Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
- To: "Nicholas Lemonias." <lem.nikolas@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
- From: Thomas MacKenzie <thomas@xxxxxxxxxxxx>
- Date: Fri, 14 Mar 2014 18:26:41 +0000
<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
You have a Googlemail account. How do we know you don't work for Google
too...<br>
<br>
Inception type stuff going on here.<br>
<blockquote style="border: 0px none;"
cite="mid:CA+CewVA5+3Z8UJPMYOy-v-bVkK8x5rY7dJt_X254Agt8=zg0AA@xxxxxxxxxxxxxx"
type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="lem.nikolas@xxxxxxxxxxxxxx" photoname="Nicholas
Lemonias." src="cid:part1.03010601.07010203@tmacuk.co.uk"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:lem.nikolas@xxxxxxxxxxxxxx"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Nicholas Lemonias.</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">14 March 2014
18:17</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><div>Google is a
great service, but according to our proof of concepts (images, PoCs,
codes) presented to Softpedia, and verified</div><div>by a couple of
recognised experts including OWASP - that was a serious vulnerability.</div>
<div> </div><div>Now you can say whatever you like, and argue about it.
You can argue about the impact and whatsoever, but that's not the way
to deal with security issues. </div></div><div class="gmail_extra"><br><br>
<br></div>
<div>_______________________________________________<br>Full-Disclosure -
We believe in it.<br>Charter:
<a class="moz-txt-link-freetext"
href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted
and
sponsored by Secunia - <a class="moz-txt-link-freetext"
href="http://secunia.com/">http://secunia.com/</a></div></div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="lem.nikolas@xxxxxxxxxxxxxx" photoname="Nicholas
Lemonias." src="cid:part1.03010601.07010203@tmacuk.co.uk"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:lem.nikolas@xxxxxxxxxxxxxx"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Nicholas Lemonias.</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">14 March 2014
18:13</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><div>Security
vulnerabilities need to be published and reported. That's the
spirit.</div><div> </div><div>Attacking
the researcher won't make it go away.</div></div><div
class="gmail_extra"><br><br>
<br></div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="mvilas@xxxxxxxxx" photoname="Mario Vilas"
src="cid:part4.02040405.00090109@tmacuk.co.uk"
name="postbox-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:mvilas@xxxxxxxxx"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Mario Vilas</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">14 March 2014
15:55</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><div
class="gmail_extra"><div class="gmail_quote">On Fri, Mar 14, 2014 at
12:38 PM, Nicholas Lemonias. <span dir="ltr"><<a
moz-do-not-send="true" target="_blank"
href="mailto:lem.nikolas@xxxxxxxxxxxxxx">lem.nikolas@xxxxxxxxxxxxxx</a>></span>
wrote:<br>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex" class="gmail_quote"><div dir="ltr"><div>Jerome
of McAfee has made a very valid point on revisiting separation
of
duties in this security instance. </div>
<div> </div><div>Happy to see more professionals with some skills.
Some
others have also mentioned the feasibility for Denial of Service
attacks. Remote code execution by Social Engineering is also a prominent
scenario.</div>
</div></blockquote><div><br></div><div>Actually, people have been
pointing out exactly the opposite. But if you insist on believing you
can DoS an EC2 by uploading files, good luck to you
then...</div><div> </div><blockquote
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"
class="gmail_quote"><div dir="ltr">
<div> </div><div>If you can't tell that that is a vulnerability
(probably coming from a bunch of CEHs), I feel sorry for those
consultants.</div></div></blockquote><div><br></div><div>You're the only
one throwing around certifications here. I can no longer tell if you're
being serious or this is a massive prank.</div>
<div> </div><blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex" class="gmail_quote"><div dir="ltr"><span
class="HOEnZb"><font
color="#888888"><div> </div><div>Nicholas.</div></font></span></div>
<div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br>
<br><div class="gmail_quote">On Fri, Mar 14, 2014 at 10:45 AM, Nicholas
Lemonias. <span dir="ltr"><<a moz-do-not-send="true" target="_blank"
href="mailto:lem.nikolas@xxxxxxxxxxxxxx">lem.nikolas@xxxxxxxxxxxxxx</a>></span>
wrote:<br><blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex" class="gmail_quote"><div dir="ltr"><div
class="gmail_extra">We are on a different level perhaps. We do certainly
disagree on those points.</div><div class="gmail_extra">I wouldn't hire
you as a consultant, if you can't tell if that is a valid
vulnerability.</div>
<div class="gmail_extra"> </div><div class="gmail_extra"> </div><div
class="gmail_extra">Best Regards,</div><div class="gmail_extra">Nicholas
Lemonias.</div><div><div><div class="gmail_extra"> </div><div
class="gmail_quote">
On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <span dir="ltr"><<a
moz-do-not-send="true" target="_blank"
href="mailto:mvilas@xxxxxxxxx">mvilas@xxxxxxxxx</a>></span>
wrote:<br>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote"><div dir="ltr">But do you have all the required EH
certifications? Try this one from the Institute for <div>
Certified Application Security Specialists: <a moz-do-not-send="true"
target="_blank" href="http://www.asscert.com/">http://www.asscert.com/</a></div>
<div class="gmail_extra"><div><div>
<br><br><div class="gmail_quote">On Fri, Mar 14, 2014 at 7:41 AM,
Nicholas Lemonias. <span dir="ltr"><<a moz-do-not-send="true"
target="_blank"
href="mailto:lem.nikolas@xxxxxxxxxxxxxx">lem.nikolas@xxxxxxxxxxxxxx</a>></span>
wrote:<br>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote"><div dir="ltr"><div>Thanks
Michal,</div><div> </div><div>
We are just trying to improve Google's security and contribute to the
research community after all. If you are still on EFNet give me a shout
some time.</div>
<div>
</div><div> We have done so and consulted to hundreds of
clients
including Microsoft, Nokia, Adobe and some of the world's biggest
corporations. We are also strict supporters of the ACM code of
conduct.</div><div> </div>
<div>Regards,</div><div>Nicholas Lemonias.</div><div>AISec
</div></div><div><div><div
class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 14,
2014 at 6:29 AM, Nicholas Lemonias. <span dir="ltr"><<a
moz-do-not-send="true" target="_blank"
href="mailto:lem.nikolas@xxxxxxxxxxxxxx">lem.nikolas@xxxxxxxxxxxxxx</a>></span>
wrote:<br>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote"><div dir="ltr"><div>Hi
Jerome,</div><div> </div><div>Thank
you for agreeing on access control, and separation of duties. </div>
<div> </div><div>However, successful exploitation permits arbitrary
write() of any file of choice. </div>
<div> </div><div>I could release an exploit code in C Sharp or Python
that permits multiple file uploads of any file/types, if the Google
security team feels that this would be necessary. This is unpaid work,
so we are not so keen on that job. </div>
<div><code></code> </div></div><div><div><div
class="gmail_extra"><br><br><div
class="gmail_quote">On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <span
dir="ltr"><<a moz-do-not-send="true" target="_blank"
href="mailto:athiasjerome@xxxxxxxxx">athiasjerome@xxxxxxxxx</a>></span>
wrote:<br>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote">Hi<br>
<br>
I concur that we are mainly discussing a terminology problem.<br>
<br>
In the context of a Penetration Test or WAPT, this is a Finding.<br>
Reporting this finding makes sense in this context.<br>
<br>
As a professional, you would have to explain if/how this finding is a<br>
Weakness*, a Violation (/Regulations, Compliance, Policies or<br>
Requirements[1])<br>
* I would say Weakness + Exposure = Vulnerability. Vulnerability +<br>
Exploitability (PoC) = Confirmed Vulnerability that needs Business<br>
Impact and Risk Analysis<br>
<br>
So I would probably have reported this Finding as a Weakness (and not<br>
Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not<br>
Best Practice (your OWASP link and Cheat Sheets), and even if<br>
mitigative/compensative security controls (Ref Orange Book), security<br>
controls like white listing (or at least black listing. see also<br>
ESAPI) should be 1) part of the [1]security requirements of a proper<br>
SDLC (Build security in) as per Defense-in-Depth security principles<br>
and 2) used and implemented correctly.<br>
NB: A simple Threat Model (i.e. list of CAPEC) would be a solid<br>
support to your report<br>
This would help to evaluate/measure the risk (e.g. CVSS).<br>
Helping the decision/actions around this risk<br>
<br>
PS: interestingly, in this case, I'm not sure that the Separation of<br>
Duties security principle was applied correctly by Google in terms of<br>
Risk Acceptance (which could be another Finding)<br>
<br>
So in a few words, be careful with the terminology. (don't always say<br>
vulnerability like the media say hacker, see RFC1392) Use a CWE ID<br>
(e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)<br>
<br>
My 2 bitcents<br>
Sorry if it is not edible :)<br>
Happy Hacking!<br>
<br>
/JA<br>
<a moz-do-not-send="true" target="_blank"
href="https://github.com/athiasjerome/XORCISM">https://github.com/athiasjerome/XORCISM</a><br>
<br>
2014-03-14 7:19 GMT+03:00 Michal Zalewski <<a moz-do-not-send="true"
target="_blank"
href="mailto:lcamtuf@xxxxxxxxxxx">lcamtuf@xxxxxxxxxxx</a>>:<br>
<div><div>> Nicholas,<br>
><br>
> I remember my early years in the infosec community - and sadly, so
do<br>
> some of the more seasoned readers of this list :-) Back then, I<br>
> thought that the only thing that mattered is the ability to find
bugs.<br>
> But after some 18 years in the industry, I now know that there's an<br>
> even more important and elusive skill.<br>
><br>
> That skill boils down to having a robust mental model of what<br>
> constitutes a security flaw - and being able to explain your
thinking<br>
> to others in a precise and internally consistent manner that
convinces<br>
> others to act. We need this because the security of a system can't
be<br>
> usefully described using abstract terms: even the academic
definitions<br>
> ultimately boil down to saying "the system is secure if it doesn't
do<br>
> the things we *really* don't want it to do".<br>
><br>
> In this spirit, the term "vulnerability" is generally reserved for<br>
> behaviors that meet all of the following criteria:<br>
><br>
> 1) The behavior must have negative consequences for at least one of<br>
> the legitimate stakeholders (users, service owners, etc),<br>
><br>
> 2) The consequences must be widely seen as unexpected and
unacceptable,<br>
><br>
> 3) There must be a realistic chance of such a negative outcome,<br>
><br>
> 4) The behavior must introduce substantial new risks that go beyond<br>
> the previously accepted trade-offs.<br>
><br>
> If we don't have that, we usually don't have a case, no matter how<br>
> clever the bug is.<br>
><br>
> Cheers (and happy hunting!),<br>
> /mz<br>
><br>
</div></div><div><div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br
clear="all"><div><br></div></div></div><div>-- <br><span
style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse">“There's
a reason we separate military and the police: one fights the enemy of
the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the
people.”<br>
</span>
</div></div></div>
</blockquote></div><div
class="gmail_extra"><br></div></div></div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><span
style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse">“There's
a reason we separate military and the police: one fights the enemy of
the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the
people.”<br>
</span>
</div></div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="lem.nikolas@xxxxxxxxxxxxxx" photoname="Nicholas
Lemonias." src="cid:part1.03010601.07010203@tmacuk.co.uk"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:lem.nikolas@xxxxxxxxxxxxxx"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Nicholas Lemonias.</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">14 March 2014
11:38</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><div>Jerome of
McAfee has made a very valid point on revisiting separation of
duties
in this security instance. </div><div> </div><div>Happy to see more
professionals with some skills. Some others have also mentioned the
feasibility for Denial of Service attacks. Remote code execution by
Social Engineering is also a prominent scenario.</div>
<div> </div><div>If you can't tell that that is a vulnerability
(probably coming from a bunch of CEHs), I feel sorry for those
consultants.</div><div> </div><div>Nicholas.</div></div><div
class="gmail_extra"><br>
<br><br></div>
</div>
</blockquote>
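<div>Added example, not code from the thread or from any of its participants: Jerome Athias's point, quoted above, that the control for an upload finding of this kind (CWE-434) should be an allow list rather than a block list, shown as a small Python validator with the weak block-list check beside the allow-list one. The extensions, magic bytes, size limit and sample uploads are constructed for the illustration and are not taken from the reports discussed in the thread.</div>

```python
"""Allow list versus block list for file uploads (added example; all values constructed)."""
from dataclasses import dataclass
import os

# Weak control: a block list of "known bad" extensions. Anything not listed
# passes, so new or unusual types slip through and only the name is inspected.
BLOCKED_EXTENSIONS = {".exe", ".php", ".sh"}  # constructed list


def blocklist_check(filename: str) -> bool:
    """Return True when the name's extension is not on the block list."""
    _, ext = os.path.splitext(filename.lower())
    return ext not in BLOCKED_EXTENSIONS


# Stronger control: an allow list pairing each permitted extension with the
# leading bytes its content must carry, so name and content have to agree.
ALLOWED_TYPES = {  # constructed allow list of image types
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024  # constructed size limit


@dataclass
class Decision:
    accepted: bool
    reason: str


def allowlist_check(filename: str, data: bytes) -> Decision:
    """Accept only a bare file name with one allow-listed extension whose
    content starts with that type's magic bytes and fits the size limit."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return Decision(False, "path components not allowed")
    root, ext = os.path.splitext(base.lower())
    if not root or ext not in ALLOWED_TYPES:
        return Decision(False, f"extension {ext!r} not on allow list")
    if "." in root:  # reject stacked extensions such as name.php.png
        return Decision(False, "multiple extensions not allowed")
    if len(data) > MAX_BYTES:
        return Decision(False, "file exceeds size limit")
    if not data.startswith(ALLOWED_TYPES[ext]):
        return Decision(False, "content does not match declared type")
    return Decision(True, "ok")


# Constructed sample uploads: (file name, first bytes of the content).
SAMPLE_UPLOADS = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),  # genuine image
    ("script.php", b"<?php echo 1; ?>"),                   # blocked by both
    ("notes.html", b"<html></html>"),                      # unknown to the block list
    ("image.png", b"<?php echo 1; ?>"),                    # name and content disagree
    ("../config.png", b"\x89PNG\r\n\x1a\n"),               # path component in the name
]


def compare(samples=SAMPLE_UPLOADS) -> dict:
    """Map each sample name to (block-list verdict, allow-list verdict)."""
    return {
        name: (blocklist_check(name), allowlist_check(name, data).accepted)
        for name, data in samples
    }


if __name__ == "__main__":
    for name, (blocked_ok, allowed_ok) in compare().items():
        print(f"{name:15} block list: {blocked_ok!s:5} allow list: {allowed_ok}")
```

<div>The block list passes everything it has not heard of (notes.html) and trusts the name alone (image.png carrying non-image bytes), while the allow list rejects every unknown type by default and requires the declared type and the content to agree; the stacked-extension rule is deliberately strict and would also refuse a benign name such as my.photo.png, which is the kind of trade-off a security requirement in the SDLC should state explicitly.</div>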
</body></html>