
Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google



<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Agree with Michal,<br>
<br>
In the end you achieve code execution with an XSS as well; it's just in 
the DOM.<br>
Depending on the attack surface, browser type and so on, this can be 
devastating.<br>
<br>
I bet you remember the XSS on the Amazon EC2 web interface, which combined 
with XSRF led to stealing X.509 certificates and so on :D<br>
<br>
Cheers<br>
antisnatchor<br>
<br>
<blockquote style="border: 0px none;" 
cite="mid:CALx_OUBYeU1Sq_CxtLeZAcm9UavYOok=-g-Ye7UmbhJVb-gBNQ@xxxxxxxxxxxxxx"
 type="cite">
  <div style="margin-left:40px"><hr style="border:none 0;border-top:1px 
dotted #B5B5B5;height:1px;margin:0;" class="__pbConvHr"><br></div>
  <table style="padding-top: 5px;" class="__pbConvTable">
<tbody><tr><td style="padding-top:4px;" valign="top"><img 
src="cid:part1.08030100.08050306@gmail.com" 
photoaddress="lcamtuf@xxxxxxxxxxx" photoname="Michal Zalewski" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></td><td 
style="padding-left:5px;" valign="top"><a moz-do-not-send="true" 
href="mailto:lcamtuf@xxxxxxxxxxx" style="color:#2057EF 
!important;text-decoration:none !important;">Michal Zalewski</a><br><font
 color="#888888">January 27, 2013 7:17 PM</font></td></tr></tbody>
  </table>
  <div style="color:#888888;margin-left:35px;" __pbrmquotes="true" 
class="__pbConvBody"><br><div class="gmail_quote"><blockquote 
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" 
class="gmail_quote">OGMMM WTFF 0DAY XSS<br>Sorry, getting a bit tired of
 these.</blockquote><div><br></div><div>Well, the world is changing. You
 can probably do a lot more direct damage with a (legit) XSS in a 
high-value site than with a local privilege escalation in sudo.</div>

<div><br></div><div>XSS reports are less actionable for the average 
reader, but full disclosure is probably still beneficial, in that it 
provides data points about the types of flaws a particular vendor 
happens to have, and the speed and quality of the deployed fixes.</div>

<div><br></div><div>Of course, many of the XSS reports in <a 
moz-do-not-send="true" href="http://knorr.com">knorr.com</a> and 
similarly exciting destinations are 
zzzzzzzzzz...</div><div><br></div><div>/mz</div></div>

<div>_______________________________________________<br>Full-Disclosure -
 We believe in it.<br>Charter: 
<a class="moz-txt-link-freetext" 
href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted
 and 
sponsored by Secunia - <a class="moz-txt-link-freetext" 
href="http://secunia.com/">http://secunia.com/</a></div><hr style="border: none 
0;border-top:1px dotted #B5B5B5;height:1px;margin:15px 0 0 0;" 
class="__pbConvHr"><br></div>
  <table style="padding-top: 5px;" class="__pbConvTable">
<tbody><tr><td style="padding-top:4px;" valign="top"><img 
src="cid:part1.08030100.08050306@gmail.com" 
photoaddress="elfius@xxxxxxxxx" photoname="Elfius" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></td><td 
style="padding-left:5px;" valign="top"><a moz-do-not-send="true" 
href="mailto:elfius@xxxxxxxxx" style="color:#2057EF 
!important;text-decoration:none !important;">Elfius</a><br><font 
color="#888888">January 25, 2013 11:56 PM</font></td></tr></tbody>
  </table>
  <div style="color:#888888;margin-left:35px;" __pbrmquotes="true" 
class="__pbConvBody"><br>OGMMM WTFF 0DAY XSS<br><br>Sorry, getting a bit
 tired of these.<div><br><br></div>

<hr style="border: none 0;border-top:1px dotted #B5B5B5;height:1px;margin:15px 0 0 0;" class="__pbConvHr"><br></div>
  <table style="padding-top: 5px;" class="__pbConvTable">
<tbody><tr><td style="padding-top:4px;" valign="top"><img 
src="cid:part1.08030100.08050306@gmail.com" 
photoaddress="antrax.bt@xxxxxxxxx" photoname="ANTRAX" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></td><td 
style="padding-left:5px;" valign="top"><a moz-do-not-send="true" 
href="mailto:antrax.bt@xxxxxxxxx" style="color:#2057EF 
!important;text-decoration:none !important;">ANTRAX</a><br><font 
color="#888888">January 25, 2013 3:50 PM</font></td></tr></tbody>
  </table>
  <div style="color:#888888;margin-left:35px;" __pbrmquotes="true" 
class="__pbConvBody"><br>Gynvael Coldwind, I know this and I posted a 
reply in Underc0de about that.<br><br><a moz-do-not-send="true" 
href="http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/">http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/</a><br>

<br>It isn't a critical bug but, despite that, this shouldn't 
happen.<br><br>Thanks
 all!<br><div><br>---<br>Best Regards<br><b>ANTRAX</b><br>

<br></div>
<br><br><br>

<hr style="border: none 0;border-top:1px dotted #B5B5B5;height:1px;margin:15px 0 0 0;" class="__pbConvHr"><br></div>
  <table style="padding-top: 5px;" class="__pbConvTable">
<tbody><tr><td style="padding-top:4px;" valign="top"><img 
src="cid:part1.08030100.08050306@gmail.com" 
photoaddress="gynvael@xxxxxxxxxxx" photoname="Gynvael Coldwind" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></td><td 
style="padding-left:5px;" valign="top"><a moz-do-not-send="true" 
href="mailto:gynvael@xxxxxxxxxxx" style="color:#2057EF 
!important;text-decoration:none !important;">Gynvael Coldwind</a><br><font
 color="#888888">January 25, 2013 1:24 PM</font></td></tr></tbody>
  </table>
  <div style="color:#888888;margin-left:35px;" __pbrmquotes="true" 
class="__pbConvBody"><br><div dir="ltr">Hey ANTRAX,<div><br></div><div 
style="">JZ is correct, even in the template view the script is still 
executed only in the *.<a moz-do-not-send="true" 
href="http://blogspot.com">blogspot.com</a> context, and not in the 
context of <a moz-do-not-send="true" href="http://blogger.com">blogger.com</a>
 - look at your first screenshot - it's clearly said there that the 
alert box popped up on *.<a moz-do-not-send="true" 
href="http://blogspot.com">blogspot.com</a>.</div>

<div style=""><br></div><div style="">It's good to always 
alert(document.domain) to be sure of the context in which the script is 
executed.</div><div style="">As you know, a script executing in the 
context of the cookieless *.<a moz-do-not-send="true" 
href="http://blogspot.com">blogspot.com</a> cannot interact with or steal 
cookies from the <a moz-do-not-send="true" href="http://blogger.com">blogger.com</a>
 domain.</div>

<div style=""><br></div><div style="">So, to repeat what JZ already said
 - this is by design, it's not a bug, and no, you cannot attack an admin
 this way (unless you found some other way to execute that script in the
 context of <a moz-do-not-send="true" href="http://blogger.com">blogger.com</a>
 - in such a case try reporting it again).</div>

<div style=""><br></div><div style="">Cheers,</div><div style="">Gynvael
 Coldwind</div><div style=""><br></div><div class="gmail_extra"><br><br><br><br
 clear="all"><div><br></div>-- <br>gynvael.coldwind//vx
</div></div>

<hr style="border: none 0;border-top:1px dotted #B5B5B5;height:1px;margin:15px 0 0 0;" class="__pbConvHr"><br></div>
  <table style="padding-top: 5px;" class="__pbConvTable">
<tbody><tr><td style="padding-top:4px;" valign="top"><img 
src="cid:part1.08030100.08050306@gmail.com" 
photoaddress="antrax.bt@xxxxxxxxx" photoname="ANTRAX" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></td><td 
style="padding-left:5px;" valign="top"><a moz-do-not-send="true" 
href="mailto:antrax.bt@xxxxxxxxx" style="color:#2057EF 
!important;text-decoration:none !important;">ANTRAX</a><br><font 
color="#888888">January 22, 2013 12:11 AM</font></td></tr></tbody>
  </table>
  <div style="color:#888888;margin-left:35px;" __pbrmquotes="true" 
class="__pbConvBody"><br>I know JZ, but this vulnerability is in the 
post and not in the template.<br>And this could be generated by a blogger 
and affect the administrator!<br>The blogger can edit, but isn't an admin.
 If the blogger posts some script, this affects the administrator.<br>

<br clear="all"><div><br>---<br>Kind Regards<br><b>ANTRAX</b><br><a
 moz-do-not-send="true" target="_blank" 
href="http://www.antrax-labs.org">www.antrax-labs.org</a><br></div>
<br><br><br>

</div>
</blockquote>
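<p>Added example, not part of the thread or of any Blogger code: the two checks behind Gynvael's point that a script running on *.blogspot.com is neither same-origin with blogger.com nor able to read blogger.com cookies. It goes slightly beyond the thread by implementing the general rules (the same-origin tuple of scheme, host and port, and RFC 6265 cookie domain matching) rather than only the blogspot/blogger case. The URLs, the cookie name and its attributes are constructed sample values, and <code>assessXssContext</code> is a hypothetical triage helper.</p>

```javascript
// Added example (not from the thread): where does an injected script actually
// run, relative to the application whose session an attacker would care about?
// Sample URLs and cookie attributes below are constructed, not real Blogger values.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as the same-origin policy compares it: scheme, host and port.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 section 5.1.3 domain matching. A cookie without a Domain attribute
// is host-only (exact host match). A cookie with Domain=example.com is sent to
// example.com and to any host ending in ".example.com"; "evilexample.com" is
// not a match because the boundary dot is required.
function cookieDomainMatches(cookieDomain, hostOnly, requestHost) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  if (hostOnly) return host === dom;
  return host === dom || host.endsWith("." + dom);
}

// Hypothetical triage helper: executionUrl is where alert(document.domain)
// fired, targetUrl is the application whose DOM and session are the concern,
// sessionCookie describes how that application's session cookie is scoped.
function assessXssContext(executionUrl, targetUrl, sessionCookie) {
  const execHost = new URL(executionUrl).hostname;
  const isSameOrigin = sameOrigin(executionUrl, targetUrl);
  const cookiesVisible = cookieDomainMatches(
    sessionCookie.domain, sessionCookie.hostOnly, execHost);
  return {
    executionOrigin: originOf(executionUrl),
    targetOrigin: originOf(targetUrl),
    sameOrigin: isSameOrigin,
    targetCookiesReadable: cookiesVisible,
    verdict: isSameOrigin
      ? "script runs in the sensitive origin: treat as a real XSS"
      : "script runs outside the sensitive origin: no direct access to its DOM or cookies",
  };
}

// Constructed sample: a session cookie scoped to blogger.com (Domain attribute
// set, so not host-only). The name is a placeholder.
const BLOGGER_SESSION = { name: "SESSION_SAMPLE", domain: "blogger.com", hostOnly: false };

// Case from the thread: the alert popped on a *.blogspot.com blog page.
const blogspotCase = assessXssContext(
  "https://victim-blog.blogspot.com/2013/01/post.html",
  "https://www.blogger.com/home",
  BLOGGER_SESSION);

// Contrast: the same script executing on a blogger.com page.
const bloggerCase = assessXssContext(
  "https://www.blogger.com/blogger.g?blogID=1",
  "https://www.blogger.com/home",
  BLOGGER_SESSION);

console.log(blogspotCase);
console.log(bloggerCase);
```

<p>The point for triage is the second field of each result: a report whose screenshot shows <code>document.domain</code> as a blogspot.com host fails both checks against blogger.com, which is exactly why the thread calls it by design rather than a bug, while the same payload on a blogger.com page passes both and is worth a fix.</p>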
</body></html>

