers. Have a look at the comments

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Ulisses Montenegro
Let's try some scenarios and if those can be pulled out then I'd say it's safe to assume this is an issue: 1. Upload a webshell (in a war, php, asp[x], jsp or similar file) and have it executed by YouTube; 2. Upload a malicious file (pdf, swf, jar or similar file which exploits a known or unknown

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread Mario Vilas
On Mon, Mar 17, 2014 at 3:11 PM, Ulisses Montenegro ulisses.montene...@gmail.com wrote: Should YouTube restrict file uploads to known valid mime types? Sure, but that's only how you got the data in there to begin with. It's what happens after the data is in that will make all the difference.

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
@lists.grok.org.uk full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC Date: Sat, 15 Mar 2014 09:46:27 -0700 As a professional penetration tester, [...] The JSON service responds to GET requests, and there is a good chance that the service is also vulnerable

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC Date: Sat, 15 Mar 2014 10:59:40 -0700 A hacker exploits a JSON (javascript) object that has information of interest for example holding some values for cookies. A lot of times that exploits

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
security that way, there are other parties like NSA who welcome them happily. --- lcam...@coredump.cx wrote: From: Michal Zalewski lcam...@coredump.cx To: timbra...@techemail.com Cc: M Kirschbaum pr...@yahoo.co.uk, full-disclosure full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Nicholas Lemonias.
You are so incompetent.. If you want proof why don't you do it yourself? https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that the file is saved and processed. If you want to question it come up with your real name, stop hiding behind fake emails. Are you a Google employee? What's

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread M Kirschbaum
The thread starter is right about this. It is a vulnerability, and I think Google should start considering this. The JSON service responds to GET requests, and there is a good chance that the service is also vulnerable to JSON Hijacking attacks. As a professional penetration tester, I

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Colette Chamberland
Same here... It's like a train wreck, you know you shouldn't watch but it's just so damned entertaining at this point that I can't stop... Sent from my iPhone On Mar 14, 2014, at 2:46 PM, Yvan Janssens i...@yvanj.me wrote: Does anybody still have some popcorn left? They ran out of it

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread William Scott Lockwood III
It's amazing how much dumber I feel for having read your drivel. Please for the love of $deity stop posting to this list. -- W. Scott Lockwood III AMST Tech (SPI) GWB2009033817 http://www.shadowplayinternational.org/ There are four boxes to be used in defense of liberty: soap, ballot, jury, and

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Colette Chamberland
Omg please for the love of all things human STFU!!! Sent from my iPhone On Mar 15, 2014, at 12:43 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: If you wish to talk seriously about the problem, please send me an email privately. And we can talk about what we have found so far,

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Brian M. Waters
On 03/15/2014 02:26, Nicholas Lemonias. wrote: https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that the file is saved and processed. disclaimer Compared to probably most of the folks on this list, I have absolutely no idea what I'm

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread David H
Just curious; what universities have hired you as a lecturer? On Sat, Mar 15, 2014 at 1:09 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: You are too vague. Please keep this to a level. Thank you. *Best Regards,* *Nicholas Lemonias* *Advanced Information Security

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread antisnatchor
Btw, not sure if someone already mentioned it, but you are really reaching the level of MustLive. That's actually a big achievement. Congratz. I'm not sure if you got what lcamtuf is saying (I'm impressed he still takes time to reply to you), apparently not. You're still trying to convince us

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Mario Vilas
On Sat, Mar 15, 2014 at 5:43 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: People who do not have the facts have been, trying to attack the arguer, on the basis of their personal beliefs. Wow. I seriously can't tell if you're trolling or unbelievably narcissistic. Your work has

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Mario Vilas
That is not what this email says. You can't reply "Correct" to criticism and pretend it's praise. On Sat, Mar 15, 2014 at 6:11 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Correct. The mime type can be circumvented. We can confirm this to be a valid vulnerability. For the PoC's

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Alfred Beese
Some of the replies in this thread are very unfair to the original poster. I have read the news story and have thoroughly read the proof of concepts which in my opinion indicate that this is surely a security vulnerability. I have worked for Lumension as a security consultant for more than a

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Michal Zalewski
As a professional penetration tester, [...] The JSON service responds to GET requests, and there is a good chance that the service is also vulnerable to JSON Hijacking attacks. That's... not how XSSI works. To have a script inclusion vulnerability, you need to have a vanilla GET response

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Michal Zalewski
A hacker exploits a JSON (javascript) object that has information of interest, for example holding some values for cookies. A lot of times that exploits the same origin policy. The JSON object returned from a server can be forged by overwriting the javascript function that creates the object. This

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Michal Zalewski
Is this treated with the same way that says that Remote File Inclusion is not a security issue ? I'm not sure how RFI came into play on this thread - the original report wasn't about RFI. I don't have an agenda here; I'm just trying to get to the bottom of it and make sure that we converge on

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-15 Thread Michal Zalewski
The thread read Google vulnerabilities with PoC. From my understanding it was a RFI vulnerability on YouTube, and I voiced my support that this is a vulnerability. I don't think this is accurate, at least based on the standard definition of RFI: a server-side scripting language - usually

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Sergio 'shadown' Alvarez
I will, it's late here, but I'm enjoying the show way too much. xD Instead of discussing, why don't you show a client side attack with that thing that you call a vulnerability and make everyone shut up? Oh wait... because you can't! ;-) A fail has a thousand excuses, but success doesn't require

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Enough with this thread. On Fri, Mar 14, 2014 at 2:37 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: I am too busy researching satellite security. Been doing that since the times of TESO, probably before you were born. Have a good night's sleep. On Fri, Mar 14, 2014 at 2:33 PM,

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread antisnatchor
LOL you're hopeless. Good luck with your business. Brave customers! Cheers antisnatchor Nicholas Lemonias. wrote: People can read the report if they like. Can't you even do basic things like reading a vulnerability report? Can't you see that the advisory is about writing arbitrary files.

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
-- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.com wrote: LOL you're

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread antisnatchor
...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com mailto:antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Ulisses Montenegro
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.com wrote: LOL you're hopeless. Good luck

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Mike Hale
: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.com wrote: LOL you're hopeless. Good luck

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
customers are FTSE 100. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread antisnatchor
at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com mailto:antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.com wrote: LOL you're hopeless. Good luck with your business

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
: Says the script kiddie... Beg for some publicity. My customers are FTSE 100. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Jerome of McAfee has made a very valid point on revisiting separation of duties in this security instance. Remote code execution by Social Engineering is also a prominent scenario. If you can't tell that that is a vulnerability (probably coming from a bunch of CEH's), I feel sorry for those

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Laughing at the incompetency of some people, who wish to discredit OWASP and their reports. Say that to any serious professional, and they will laugh at you. Writing arbitrary files to a remote network is a serious risk, irrelevantly of how good and reputable that service is. Best,

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
We have many PoC's including video clips. We may upload for the security world to see. However, this is not the way to treat security vulnerabilities. Attacking the researcher and bringing your friends to do so as well, won't mitigate the problem.

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Google research not awarded. http://www.techworm.net/2014/03/security-research-finds-flaws-in.html ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia -

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
You are wrong, because we do have proof of concepts. If we didn't have them, then there would be no case. But if there are video clips, images demonstrating impact - in which case arbitrary file uploads (which is a write() call) to a remote network, then it is a vulnerability. It is not about

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
We are not asking for a payment. But at least a thank you for our efforts would do. Saying that it is not an issue, to upload remotely any file of choice, that is ridiculous for the organisation they represent. On Fri, Mar 14, 2014 at 7:09 PM, Nicholas Lemonias. lem.niko...@googlemail.com

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
And I am not referring just to Google. But for those people who support that remote uploads to a trusted network is not an issue. Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network through http... As for the uploaded files being persistent, there is evidence of that. For instance a remote admin

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
It is an example, citing that there has been a security hole on Youtube that needs patching. End of Story. On Fri, Mar 14, 2014 at 7:32 PM, Julius Kivimäki julius.kivim...@gmail.com wrote: Wait, so remote code execution by social engineering wasn't a troll? I'm confused. 2014-03-14 21:28

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
http://upload.youtube.com/?authuser=0upload_id= AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1-- uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin= CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw That information can be queried from the db, where the metadata are

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
My claim is now verified Cheers! On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: http://upload.youtube.com/?authuser=0upload_id= AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1-- uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
So you can query a file that I uploaded, and you can see that it is uploaded successfully and saved. That information does not require the user to be logged in. On Fri, Mar 14, 2014 at 8:08 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: My claim is now verified Cheers! On Fri,

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
You are trying to execute an sh script through a video player. That's an exec() command. So it's the wrong way about accessing the file. On Fri, Mar 14, 2014 at 8:20 PM, R D rd.secli...@gmail.com wrote: No it's not. As Chris and I are saying, you don't have proof your file is accessible to

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Are you sure this json response, or this file, will be there in a month? Or in a year? Is the fact that this json response exists a threat to youtube? Can you quantify how much of a threat? How much, in dollars, does it hurt their business? This file may be here if the admins don't delete it. Now they

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
So where do you think that information is coming from? The metadata and tags, and headers are contained in a database. The files are stored persistently, since they can be quoted. So the API works both ways. The main thing here is that the files are there, otherwise their metadata information

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
In my expertise, that is a vulnerability. Now if Google doesn't want to fix patch that, it's their choice. However I have already disclosed that to them. On Fri, Mar 14, 2014 at 8:25 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: So where do you think that information is coming

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.com wrote: LOL you're hopeless. Good

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
So if you can upload a file to Google Drive and trick someone to run it, you'd call that a vulnerability too? Hey, I've got another one. I can upload a video on Youtube telling people to download and install a virus. I'll claim a prize too! Keep at it man, you're hilarious! xDDD /me goes grab

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
Please provide an attack scenario. Can you do that? On Fri, Mar 14, 2014 at 9:23 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Are you sure this json response, or this file, will be there in a month? Or in a year? Is the fact that this json response exists a threat to youtube?

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Julius Kivimäki
. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Thomas MacKenzie
You have a Googlemail account. How do we know you don't work for Google too... Inception type stuff going on here. Nicholas Lemonias. 14 March 2014 18:17 Google is a great service, but according to our proof of concepts (images, poc's, codes) presented to Softpedia,

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Krzysztof Kotowicz
Nicholas, seriously, just stop. You have found an 'arbitrary file upload' in a file hosting service and claim it is a serious vulnerability. With no proof that your 'arbitrary file' is being used anywhere in any context that would lead to code execution - on server or client side. You cite OWASP

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread J. Tozo
congrats for your discovery, get your prize On Fri, Mar 14, 2014 at 3:56 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Google research not awarded. http://www.techworm.net/2014/03/security-research-finds-flaws-in.html

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Krzysztof Kotowicz
Care to report the same to Dropbox and Pastebin? It's a gold mine, you know... 2014-03-14 20:09 GMT+01:00 Nicholas Lemonias. lem.niko...@googlemail.com: You are wrong, because we do have proof of concepts. If we didn't have them, then there would be no case. But if there are video clips,

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Julius Kivimäki
Wait, so remote code execution by social engineering wasn't a troll? I'm confused. 2014-03-14 21:28 GMT+02:00 Nicholas Lemonias. lem.niko...@googlemail.com: Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread R D
Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network through http... well, if you are running a file upload system, or any webserver, you really should block any incoming

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Chris Thompson
Hi Nicholas, Again, you hypothesize that you are getting a response from the database, but you really don't know that. You have no idea what the code is doing behind the endpoint. upload.youtube.com is simply an endpoint that you are sending a request to and getting a response from - Can you

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread R D
No it's not. As Chris and I are saying, you don't have proof your file is accessible to others, only that it was uploaded. Now, you see, when you upload a video to youtube, you get the address where it will be viewable in the response. In your case:

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Yvan Janssens
Does anybody still have some popcorn left? They ran out of it in the tax free zone in here due to this thread... Kind regards, Yvan Janssens Sent from my PDA - excuse me for my brevity On 14 Mar 2014, at 18:40, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We have many PoC's

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread R D
I'm going to try to spell it out clearly. You don't have unrestricted file upload[1]. Keep in mind you're trying to abuse youtube, which is essentially a video file upload service. So the fact that you can upload files is not surprising. Now you're uploading non-video files. Cool. But not

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Chris Thompson
Hi Nikolas, Please do read (and understand) my entire email before responding - I understand your frustration trying to get your message across but maybe this will help. Please put aside professional pride for the time being - I know how it feels to be passionate about something yet have others

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Krzysztof Kotowicz
2014-03-14 20:28 GMT+01:00 Nicholas Lemonias. lem.niko...@googlemail.com: Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network through http... No, they are not

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread J. Tozo
Hey dude just give up! You can convince a lot of journalists without professional skills but if you can't convince Google or at least the community, then you're doing it wrong. By the way you can upload everything to youtube just tricking the file's magic number but you can't retrieve it back. So what?

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Go to sleep. You have absolutely no understanding of the vulnerability, nor do you have the facts. If you want a full report ask Softpedia, because we ain't releasing them. On Fri, Mar 14, 2014 at 8:39 PM, R D rd.secli...@gmail.com wrote: You are trying to execute an sh script through a video

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Happy trolling... On Fri, Mar 14, 2014 at 7:49 PM, R D rd.secli...@gmail.com wrote: Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network through http... well, if you

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Michal Zalewski
Oh, wow :-) To put things in perspective, it probably helps to understand that virtually all video hosting sites perform batch, queue-based conversions of uploaded content. There is a good reason for this design: video conversions are extremely CPU-intensive - and an orderly, capped-throughput

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
If you wish to talk seriously about the problem, please send me an email privately. And we can talk about what we have found so far, and perhaps present some more proof of concepts for this ongoing research. This is between the researcher and Google. People who do not have the facts have been,

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
You are too vague. Please keep this to a level. Thank you. *Best Regards,* *Nicholas Lemonias* *Advanced Information Security Corporation.* On Sat, Mar 15, 2014 at 5:06 AM, Colette Chamberland cjchamberl...@gmail.com wrote: Omg please for the love of all things human STFU!!! Sent from

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Correct. The mime type can be circumvented. We can confirm this to be a valid vulnerability. For the PoC's: http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml On Fri, Mar 14, 2014 at 8:40 PM, Krzysztof Kotowicz