Mailing List Archive

Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Please provide an attack scenario. Can you do that?



On Fri, Mar 14, 2014 at 9:23 PM, Nicholas Lemonias. <
lem.nikolas@googlemail.com> wrote:

> Are you sure this json response, or this file, will be there in a month?
> Or in a year? Is the fact that this json response exists a threat to
> youtube? Can you quantify how of a threat? How much, in dollars, does it
> hurt their business?
>
> This file may be here if the admins don't delete it. Now they may do ;@)
>
>
> So where do you think that information is coming from? The metadata and
> tags, and headers are contained in a database.
>
> The files are stored persistently , since they can be quoted. So the API
> works both ways. The main thing here is that the files are there, otherwise
> there metadata information would be deleted from the db aswell.
>
> http://gdata.youtube.com/demo/index.html?utm_source=
> twitterfeed&utm_medium=twitter
>
> Youtube DATA API is unique.. the commands can be send through that
> interface... So we do definitely know that that is coming from a database.
>
>
> On Fri, Mar 14, 2014 at 8:22 PM, Nicholas Lemonias. <
> lem.nikolas@googlemail.com> wrote:
>
>> You are trying to execute an sh script through a video player. That's an
>> exec() command. So its the wrong way about accessing the file.
>>
>>
>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists@gmail.com> wrote:
>>
>>> No it's not. As Chris and I are saying, you don't have proof your file
>>> is accessible to others, only that is was uploaded. Now, you see, when you
>>> upload a video to youtube, you get the adress where it will be viewable in
>>> the response. In your case :
>>>
>>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"
>>> http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000
>>> ","cross_domain_url":"
>>> http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":
>>> "ok", *"video_id": "KzKDtijwHFI"*
>>> }}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>> And what do we get when we browse to
>>> https://youtube.com/watch?v=KzKDtijwHFI ?
>>> Nothing.
>>> Can you send me a link where I can access the file content of the
>>> arbitrary file you uploaded?
>>> Are you sure this json response, or this file, will be there in a month?
>>> Or in a year? Is the fact that this json response exists a threat to
>>> youtube? Can you quantify how of a threat? How much, in dollars, does it
>>> hurt their business?
>>>
>>> --Rob
>>>
>>>
>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <
>>> lem.nikolas@googlemail.com> wrote:
>>>
>>>> My claim is now verified....
>>>>
>>>> Cheers!
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>> lem.nikolas@googlemail.com> wrote:
>>>>
>>>>> http://upload.youtube.com/?authuser=0&upload_id=
>>>>> AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
>>>>> uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=
>>>>> CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>
>>>>> That information can be queried from the db, where the metadata are
>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are
>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <
>>>>>> christhom7851@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Nikolas,
>>>>>>>
>>>>>>> Please do read (and understand) my entire email before responding -
>>>>>>> I understand your frustration trying to get your message across but maybe
>>>>>>> this will help.
>>>>>>>
>>>>>>> Please put aside professional pride for the time being - I know how
>>>>>>> it feels to be passionate about something yet have others simply not
>>>>>>> understand.
>>>>>>>
>>>>>>> Let me try and bring some sanity to the discussion and explain to
>>>>>>> you why people maybe not agreeing with you.
>>>>>>>
>>>>>>> You (rightly so) highlighted what you believe to be an issue in a
>>>>>>> Youtube whereby it appears (to you) than you can upload an arbitrary file.
>>>>>>> If you can indeed do this as you suspect then your points are valid and you
>>>>>>> "may" be able to cause various issues associated with it such as DOS etc -
>>>>>>> especially if the uploaded files cannot or are not tracked.
>>>>>>>
>>>>>>> However...
>>>>>>>
>>>>>>> Consider than you are talking to an API and what you are getting
>>>>>>> back (the JSON response) in your example is simply a response from the API
>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>
>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>> intact a valid movie and if not removes it.
>>>>>>>
>>>>>>> If you could for example demonstrate that the file was indeed
>>>>>>> persistent, by being able to retrieve it for example then again, you would
>>>>>>> have solid ground to claim an issue however your claims at this point are
>>>>>>> based on an assumption.... Let me explain.
>>>>>>>
>>>>>>> 1. You have demonstrated than you can send "any" file to an API and
>>>>>>> the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>
>>>>>>> 2. You / we don't know what Google do with files once they have been
>>>>>>> received from the API - maybe they process them and validate them - we
>>>>>>> simply don't know.
>>>>>>>
>>>>>>> 3. You have hypothesized that you can retrieve the file by
>>>>>>> manipulating tokens etc and you may be right, but you have not demonstrated
>>>>>>> it as such.
>>>>>>>
>>>>>>> Because of this, you seem to have made a CLAIM that you can upload
>>>>>>> arbitrary files to Google however SHOWN that you can simply send files to
>>>>>>> an API and an API responds in a certain way.
>>>>>>>
>>>>>>> I am NOT saying you haven't found an issue, what I am saying is that
>>>>>>> you need to demonstrate that the issue is real and thus can be abused. If
>>>>>>> the Google service simply verifies all uploaded files once they are
>>>>>>> uploaded and discards them if invalid, then you haven't really found
>>>>>>> anything.
>>>>>>>
>>>>>>> If you were to prove that you were able to retrieve this uploaded
>>>>>>> file then how could anyone dispute your bug.
>>>>>>>
>>>>>>> Hope this helps....
>>>>>>>
>>>>>>> Cheers!
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Hey dude just give up!

You can convince a lot of journalists without professional skills but if
you cant convince Google or at least the community, so you doing it wrong.
by the way you can upload everything to youtube just tricking the file's
magic number but you cant retrieve it back. so what?

How can you assure that your "proof" isnt just a log for the application?

If you have the expertise you said, i have a challenge to you:

http://upload.youtube.com/?authuser=0&upload_id=AEnB2Uox6eWMN_LyrVQZdsCdQkDezvvNwpthROQn1SRe7idjqRFiez7SKVMd1t-rkCb7_CalkGc2oOJmdrnfxho2FNQt5aIjQw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw

Its not a 3gp file, just has the magic number. if you retrieve the contents
of its file and show it to us. i will start agreeing with you that it can
be security issue.
otherwise stop annoyin everyone, get back to your desk and do your job.



On Fri, Mar 14, 2014 at 5:27 PM, Nicholas Lemonias. <
lem.nikolas@googlemail.com> wrote:

> In my expertise, that is a vulnerability.
>
> Now if Google doesn't want to fix patch that, it's their choice. However I
> have already disclosed that to them.
>
>
>
>
> On Fri, Mar 14, 2014 at 8:25 PM, Nicholas Lemonias. <
> lem.nikolas@googlemail.com> wrote:
>
>> So where do you think that information is coming from? The metadata and
>> tags, and headers are contained in a database.
>>
>> The files are stored persistently , since they can be quoted. So the API
>> works both ways. The main thing here is that the files are there, otherwise
>> there metadata information would be deleted from the db aswell.
>>
>> http://gdata.youtube.com/demo/index.html?utm_source=
>> twitterfeed&utm_medium=twitter
>>
>> Youtube DATA API is unique.. the commands can be send through that
>> interface... So we do definitely know that that is coming from a database.
>> That same video id can be queried through the above link. Having done so, I
>> confirmed that the information originate from a direct connection to the
>> db, where the data are stored.
>>
>>
>> On Fri, Mar 14, 2014 at 8:20 PM, Nicholas Lemonias. <
>> lem.nikolas@googlemail.com> wrote:
>>
>>> So where do you think that information is coming from? The metadata and
>>> tags, and headers are contained in a database.
>>>
>>> The files are stored persistently , since they can be quoted. So the API
>>> works both ways. The main thing here is that the files are there, otherwise
>>> there metadata information would be deleted from the db aswell.
>>>
>>>
>>> http://gdata.youtube.com/demo/index.html?utm_source=twitterfeed&utm_medium=twitter
>>>
>>> Youtube DATA API is unique.. the commands can be send through that
>>> interface... So we do definitely know that that is coming from a database.
>>>
>>>
>>> On Fri, Mar 14, 2014 at 8:16 PM, Chris Thompson <christhom7851@gmail.com
>>> > wrote:
>>>
>>>> Hi Nicholas,
>>>>
>>>> Again, you hypothesize that you are getting a response from the
>>>> database, but you really don't know that. You have no idea when the code is
>>>> doing behind the endpoint.
>>>>
>>>> upload.youtube.com is simple an endpoint that you are sending a
>>>> request to and getting a response from -
>>>>
>>>> Can you upload a ZIP file for example and then get that same ZIP file
>>>> from another machine? If you can do that, then who can question your bug.
>>>>
>>>> Again, i'm not trying to be a dick - just trying to help!
>>>>
>>>> Cheers...
>>>>
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 4:08 PM, Nicholas Lemonias. <
>>>> lem.nikolas@googlemail.com> wrote:
>>>>
>>>>> My claim is now verified....
>>>>>
>>>>> Cheers!
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=
>>>>>> AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
>>>>>> uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=
>>>>>> CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8t
>>>>>> dXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are
>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>
>>>>>>>
>>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>>
>>>>>>> That information can be queried from the db, where the metadata are
>>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <
>>>>>>> christhom7851@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Nikolas,
>>>>>>>>
>>>>>>>> Please do read (and understand) my entire email before responding -
>>>>>>>> I understand your frustration trying to get your message across but maybe
>>>>>>>> this will help.
>>>>>>>>
>>>>>>>> Please put aside professional pride for the time being - I know how
>>>>>>>> it feels to be passionate about something yet have others simply not
>>>>>>>> understand.
>>>>>>>>
>>>>>>>> Let me try and bring some sanity to the discussion and explain to
>>>>>>>> you why people maybe not agreeing with you.
>>>>>>>>
>>>>>>>> You (rightly so) highlighted what you believe to be an issue in a
>>>>>>>> Youtube whereby it appears (to you) than you can upload an arbitrary file.
>>>>>>>> If you can indeed do this as you suspect then your points are valid and you
>>>>>>>> "may" be able to cause various issues associated with it such as DOS etc -
>>>>>>>> especially if the uploaded files cannot or are not tracked.
>>>>>>>>
>>>>>>>> However...
>>>>>>>>
>>>>>>>> Consider than you are talking to an API and what you are getting
>>>>>>>> back (the JSON response) in your example is simply a response from the API
>>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>>
>>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>>> intact a valid movie and if not removes it.
>>>>>>>>
>>>>>>>> If you could for example demonstrate that the file was indeed
>>>>>>>> persistent, by being able to retrieve it for example then again, you would
>>>>>>>> have solid ground to claim an issue however your claims at this point are
>>>>>>>> based on an assumption.... Let me explain.
>>>>>>>>
>>>>>>>> 1. You have demonstrated than you can send "any" file to an API and
>>>>>>>> the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>>
>>>>>>>> 2. You / we don't know what Google do with files once they have
>>>>>>>> been received from the API - maybe they process them and validate them - we
>>>>>>>> simply don't know.
>>>>>>>>
>>>>>>>> 3. You have hypothesized that you can retrieve the file by
>>>>>>>> manipulating tokens etc and you may be right, but you have not demonstrated
>>>>>>>> it as such.
>>>>>>>>
>>>>>>>> Because of this, you seem to have made a CLAIM that you can upload
>>>>>>>> arbitrary files to Google however SHOWN that you can simply send files to
>>>>>>>> an API and an API responds in a certain way.
>>>>>>>>
>>>>>>>> I am NOT saying you haven't found an issue, what I am saying is
>>>>>>>> that you need to demonstrate that the issue is real and thus can be abused.
>>>>>>>> If the Google service simply verifies all uploaded files once they are
>>>>>>>> uploaded and discards them if invalid, then you haven't really found
>>>>>>>> anything.
>>>>>>>>
>>>>>>>> If you were to prove that you were able to retrieve this uploaded
>>>>>>>> file then how could anyone dispute your bug.
>>>>>>>>
>>>>>>>> Hope this helps....
>>>>>>>>
>>>>>>>> Cheers!
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



--
Grato,

J. Tozo
_
°v°
/(S)\ SLACKWARE
^ ^ Linux
_____________________
because it works
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Same here... It's like a train wreck, you know you shouldn't watch but it's just so damned entertaining at this point that I can't stop...



Sent from my iPhone

> On Mar 14, 2014, at 2:46 PM, Yvan Janssens <ik@yvanj.me> wrote:
>
> Does anybody still have some popcorn left?
>
> They ran out of it in the tax free zone in here due to this thread...
>
> Kind regards,
>
> Yvan Janssens
>
> Sent from my PDA - excuse me for my brevity
>
>> On 14 Mar 2014, at 18:40, "Nicholas Lemonias." <lem.nikolas@googlemail.com> wrote:
>>
>> We have many PoC's including video clips. We may upload for the security world to see.
>>
>> However, this is not the way to treat security vulnerabilities. Attacking the researcher and bringing you friends to do aswell, won't mitigate the problem.
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Go to sleep. You have absolutely no understanding of the vulnerability, nor
you have the facts.

If you want a full report ask Softpedia, because we aint releasing them.


On Fri, Mar 14, 2014 at 8:39 PM, R D <rd.seclists@gmail.com> wrote:

> >You are trying to execute an sh script through a video player. That's an
> exec() command.
> No, it's not. That's an HTTP GET. Do you have such a poor understanding of
> how web applications work? Or did you just not read what I said?
>
> >So its the wrong way about accessing the file.
> This way, which is the standard way to access files on youtube, tells me
> the file doesn't exist. You have yet to prove the file you uploaded can be
> accessed or executed by anyone. For that matter, you have still to prove it
> can be discovered by anyone. That URL is hard to guess.
> And you have still to answer all my other questions, and most of the
> questions asked to you on this list.
> The burden of proof is on you, and you are making a fool of yourself by
> answering all the questions here with the same statements, and links to
> your PoC that doesn't proves anything, while everybody asks you for more
> evidence.
> Keep on the (good?) work,
> --Rob'
>
>
> On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias. <
> lem.nikolas@googlemail.com> wrote:
>
>> You are trying to execute an sh script through a video player. That's an
>> exec() command. So its the wrong way about accessing the file.
>>
>>
>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists@gmail.com> wrote:
>>
>>> No it's not. As Chris and I are saying, you don't have proof your file
>>> is accessible to others, only that is was uploaded. Now, you see, when you
>>> upload a video to youtube, you get the adress where it will be viewable in
>>> the response. In your case :
>>>
>>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"
>>> http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000
>>> ","cross_domain_url":"
>>> http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":
>>> "ok", *"video_id": "KzKDtijwHFI"*
>>> }}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>> And what do we get when we browse to
>>> https://youtube.com/watch?v=KzKDtijwHFI ?
>>> Nothing.
>>> Can you send me a link where I can access the file content of the
>>> arbitrary file you uploaded?
>>> Are you sure this json response, or this file, will be there in a month?
>>> Or in a year? Is the fact that this json response exists a threat to
>>> youtube? Can you quantify how of a threat? How much, in dollars, does it
>>> hurt their business?
>>>
>>> --Rob
>>>
>>>
>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <
>>> lem.nikolas@googlemail.com> wrote:
>>>
>>>> My claim is now verified....
>>>>
>>>> Cheers!
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>> lem.nikolas@googlemail.com> wrote:
>>>>
>>>>> http://upload.youtube.com/?authuser=0&upload_id=
>>>>> AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
>>>>> uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=
>>>>> CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>
>>>>> That information can be queried from the db, where the metadata are
>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are
>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <
>>>>>> christhom7851@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Nikolas,
>>>>>>>
>>>>>>> Please do read (and understand) my entire email before responding -
>>>>>>> I understand your frustration trying to get your message across but maybe
>>>>>>> this will help.
>>>>>>>
>>>>>>> Please put aside professional pride for the time being - I know how
>>>>>>> it feels to be passionate about something yet have others simply not
>>>>>>> understand.
>>>>>>>
>>>>>>> Let me try and bring some sanity to the discussion and explain to
>>>>>>> you why people maybe not agreeing with you.
>>>>>>>
>>>>>>> You (rightly so) highlighted what you believe to be an issue in a
>>>>>>> Youtube whereby it appears (to you) than you can upload an arbitrary file.
>>>>>>> If you can indeed do this as you suspect then your points are valid and you
>>>>>>> "may" be able to cause various issues associated with it such as DOS etc -
>>>>>>> especially if the uploaded files cannot or are not tracked.
>>>>>>>
>>>>>>> However...
>>>>>>>
>>>>>>> Consider than you are talking to an API and what you are getting
>>>>>>> back (the JSON response) in your example is simply a response from the API
>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>
>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>> intact a valid movie and if not removes it.
>>>>>>>
>>>>>>> If you could for example demonstrate that the file was indeed
>>>>>>> persistent, by being able to retrieve it for example then again, you would
>>>>>>> have solid ground to claim an issue however your claims at this point are
>>>>>>> based on an assumption.... Let me explain.
>>>>>>>
>>>>>>> 1. You have demonstrated than you can send "any" file to an API and
>>>>>>> the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>
>>>>>>> 2. You / we don't know what Google do with files once they have been
>>>>>>> received from the API - maybe they process them and validate them - we
>>>>>>> simply don't know.
>>>>>>>
>>>>>>> 3. You have hypothesized that you can retrieve the file by
>>>>>>> manipulating tokens etc and you may be right, but you have not demonstrated
>>>>>>> it as such.
>>>>>>>
>>>>>>> Because of this, you seem to have made a CLAIM that you can upload
>>>>>>> arbitrary files to Google however SHOWN that you can simply send files to
>>>>>>> an API and an API responds in a certain way.
>>>>>>>
>>>>>>> I am NOT saying you haven't found an issue, what I am saying is that
>>>>>>> you need to demonstrate that the issue is real and thus can be abused. If
>>>>>>> the Google service simply verifies all uploaded files once they are
>>>>>>> uploaded and discards them if invalid, then you haven't really found
>>>>>>> anything.
>>>>>>>
>>>>>>> If you were to prove that you were able to retrieve this uploaded
>>>>>>> file then how could anyone dispute your bug.
>>>>>>>
>>>>>>> Hope this helps....
>>>>>>>
>>>>>>> Cheers!
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
It's amazing how much dumber I feel for having read your drivel.
Please for the love of <$diety> stop posting to this list.

--
W. Scott Lockwood III
AMST Tech (SPI)
GWB2009033817
http://www.shadowplayinternational.org/
"There are four boxes to be used in defense of liberty: soap, ballot,
jury, and ammo. Please use in that order." -Ed Howdershelt (Author)


On Fri, Mar 14, 2014 at 9:48 PM, Nicholas Lemonias.
<lem.nikolas@googlemail.com> wrote:
> Go to sleep. You have absolutely no understanding of the vulnerability, nor
> you have the facts.
>
> If you want a full report ask Softpedia, because we aint releasing them.
>
>
> On Fri, Mar 14, 2014 at 8:39 PM, R D <rd.seclists@gmail.com> wrote:
>>
>> >You are trying to execute an sh script through a video player. That's an
>> > exec() command.
>> No, it's not. That's an HTTP GET. Do you have such a poor understanding of
>> how web applications work? Or did you just not read what I said?
>>
>> >So its the wrong way about accessing the file.
>> This way, which is the standard way to access files on youtube, tells me
>> the file doesn't exist. You have yet to prove the file you uploaded can be
>> accessed or executed by anyone. For that matter, you have still to prove it
>> can be discovered by anyone. That URL is hard to guess.
>> And you have still to answer all my other questions, and most of the
>> questions asked to you on this list.
>> The burden of proof is on you, and you are making a fool of yourself by
>> answering all the questions here with the same statements, and links to your
>> PoC that doesn't proves anything, while everybody asks you for more
>> evidence.
>> Keep on the (good?) work,
>> --Rob'
>>
>>
>> On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias.
>> <lem.nikolas@googlemail.com> wrote:
>>>
>>> You are trying to execute an sh script through a video player. That's an
>>> exec() command. So its the wrong way about accessing the file.
>>>
>>>
>>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists@gmail.com> wrote:
>>>>
>>>> No it's not. As Chris and I are saying, you don't have proof your file
>>>> is accessible to others, only that is was uploaded. Now, you see, when you
>>>> upload a video to youtube, you get the adress where it will be viewable in
>>>> the response. In your case :
>>>>
>>>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000","cross_domain_url":"http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":
>>>> "ok", "video_id":
>>>> "KzKDtijwHFI"}}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>>> And what do we get when we browse to
>>>> https://youtube.com/watch?v=KzKDtijwHFI ?
>>>> Nothing.
>>>> Can you send me a link where I can access the file content of the
>>>> arbitrary file you uploaded?
>>>> Are you sure this json response, or this file, will be there in a month?
>>>> Or in a year? Is the fact that this json response exists a threat to
>>>> youtube? Can you quantify how of a threat? How much, in dollars, does it
>>>> hurt their business?
>>>>
>>>> --Rob
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias.
>>>> <lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>> My claim is now verified....
>>>>>
>>>>> Cheers!
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias.
>>>>> <lem.nikolas@googlemail.com> wrote:
>>>>>>
>>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are
>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias.
>>>>>> <lem.nikolas@googlemail.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>>
>>>>>>> That information can be queried from the db, where the metadata are
>>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson
>>>>>>> <christhom7851@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Nikolas,
>>>>>>>>
>>>>>>>> Please do read (and understand) my entire email before responding -
>>>>>>>> I understand your frustration trying to get your message across but maybe
>>>>>>>> this will help.
>>>>>>>>
>>>>>>>> Please put aside professional pride for the time being - I know how
>>>>>>>> it feels to be passionate about something yet have others simply not
>>>>>>>> understand.
>>>>>>>>
>>>>>>>> Let me try and bring some sanity to the discussion and explain to
>>>>>>>> you why people maybe not agreeing with you.
>>>>>>>>
>>>>>>>> You (rightly so) highlighted what you believe to be an issue in a
>>>>>>>> Youtube whereby it appears (to you) than you can upload an arbitrary file.
>>>>>>>> If you can indeed do this as you suspect then your points are valid and you
>>>>>>>> "may" be able to cause various issues associated with it such as DOS etc -
>>>>>>>> especially if the uploaded files cannot or are not tracked.
>>>>>>>>
>>>>>>>> However...
>>>>>>>>
>>>>>>>> Consider than you are talking to an API and what you are getting
>>>>>>>> back (the JSON response) in your example is simply a response from the API
>>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>>
>>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>>> intact a valid movie and if not removes it.
>>>>>>>>
>>>>>>>> If you could for example demonstrate that the file was indeed
>>>>>>>> persistent, by being able to retrieve it for example then again, you would
>>>>>>>> have solid ground to claim an issue however your claims at this point are
>>>>>>>> based on an assumption.... Let me explain.
>>>>>>>>
>>>>>>>> 1. You have demonstrated than you can send "any" file to an API and
>>>>>>>> the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>>
>>>>>>>> 2. You / we don't know what Google do with files once they have been
>>>>>>>> received from the API - maybe they process them and validate them - we
>>>>>>>> simply don't know.
>>>>>>>>
>>>>>>>> 3. You have hypothesized that you can retrieve the file by
>>>>>>>> manipulating tokens etc and you may be right, but you have not demonstrated
>>>>>>>> it as such.
>>>>>>>>
>>>>>>>> Because of this, you seem to have made a CLAIM that you can upload
>>>>>>>> arbitrary files to Google however SHOWN that you can simply send files to an
>>>>>>>> API and an API responds in a certain way.
>>>>>>>>
>>>>>>>> I am NOT saying you haven't found an issue, what I am saying is that
>>>>>>>> you need to demonstrate that the issue is real and thus can be abused. If
>>>>>>>> the Google service simply verifies all uploaded files once they are uploaded
>>>>>>>> and discards them if invalid, then you haven't really found anything.
>>>>>>>>
>>>>>>>> If you were to prove that you were able to retrieve this uploaded
>>>>>>>> file then how could anyone dispute your bug.
>>>>>>>>
>>>>>>>> Hope this helps....
>>>>>>>>
>>>>>>>> Cheers!
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>
>>>
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
The thread starter is right about this. It is a vulnerability, and I think Google should start considering this.
 
The JSON service responds to GET requests , and there is a good chance that the service is also vulnerable to JSON Hijacking attacks.
 
As a professional penetration tester , I believe that Google was false not to award this.
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Happy trolling...


On Fri, Mar 14, 2014 at 7:49 PM, R D <rd.seclists@gmail.com> wrote:

> >Then that also means that firewalls and IPS systems are worthless. Why
> spend so much time protecting the network layers if a user can send any
> file of choice to a remote network through http...
> well, if you are running a file upload system, or any webserver, you
> really should block any incoming traffic to port 80, and if you can't of
> course your IPS knows what a video file is and can whitelist that /s
> That's why server-side controls are in place, and your POC doesn't show
> you circumventing them.
>
> >As for the uploaded files being persistent, there is evidence of that.
> No. You have evidence they were uploaded. You don't have evidence they
> will stay forever. When reporting a vulnerability, please try to not
> include hyperbole, the reporters will do that for you.
>
> >For instance a remote admin could be tricked to execute some of
> the uploaded files
> As I said, your uploaded files are not accessible to any user, unless you
> prove me wrong. They are not executable (in the context of the webserver)
> for any remote user, unless you can prove me wrong. They are not executable
> in the context of an admin browsing the server content, unless the guys at
> youtube made a major mistake, and you can't tell if they are, and neither
> can I.
> > (Social Engineering).
> Ohai, youtube admin, could you please copy that file I can't give you the
> path of, or even the server where it resides, to your home folder and
> please chmod it 777 and then run it? For debugging purposes obviously
> http://www.youtube.com/watch?v=oOqJ1F44_-Y
>
> Have a nice day, and may the bug elves fill your socks with awesome
> presents,
>
> --Rob'
>
>
>
> On Fri, Mar 14, 2014 at 8:28 PM, Nicholas Lemonias. <
> lem.nikolas@googlemail.com> wrote:
>
>> Then that also means that firewalls and IPS systems are worthless. Why
>> spend so much time protecting the network layers if a user can send any
>> file of choice to a remote network through http...
>>
>> As for the uploaded files being persistent, there is evidence of that.
>> For instance a remote admin could be tricked to execute some of
>> the uploaded files (Social Engineering).
>>
>> So our report sent as part of Google's security program, should not be
>> treated as a non-security issue.
>>
>>
>> Thanks,
>>
>>
>> On Fri, Mar 14, 2014 at 7:23 PM, R D <rd.seclists@gmail.com> wrote:
>>
>>> I'm going to try to spell it out clearly.
>>>
>>> You don't have unrestricted file upload[1]. Keep in mind you're trying
>>> to abuse youtube, which is essentially a video file upload service. So the
>>> fact that you can upload files is not surprising.
>>> Now you're uploading non-video files. Cool. But not earth-shattering.
>>> They are not accessible to anyone but you, as far as I can tell, and I
>>> don't even think you can access the file contents on the remote server, but
>>> please prove me wrong on both points.
>>> You are still, as far as I can tell, bound by the per-file and
>>> per-account quota on disk occupation, so you don't have a DoS by resource
>>> exhaustion.
>>> You can't force server-side file path, so you don't have RFI or DoS by
>>> messing with the remote file system. You can't execute the files you
>>> uploaded, so you don't have arbitrary code execution.
>>>
>>> But you are right about what your PoC does. You bypassed a security
>>> control, you uploaded crap on youtube servers, and by that you exhausted
>>> their resources by a fraction of the quota they allow you when signing up.
>>> BTW, I don't think they keep invalid video files for an indefinite period
>>> of time in a user account, but I might be wrong.
>>>
>>> The burden of proof is still on your side as to whether or not the bug
>>> you found has any impact that was not already accepted by youtube allowing
>>> registered users to upload whatever crap they see fit as long as it is
>>> video. You failed to provide this proof, and please be sure the audience of
>>> fulldisclosure is not "attacking the researcher" but working with you to
>>> have a better understanding of the bug you found, even though you kinda
>>> acted like a fool in this thread.
>>>
>>> Please keep on searching and finding vulns, please keep on publishing
>>> them, and use this as a learning experience that not all bugs or control
>>> bypasses are security vulnerabilities.
>>>
>>> --Rob'
>>>
>>> [1] As per OWASP (
>>> https://www.owasp.org/index.php/Unrestricted_File_Upload):
>>>
>>> >There are really two classes of problems here. The first is with the
>>> file metadata, like the path and file name. These are generally provided by
>>> the transport, such as HTTP multi-part encoding. This data may trick the
>>> application into overwriting a critical file or storing the file in a bad
>>> location. You must validate the metadata extremely carefully before using
>>> it.
>>>
>>> Your POC doesn't demonstrate that.
>>>
>>> >The other class of problem is with the file size or content. The range
>>> of problems here depends entirely on what the file is used for. See the
>>> examples below for some ideas about how files might be misused. To protect
>>> against this type of attack, you should analyze everything your application
>>> does with files and think carefully about what processing and interpreters
>>> are involved.
>>>
>>> Your POC kinda does that, but you didn't provide proof it's possible to
>>> execute what you uploaded, either using social engineering or any other
>>> method.
>>>
>>> Also, please don't say "verified by a couple of recognised experts
>>> including OWASP" unless you actually spoke with someone @owasp and she
>>> validated your findings.
>>>
>>>
>>> On Fri, Mar 14, 2014 at 7:40 PM, Nicholas Lemonias. <
>>> lem.nikolas@googlemail.com> wrote:
>>>
>>>> We have many PoC's including video clips. We may upload for the
>>>> security world to see.
>>>>
>>>> However, this is not the way to treat security vulnerabilities.
>>>> Attacking the researcher and bringing you friends to do aswell, won't
>>>> mitigate the problem.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Oh, wow :-)

To put things in perspective, it probably helps to understand that
virtually all video hosting sites perform batch, queue-based
conversions of uploaded content. There is a good reason for this
design: video conversions are extremely CPU-intensive - and an
orderly, capped-throughput queue gives you much better resilience to
DoS attacks.

Alas, this model is not very user-friendly: it may take good 20
minutes to upload a clip to Vimeo over my lowly DSL connection, and
then another 40 to wait my turn in the conversion queue. If the video
I uploaded turns out to be in an unsupported format (I'm still using
MS-CRAM), I have just wasted an hour of my time. A simple workaround
would be for Vimeo to have a client-side check that flags obvious
problems before sending any data to the server. It's not a security
feature, but it minimizes my pain.

Does it make sense to duplicate this check on the server, too? You
could, but I don't think it adds real value: after all, the converter
will sooner or later perform the same check anyway. And for users who
want to take Vimeo down, uploading tons of cat videos makes more
sense: after all, converting them will cost more than just bailing out
early on an invalid file. As for other attacks you mention: it's
fairly easy to construct valid videos that also work as file archives,
HTML documents, or shell scripts.

Ultimately, sites that deal with user-supplied content often have to
make tough decisions that don't fit in the neat defitions of ISO
standards or academic papers of the old. Mechanisms such as quotas,
various abuse-detection heuristics, rapid scalability - and even user
education and good UX design - go hand-in-hand with more traditional
approaches to minimizing risk.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
If you wish to talk seriously about the problem, please send me an email
privately. And we can talk about what we have found so far, and perhaps
present some more proof of concepts for this on going research. This is
between the researcher and Google.

People who do not have the facts have been, trying to attack the arguer, on
the basis of their personal beliefs. We are not speaking from experience,
but based on our findings which includes PoC media, images, codes - and
based on academic literature and recognised practise. Please bear in mind
that a lot of research is conducted in academia (those old papers you
say) before finally released to the commercial markets.

Regards,

*Nicholas Lemonias*
*Information Security Expert*
*Advanced Information Security Corp.*


On Fri, Mar 14, 2014 at 10:49 PM, Mario Vilas <mvilas@gmail.com> wrote:

> Try learning how to properly send emails before critizicing anyone, pal. ;)
>
>
> On Fri, Mar 14, 2014 at 6:44 PM, Nicholas Lemonias. <
> lem.nikolas@googlemail.com> wrote:
>
>>
>> People can read the report if they like. Can't you even do basic things
>> like reading a vulnerability report?
>>
>> Can't you see that the advisory is about writing arbitrary files. If I
>> was your boss I would fire you.
>> ---------- Forwarded message ----------
>> From: Nicholas Lemonias. <lem.nikolas@googlemail.com>
>> Date: Fri, Mar 14, 2014 at 5:43 PM
>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>> To: Mario Vilas <mvilas@gmail.com>
>>
>>
>> People can read the report if they like. Can't you even do basic things
>> like reading a vulnerability report?
>>
>> Can't you see that the advisory is about writing arbitrary files. If I
>> was your boss I would fire you, with a good kick outta the door.
>>
>>
>>
>>
>>
>>
>> On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas <mvilas@gmail.com> wrote:
>>
>>> On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. <
>>> lem.nikolas@googlemail.com> wrote:
>>>
>>>> Jerome of Mcafee has made a very valid point on revisiting separation
>>>> of duties in this security instance.
>>>>
>>>> Happy to see more professionals with some skills. Some others have
>>>> also mentioned the feasibility for Denial of Service attacks. Remote code
>>>> execution by Social Engineering is also a prominent scenario.
>>>>
>>>
>>> Actually, people have been pointing out exactly the opposite. But if you
>>> insist on believing you can DoS an EC2 by uploading files, good luck to you
>>> then...
>>>
>>>
>>>>
>>>> If you can't tell that that is a vulnerability (probably coming from a
>>>> bunch of CEH's), I feel sorry for those consultants.
>>>>
>>>
>>> You're the only one throwing around certifications here. I can no longer
>>> tell if you're being serious or this is a massive prank.
>>>
>>>
>>>>
>>>> Nicholas.
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. <
>>>> lem.nikolas@googlemail.com> wrote:
>>>>
>>>>> We are on a different level perhaps. We do certainly disagree on those
>>>>> points.
>>>>> I wouldn't hire you as a consultant, if you can't tell if that is a
>>>>> valid vulnerability..
>>>>>
>>>>>
>>>>> Best Regards,
>>>>> Nicholas Lemonias.
>>>>>
>>>>> On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvilas@gmail.com>wrote:
>>>>>
>>>>>> But do you have all the required EH certifications? Try this one from
>>>>>> the Institute for
>>>>>> Certified Application Security Specialists: http://www.asscert.com/
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. <
>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>
>>>>>>> Thanks Michal,
>>>>>>>
>>>>>>> We are just trying to improve Google's security and contribute to
>>>>>>> the research community after all. If you are still on EFNet give me a shout
>>>>>>> some time.
>>>>>>>
>>>>>>> We have done so and consulted to hundreds of clients including
>>>>>>> Microsoft, Nokia, Adobe and some of the world's biggest corporations. We
>>>>>>> are also strict supporters of the ACM code of conduct.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Nicholas Lemonias.
>>>>>>> AISec
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. <
>>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>>
>>>>>>>> Hi Jerome,
>>>>>>>>
>>>>>>>> Thank you for agreeing on access control, and separation of duties.
>>>>>>>>
>>>>>>>> However successful exploitation permits arbitrary write() of any
>>>>>>>> file of choice.
>>>>>>>>
>>>>>>>> I could release an exploit code in C Sharp or Python that permits
>>>>>>>> multiple file uploads of any file/types, if the Google security team feels
>>>>>>>> that this would be necessary. This is unpaid work, so we are not so keen on
>>>>>>>> that job.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <
>>>>>>>> athiasjerome@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> I concur that we are mainly discussing a terminology problem.
>>>>>>>>>
>>>>>>>>> In the context of a Penetration Test or WAPT, this is a Finding.
>>>>>>>>> Reporting this finding makes sense in this context.
>>>>>>>>>
>>>>>>>>> As a professional, you would have to explain if/how this finding
>>>>>>>>> is a
>>>>>>>>> Weakness*, a Violation (/Regulations, Compliance, Policies or
>>>>>>>>> Requirements[1])
>>>>>>>>> * I would say Weakness + Exposure = Vulnerability. Vulnerability +
>>>>>>>>> Exploitability (PoC) = Confirmed Vulnerability that needs Business
>>>>>>>>> Impact and Risk Analysis
>>>>>>>>>
>>>>>>>>> So I would probably have reported this Finding as a Weakness (and
>>>>>>>>> not
>>>>>>>>> Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not
>>>>>>>>> Best Practice (your OWASP link and Cheat Sheets), and even if
>>>>>>>>> mitigative/compensative security controls (Ref Orange Book),
>>>>>>>>> security
>>>>>>>>> controls like white listing (or at least black listing. see also
>>>>>>>>> ESAPI) should be 1) part of the [1]security requirements of a
>>>>>>>>> proper
>>>>>>>>> SDLC (Build security in) as per Defense-in-Depth security
>>>>>>>>> principles
>>>>>>>>> and 2) used and implemented correctly.
>>>>>>>>> NB: A simple Threat Model (i.e. list of CAPEC) would be a solid
>>>>>>>>> support to your report
>>>>>>>>> This would help to evaluate/measure the risk (e.g. CVSS).
>>>>>>>>> Helping the decision/actions around this risk
>>>>>>>>>
>>>>>>>>> PS: interestingly, in this case, I'm not sure that the Separation
>>>>>>>>> of
>>>>>>>>> Duties security principle was applied correctly by Google in term
>>>>>>>>> of
>>>>>>>>> Risk Acceptance (which could be another Finding)
>>>>>>>>>
>>>>>>>>> So in few words, be careful with the terminology. (don't always say
>>>>>>>>> vulnerability like the media say hacker, see RFC1392) Use a CWE ID
>>>>>>>>> (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)
>>>>>>>>>
>>>>>>>>> My 2 bitcents
>>>>>>>>> Sorry if it is not edible :)
>>>>>>>>> Happy Hacking!
>>>>>>>>>
>>>>>>>>> /JA
>>>>>>>>> https://github.com/athiasjerome/XORCISM
>>>>>>>>>
>>>>>>>>> 2014-03-14 7:19 GMT+03:00 Michal Zalewski <lcamtuf@coredump.cx>:
>>>>>>>>> > Nicholas,
>>>>>>>>> >
>>>>>>>>> > I remember my early years in the infosec community - and sadly,
>>>>>>>>> so do
>>>>>>>>> > some of the more seasoned readers of this list :-) Back then, I
>>>>>>>>> > thought that the only thing that mattered is the ability to find
>>>>>>>>> bugs.
>>>>>>>>> > But after some 18 years in the industry, I now know that there's
>>>>>>>>> an
>>>>>>>>> > even more important and elusive skill.
>>>>>>>>> >
>>>>>>>>> > That skill boils down to having a robust mental model of what
>>>>>>>>> > constitutes a security flaw - and being able to explain your
>>>>>>>>> thinking
>>>>>>>>> > to others in a precise and internally consistent manner that
>>>>>>>>> convinces
>>>>>>>>> > others to act. We need this because the security of a system
>>>>>>>>> can't be
>>>>>>>>> > usefully described using abstract terms: even the academic
>>>>>>>>> definitions
>>>>>>>>> > ultimately boil down to saying "the system is secure if it
>>>>>>>>> doesn't do
>>>>>>>>> > the things we *really* don't want it to do".
>>>>>>>>> >
>>>>>>>>> > In this spirit, the term "vulnerability" is generally reserved
>>>>>>>>> for
>>>>>>>>> > behaviors that meet all of the following criteria:
>>>>>>>>> >
>>>>>>>>> > 1) The behavior must have negative consequences for at least one
>>>>>>>>> of
>>>>>>>>> > the legitimate stakeholders (users, service owners, etc),
>>>>>>>>> >
>>>>>>>>> > 2) The consequences must be widely seen as unexpected and
>>>>>>>>> unacceptable,
>>>>>>>>> >
>>>>>>>>> > 3) There must be a realistic chance of such a negative outcome,
>>>>>>>>> >
>>>>>>>>> > 4) The behavior must introduce substantial new risks that go
>>>>>>>>> beyond
>>>>>>>>> > the previously accepted trade-offs.
>>>>>>>>> >
>>>>>>>>> > If we don't have that, we usually don't have a case, no matter
>>>>>>>>> how
>>>>>>>>> > clever the bug is.
>>>>>>>>> >
>>>>>>>>> > Cheers (and happy hunting!),
>>>>>>>>> > /mz
>>>>>>>>> >
>>>>>>>>> > _______________________________________________
>>>>>>>>> > Full-Disclosure - We believe in it.
>>>>>>>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> "There's a reason we separate military and the police: one fights
>>>>>> the enemy of the state, the other serves and protects the people. When
>>>>>> the military becomes both, then the enemies of the state tend to become the
>>>>>> people."
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> "There's a reason we separate military and the police: one fights
>>> the enemy of the state, the other serves and protects the people. When
>>> the military becomes both, then the enemies of the state tend to become the
>>> people."
>>>
>>
>>
>>
>
>
> --
> "There's a reason we separate military and the police: one fights
> the enemy of the state, the other serves and protects the people. When
> the military becomes both, then the enemies of the state tend to become the
> people."
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Omg please for the love of all things human STFU!!!

Sent from my iPhone

> On Mar 15, 2014, at 12:43 AM, "Nicholas Lemonias." <lem.nikolas@googlemail.com> wrote:
>
> If you wish to talk seriously about the problem, please send me an email privately. And we can talk about what we have found so far, and perhaps present some more proof of concepts for this on going research. This is between the researcher and Google.
>
> People who do not have the facts have been, trying to attack the arguer, on the basis of their personal beliefs. We are not speaking from experience, but based on our findings which includes PoC media, images, codes - and based on academic literature and recognised practise. Please bear in mind that a lot of research is conducted in academia (those old papers you say) before finally released to the commercial markets.
>
> Regards,
>
> Nicholas Lemonias
> Information Security Expert
> Advanced Information Security Corp.
>
>
>> On Fri, Mar 14, 2014 at 10:49 PM, Mario Vilas <mvilas@gmail.com> wrote:
>> Try learning how to properly send emails before critizicing anyone, pal. ;)
>>
>>
>>> On Fri, Mar 14, 2014 at 6:44 PM, Nicholas Lemonias. <lem.nikolas@googlemail.com> wrote:
>>>
>>> People can read the report if they like. Can't you even do basic things like reading a vulnerability report?
>>>
>>> Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you.
>>> ---------- Forwarded message ----------
>>> From: Nicholas Lemonias. <lem.nikolas@googlemail.com>
>>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>>> To: Mario Vilas <mvilas@gmail.com>
>>>
>>>
>>> People can read the report if they like. Can't you even do basic things like reading a vulnerability report?
>>>
>>> Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you, with a good kick outta the door.
>>>
>>>
>>>
>>>
>>>
>>>
>>>> On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas <mvilas@gmail.com> wrote:
>>>>> On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. <lem.nikolas@googlemail.com> wrote:
>>>>> Jerome of Mcafee has made a very valid point on revisiting separation of duties in this security instance.
>>>>>
>>>>> Happy to see more professionals with some skills. Some others have also mentioned the feasibility for Denial of Service attacks. Remote code execution by Social Engineering is also a prominent scenario.
>>>>
>>>> Actually, people have been pointing out exactly the opposite. But if you insist on believing you can DoS an EC2 by uploading files, good luck to you then...
>>>>
>>>>>
>>>>> If you can't tell that that is a vulnerability (probably coming from a bunch of CEH's), I feel sorry for those consultants.
>>>>
>>>> You're the only one throwing around certifications here. I can no longer tell if you're being serious or this is a massive prank.
>>>>
>>>>>
>>>>> Nicholas.
>>>>>
>>>>>
>>>>>> On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. <lem.nikolas@googlemail.com> wrote:
>>>>>> We are on a different level perhaps. We do certainly disagree on those points.
>>>>>> I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability..
>>>>>>
>>>>>>
>>>>>> Best Regards,
>>>>>> Nicholas Lemonias.
>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvilas@gmail.com> wrote:
>>>>>>> But do you have all the required EH certifications? Try this one from the Institute for
>>>>>>> Certified Application Security Specialists: http://www.asscert.com/
>>>>>>>
>>>>>>>
>>>>>>>> On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. <lem.nikolas@googlemail.com> wrote:
>>>>>>>> Thanks Michal,
>>>>>>>>
>>>>>>>> We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time.
>>>>>>>>
>>>>>>>> We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Nicholas Lemonias.
>>>>>>>> AISec
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. <lem.nikolas@googlemail.com> wrote:
>>>>>>>>> Hi Jerome,
>>>>>>>>>
>>>>>>>>> Thank you for agreeing on access control, and separation of duties.
>>>>>>>>>
>>>>>>>>> However successful exploitation permits arbitrary write() of any file of choice.
>>>>>>>>>
>>>>>>>>> I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <athiasjerome@gmail.com> wrote:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> I concur that we are mainly discussing a terminology problem.
>>>>>>>>>>
>>>>>>>>>> In the context of a Penetration Test or WAPT, this is a Finding.
>>>>>>>>>> Reporting this finding makes sense in this context.
>>>>>>>>>>
>>>>>>>>>> As a professional, you would have to explain if/how this finding is a
>>>>>>>>>> Weakness*, a Violation (/Regulations, Compliance, Policies or
>>>>>>>>>> Requirements[1])
>>>>>>>>>> * I would say Weakness + Exposure = Vulnerability. Vulnerability +
>>>>>>>>>> Exploitability (PoC) = Confirmed Vulnerability that needs Business
>>>>>>>>>> Impact and Risk Analysis
>>>>>>>>>>
>>>>>>>>>> So I would probably have reported this Finding as a Weakness (and not
>>>>>>>>>> Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not
>>>>>>>>>> Best Practice (your OWASP link and Cheat Sheets), and even if
>>>>>>>>>> mitigative/compensative security controls (Ref Orange Book), security
>>>>>>>>>> controls like white listing (or at least black listing. see also
>>>>>>>>>> ESAPI) should be 1) part of the [1]security requirements of a proper
>>>>>>>>>> SDLC (Build security in) as per Defense-in-Depth security principles
>>>>>>>>>> and 2) used and implemented correctly.
>>>>>>>>>> NB: A simple Threat Model (i.e. list of CAPEC) would be a solid
>>>>>>>>>> support to your report
>>>>>>>>>> This would help to evaluate/measure the risk (e.g. CVSS).
>>>>>>>>>> Helping the decision/actions around this risk
>>>>>>>>>>
>>>>>>>>>> PS: interestingly, in this case, I'm not sure that the Separation of
>>>>>>>>>> Duties security principle was applied correctly by Google in term of
>>>>>>>>>> Risk Acceptance (which could be another Finding)
>>>>>>>>>>
>>>>>>>>>> So in few words, be careful with the terminology. (don't always say
>>>>>>>>>> vulnerability like the media say hacker, see RFC1392) Use a CWE ID
>>>>>>>>>> (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)
>>>>>>>>>>
>>>>>>>>>> My 2 bitcents
>>>>>>>>>> Sorry if it is not edible :)
>>>>>>>>>> Happy Hacking!
>>>>>>>>>>
>>>>>>>>>> /JA
>>>>>>>>>> https://github.com/athiasjerome/XORCISM
>>>>>>>>>>
>>>>>>>>>> 2014-03-14 7:19 GMT+03:00 Michal Zalewski <lcamtuf@coredump.cx>:
>>>>>>>>>> > Nicholas,
>>>>>>>>>> >
>>>>>>>>>> > I remember my early years in the infosec community - and sadly, so do
>>>>>>>>>> > some of the more seasoned readers of this list :-) Back then, I
>>>>>>>>>> > thought that the only thing that mattered is the ability to find bugs.
>>>>>>>>>> > But after some 18 years in the industry, I now know that there's an
>>>>>>>>>> > even more important and elusive skill.
>>>>>>>>>> >
>>>>>>>>>> > That skill boils down to having a robust mental model of what
>>>>>>>>>> > constitutes a security flaw - and being able to explain your thinking
>>>>>>>>>> > to others in a precise and internally consistent manner that convinces
>>>>>>>>>> > others to act. We need this because the security of a system can't be
>>>>>>>>>> > usefully described using abstract terms: even the academic definitions
>>>>>>>>>> > ultimately boil down to saying "the system is secure if it doesn't do
>>>>>>>>>> > the things we *really* don't want it to do".
>>>>>>>>>> >
>>>>>>>>>> > In this spirit, the term "vulnerability" is generally reserved for
>>>>>>>>>> > behaviors that meet all of the following criteria:
>>>>>>>>>> >
>>>>>>>>>> > 1) The behavior must have negative consequences for at least one of
>>>>>>>>>> > the legitimate stakeholders (users, service owners, etc),
>>>>>>>>>> >
>>>>>>>>>> > 2) The consequences must be widely seen as unexpected and unacceptable,
>>>>>>>>>> >
>>>>>>>>>> > 3) There must be a realistic chance of such a negative outcome,
>>>>>>>>>> >
>>>>>>>>>> > 4) The behavior must introduce substantial new risks that go beyond
>>>>>>>>>> > the previously accepted trade-offs.
>>>>>>>>>> >
>>>>>>>>>> > If we don't have that, we usually don't have a case, no matter how
>>>>>>>>>> > clever the bug is.
>>>>>>>>>> >
>>>>>>>>>> > Cheers (and happy hunting!),
>>>>>>>>>> > /mz
>>>>>>>>>> >
>>>>>>>>>> > _______________________________________________
>>>>>>>>>> > Full-Disclosure - We believe in it.
>>>>>>>>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
>>
>>
>>
>>
>> --
>> “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
You are too vague. Please keep this to a level.

Thank you.


*Best Regards,*
*Nicholas Lemonias*

*Advanced Information Security Corporation.*


On Sat, Mar 15, 2014 at 5:06 AM, Colette Chamberland <
cjchamberland@gmail.com> wrote:

> Omg please for the love of all things human STFU!!!
>
> Sent from my iPhone
>
> On Mar 15, 2014, at 12:43 AM, "Nicholas Lemonias." <
> lem.nikolas@googlemail.com> wrote:
>
> If you wish to talk seriously about the problem, please send me an email
> privately. And we can talk about what we have found so far, and perhaps
> present some more proof of concepts for this on going research. This is
> between the researcher and Google.
>
> People who do not have the facts have been, trying to attack the arguer,
> on the basis of their personal beliefs. We are not speaking from
> experience, but based on our findings which includes PoC media, images,
> codes - and based on academic literature and recognised practise. Please
> bear in mind that a lot of research is conducted in academia (those old
> papers you say) before finally released to the commercial markets.
>
> Regards,
>
> *Nicholas Lemonias*
> *Information Security Expert*
> *Advanced Information Security Corp.*
>
>
> On Fri, Mar 14, 2014 at 10:49 PM, Mario Vilas <mvilas@gmail.com> wrote:
>
>> Try learning how to properly send emails before critizicing anyone, pal.
>> ;)
>>
>>
>> On Fri, Mar 14, 2014 at 6:44 PM, Nicholas Lemonias. <
>> lem.nikolas@googlemail.com> wrote:
>>
>>>
>>> People can read the report if they like. Can't you even do basic things
>>> like reading a vulnerability report?
>>>
>>> Can't you see that the advisory is about writing arbitrary files. If I
>>> was your boss I would fire you.
>>> ---------- Forwarded message ----------
>>> From: Nicholas Lemonias. <lem.nikolas@googlemail.com>
>>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>>> To: Mario Vilas <mvilas@gmail.com>
>>>
>>>
>>> People can read the report if they like. Can't you even do basic things
>>> like reading a vulnerability report?
>>>
>>> Can't you see that the advisory is about writing arbitrary files. If I
>>> was your boss I would fire you, with a good kick outta the door.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas <mvilas@gmail.com> wrote:
>>>
>>>> On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. <
>>>> lem.nikolas@googlemail.com> wrote:
>>>>
>>>>> Jerome of Mcafee has made a very valid point on revisiting separation
>>>>> of duties in this security instance.
>>>>>
>>>>> Happy to see more professionals with some skills. Some others have
>>>>> also mentioned the feasibility for Denial of Service attacks. Remote code
>>>>> execution by Social Engineering is also a prominent scenario.
>>>>>
>>>>
>>>> Actually, people have been pointing out exactly the opposite. But if
>>>> you insist on believing you can DoS an EC2 by uploading files, good luck to
>>>> you then...
>>>>
>>>>
>>>>>
>>>>> If you can't tell that that is a vulnerability (probably coming from a
>>>>> bunch of CEH's), I feel sorry for those consultants.
>>>>>
>>>>
>>>> You're the only one throwing around certifications here. I can no
>>>> longer tell if you're being serious or this is a massive prank.
>>>>
>>>>
>>>>>
>>>>> Nicholas.
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. <
>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>>> We are on a different level perhaps. We do certainly disagree on
>>>>>> those points.
>>>>>> I wouldn't hire you as a consultant, if you can't tell if that is a
>>>>>> valid vulnerability..
>>>>>>
>>>>>>
>>>>>> Best Regards,
>>>>>> Nicholas Lemonias.
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvilas@gmail.com>wrote:
>>>>>>
>>>>>>> But do you have all the required EH certifications? Try this one
>>>>>>> from the Institute for
>>>>>>> Certified Application Security Specialists: http://www.asscert.com/
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. <
>>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>>
>>>>>>>> Thanks Michal,
>>>>>>>>
>>>>>>>> We are just trying to improve Google's security and contribute to
>>>>>>>> the research community after all. If you are still on EFNet give me a shout
>>>>>>>> some time.
>>>>>>>>
>>>>>>>> We have done so and consulted to hundreds of clients including
>>>>>>>> Microsoft, Nokia, Adobe and some of the world's biggest corporations. We
>>>>>>>> are also strict supporters of the ACM code of conduct.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Nicholas Lemonias.
>>>>>>>> AISec
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. <
>>>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Jerome,
>>>>>>>>>
>>>>>>>>> Thank you for agreeing on access control, and separation of
>>>>>>>>> duties.
>>>>>>>>>
>>>>>>>>> However successful exploitation permits arbitrary write() of any
>>>>>>>>> file of choice.
>>>>>>>>>
>>>>>>>>> I could release an exploit code in C Sharp or Python that permits
>>>>>>>>> multiple file uploads of any file/types, if the Google security team feels
>>>>>>>>> that this would be necessary. This is unpaid work, so we are not so keen on
>>>>>>>>> that job.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <
>>>>>>>>> athiasjerome@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> I concur that we are mainly discussing a terminology problem.
>>>>>>>>>>
>>>>>>>>>> In the context of a Penetration Test or WAPT, this is a Finding.
>>>>>>>>>> Reporting this finding makes sense in this context.
>>>>>>>>>>
>>>>>>>>>> As a professional, you would have to explain if/how this finding
>>>>>>>>>> is a
>>>>>>>>>> Weakness*, a Violation (/Regulations, Compliance, Policies or
>>>>>>>>>> Requirements[1])
>>>>>>>>>> * I would say Weakness + Exposure = Vulnerability. Vulnerability +
>>>>>>>>>> Exploitability (PoC) = Confirmed Vulnerability that needs Business
>>>>>>>>>> Impact and Risk Analysis
>>>>>>>>>>
>>>>>>>>>> So I would probably have reported this Finding as a Weakness (and
>>>>>>>>>> not
>>>>>>>>>> Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is
>>>>>>>>>> not
>>>>>>>>>> Best Practice (your OWASP link and Cheat Sheets), and even if
>>>>>>>>>> mitigative/compensative security controls (Ref Orange Book),
>>>>>>>>>> security
>>>>>>>>>> controls like white listing (or at least black listing. see also
>>>>>>>>>> ESAPI) should be 1) part of the [1]security requirements of a
>>>>>>>>>> proper
>>>>>>>>>> SDLC (Build security in) as per Defense-in-Depth security
>>>>>>>>>> principles
>>>>>>>>>> and 2) used and implemented correctly.
>>>>>>>>>> NB: A simple Threat Model (i.e. list of CAPEC) would be a solid
>>>>>>>>>> support to your report
>>>>>>>>>> This would help to evaluate/measure the risk (e.g. CVSS).
>>>>>>>>>> Helping the decision/actions around this risk
>>>>>>>>>>
>>>>>>>>>> PS: interestingly, in this case, I'm not sure that the Separation
>>>>>>>>>> of
>>>>>>>>>> Duties security principle was applied correctly by Google in term
>>>>>>>>>> of
>>>>>>>>>> Risk Acceptance (which could be another Finding)
>>>>>>>>>>
>>>>>>>>>> So in few words, be careful with the terminology. (don't always
>>>>>>>>>> say
>>>>>>>>>> vulnerability like the media say hacker, see RFC1392) Use a CWE ID
>>>>>>>>>> (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)
>>>>>>>>>>
>>>>>>>>>> My 2 bitcents
>>>>>>>>>> Sorry if it is not edible :)
>>>>>>>>>> Happy Hacking!
>>>>>>>>>>
>>>>>>>>>> /JA
>>>>>>>>>> https://github.com/athiasjerome/XORCISM
>>>>>>>>>>
>>>>>>>>>> 2014-03-14 7:19 GMT+03:00 Michal Zalewski <lcamtuf@coredump.cx>:
>>>>>>>>>> > Nicholas,
>>>>>>>>>> >
>>>>>>>>>> > I remember my early years in the infosec community - and sadly,
>>>>>>>>>> so do
>>>>>>>>>> > some of the more seasoned readers of this list :-) Back then, I
>>>>>>>>>> > thought that the only thing that mattered is the ability to
>>>>>>>>>> find bugs.
>>>>>>>>>> > But after some 18 years in the industry, I now know that
>>>>>>>>>> there's an
>>>>>>>>>> > even more important and elusive skill.
>>>>>>>>>> >
>>>>>>>>>> > That skill boils down to having a robust mental model of what
>>>>>>>>>> > constitutes a security flaw - and being able to explain your
>>>>>>>>>> thinking
>>>>>>>>>> > to others in a precise and internally consistent manner that
>>>>>>>>>> convinces
>>>>>>>>>> > others to act. We need this because the security of a system
>>>>>>>>>> can't be
>>>>>>>>>> > usefully described using abstract terms: even the academic
>>>>>>>>>> definitions
>>>>>>>>>> > ultimately boil down to saying "the system is secure if it
>>>>>>>>>> doesn't do
>>>>>>>>>> > the things we *really* don't want it to do".
>>>>>>>>>> >
>>>>>>>>>> > In this spirit, the term "vulnerability" is generally reserved
>>>>>>>>>> for
>>>>>>>>>> > behaviors that meet all of the following criteria:
>>>>>>>>>> >
>>>>>>>>>> > 1) The behavior must have negative consequences for at least
>>>>>>>>>> one of
>>>>>>>>>> > the legitimate stakeholders (users, service owners, etc),
>>>>>>>>>> >
>>>>>>>>>> > 2) The consequences must be widely seen as unexpected and
>>>>>>>>>> unacceptable,
>>>>>>>>>> >
>>>>>>>>>> > 3) There must be a realistic chance of such a negative outcome,
>>>>>>>>>> >
>>>>>>>>>> > 4) The behavior must introduce substantial new risks that go
>>>>>>>>>> beyond
>>>>>>>>>> > the previously accepted trade-offs.
>>>>>>>>>> >
>>>>>>>>>> > If we don't have that, we usually don't have a case, no matter
>>>>>>>>>> how
>>>>>>>>>> > clever the bug is.
>>>>>>>>>> >
>>>>>>>>>> > Cheers (and happy hunting!),
>>>>>>>>>> > /mz
>>>>>>>>>> >
>>>>>>>>>> > _______________________________________________
>>>>>>>>>> > Full-Disclosure - We believe in it.
>>>>>>>>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> "There's a reason we separate military and the police: one fights
>>>>>>> the enemy of the state, the other serves and protects the people. When
>>>>>>> the military becomes both, then the enemies of the state tend to become the
>>>>>>> people."
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> "There's a reason we separate military and the police: one fights
>>>> the enemy of the state, the other serves and protects the people. When
>>>> the military becomes both, then the enemies of the state tend to become the
>>>> people."
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> "There's a reason we separate military and the police: one fights
>> the enemy of the state, the other serves and protects the people. When
>> the military becomes both, then the enemies of the state tend to become the
>> people."
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Correct.

The mime type can be circumvented. We can confirm this to be a valid
vulnerability.

For the PoC's :

http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml

On Fri, Mar 14, 2014 at 8:40 PM, Krzysztof Kotowicz
<kkotowicz+fd@gmail.com>wrote:

>
> 2014-03-14 20:28 GMT+01:00 Nicholas Lemonias. <lem.nikolas@googlemail.com>
> :
>
> Then that also means that firewalls and IPS systems are worthless. Why
>> spend so much time protecting the network layers if a user can send any
>> file of choice to a remote network through http...
>>
>
> No, they are not worthless per se, but of course for an user content
> publishing service they need to allow file upload over HTTP/s. How far
> those files are inspected and later processed is another question - and
> that could lead to a vulnerability that you DIDN'T demonstrate.
>
> You just uploaded a .sh file. There's no harm in that as nowhere did you
> prove that that file is being executed. Similarly (and that has been
> pointed out in this thread) you could upload a PHP-GIF polyglot file to a
> J2EE application - no vulnerability in this. Prove something by overwriting
> a crucial file, tricking other user's browser to execute the file as HTML
> from an interesting domain (XSS), popping a shell, triggering XXE when the
> file is processed as XML, anything. Then that is a vulnerability. So far -
> sorry, it is not, and you've been told it repeatedly.
>
>
> As for the uploaded files being persistent, there is evidence of that.
>> For instance a remote admin could be tricked to execute some of
>> the uploaded files (Social Engineering).
>>
>
> Come on, seriously? Social Engineering can make him download this file
> from pastebin just as well. That's a real stretch.
>
> IMHO it is not a security issue. You're uploading a file to some kind of
> processing queue that does not validate a file type, but nevertheless only
> processes those files as video - there is NO reason to suspect otherwise,
> and I'd like to be proven wrong here. Proven as in PoC.
>
>
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
You are so incompetent.. If you want proof why don't you do it yourself?

https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that the file
is saved and processed. If you want to question it come up with your real
name, stop hiding behind fake emails. Are you a Google employee? What's
your motive?

Best


On Fri, Mar 14, 2014 at 8:39 PM, R D <rd.seclists@gmail.com> wrote:

> >You are trying to execute an sh script through a video player. That's an
> exec() command.
> No, it's not. That's an HTTP GET. Do you have such a poor understanding of
> how web applications work? Or did you just not read what I said?
>
> >So its the wrong way about accessing the file.
> This way, which is the standard way to access files on youtube, tells me
> the file doesn't exist. You have yet to prove the file you uploaded can be
> accessed or executed by anyone. For that matter, you have still to prove it
> can be discovered by anyone. That URL is hard to guess.
> And you have still to answer all my other questions, and most of the
> questions asked to you on this list.
> The burden of proof is on you, and you are making a fool of yourself by
> answering all the questions here with the same statements, and links to
> your PoC that doesn't proves anything, while everybody asks you for more
> evidence.
> Keep on the (good?) work,
> --Rob'
>
>
> On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias. <
> lem.nikolas@googlemail.com> wrote:
>
>> You are trying to execute an sh script through a video player. That's an
>> exec() command. So its the wrong way about accessing the file.
>>
>>
>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists@gmail.com> wrote:
>>
>>> No it's not. As Chris and I are saying, you don't have proof your file
>>> is accessible to others, only that is was uploaded. Now, you see, when you
>>> upload a video to youtube, you get the adress where it will be viewable in
>>> the response. In your case :
>>>
>>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"
>>> http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000
>>> ","cross_domain_url":"
>>> http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":
>>> "ok", *"video_id": "KzKDtijwHFI"*
>>> }}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>> And what do we get when we browse to
>>> https://youtube.com/watch?v=KzKDtijwHFI ?
>>> Nothing.
>>> Can you send me a link where I can access the file content of the
>>> arbitrary file you uploaded?
>>> Are you sure this json response, or this file, will be there in a month?
>>> Or in a year? Is the fact that this json response exists a threat to
>>> youtube? Can you quantify how of a threat? How much, in dollars, does it
>>> hurt their business?
>>>
>>> --Rob
>>>
>>>
>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <
>>> lem.nikolas@googlemail.com> wrote:
>>>
>>>> My claim is now verified....
>>>>
>>>> Cheers!
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>> lem.nikolas@googlemail.com> wrote:
>>>>
>>>>> http://upload.youtube.com/?authuser=0&upload_id=
>>>>> AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
>>>>> uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=
>>>>> CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>
>>>>> That information can be queried from the db, where the metadata are
>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are
>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <
>>>>>> christhom7851@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Nikolas,
>>>>>>>
>>>>>>> Please do read (and understand) my entire email before responding -
>>>>>>> I understand your frustration trying to get your message across but maybe
>>>>>>> this will help.
>>>>>>>
>>>>>>> Please put aside professional pride for the time being - I know how
>>>>>>> it feels to be passionate about something yet have others simply not
>>>>>>> understand.
>>>>>>>
>>>>>>> Let me try and bring some sanity to the discussion and explain to
>>>>>>> you why people maybe not agreeing with you.
>>>>>>>
>>>>>>> You (rightly so) highlighted what you believe to be an issue in a
>>>>>>> Youtube whereby it appears (to you) than you can upload an arbitrary file.
>>>>>>> If you can indeed do this as you suspect then your points are valid and you
>>>>>>> "may" be able to cause various issues associated with it such as DOS etc -
>>>>>>> especially if the uploaded files cannot or are not tracked.
>>>>>>>
>>>>>>> However...
>>>>>>>
>>>>>>> Consider than you are talking to an API and what you are getting
>>>>>>> back (the JSON response) in your example is simply a response from the API
>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>
>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>> intact a valid movie and if not removes it.
>>>>>>>
>>>>>>> If you could for example demonstrate that the file was indeed
>>>>>>> persistent, by being able to retrieve it for example then again, you would
>>>>>>> have solid ground to claim an issue however your claims at this point are
>>>>>>> based on an assumption.... Let me explain.
>>>>>>>
>>>>>>> 1. You have demonstrated than you can send "any" file to an API and
>>>>>>> the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>
>>>>>>> 2. You / we don't know what Google do with files once they have been
>>>>>>> received from the API - maybe they process them and validate them - we
>>>>>>> simply don't know.
>>>>>>>
>>>>>>> 3. You have hypothesized that you can retrieve the file by
>>>>>>> manipulating tokens etc and you may be right, but you have not demonstrated
>>>>>>> it as such.
>>>>>>>
>>>>>>> Because of this, you seem to have made a CLAIM that you can upload
>>>>>>> arbitrary files to Google however SHOWN that you can simply send files to
>>>>>>> an API and an API responds in a certain way.
>>>>>>>
>>>>>>> I am NOT saying you haven't found an issue, what I am saying is that
>>>>>>> you need to demonstrate that the issue is real and thus can be abused. If
>>>>>>> the Google service simply verifies all uploaded files once they are
>>>>>>> uploaded and discards them if invalid, then you haven't really found
>>>>>>> anything.
>>>>>>>
>>>>>>> If you were to prove that you were able to retrieve this uploaded
>>>>>>> file then how could anyone dispute your bug.
>>>>>>>
>>>>>>> Hope this helps....
>>>>>>>
>>>>>>> Cheers!
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/15/2014 02:26, Nicholas Lemonias. wrote:
> https://www.youtube.com/watch?v=G4EkgJtjDvU - Here is proof that
> the file is saved and processed.

<disclaimer>
Compared to probably most of the folks on this list, I have absolutely
no idea what I'm doing.
</disclaimer>

However, at the time I accessed your latest URL (around 2:51 AM EST, or
6:51 GMT), I got a message saying "The video is currently being
processed."

So, for all we know, the file is in some queue, waiting for Google to
notice that it's invalid, at which point it will be deleted.

Please get back to us when we are able to download your invalid file,
via YouTube, on our various machines scattered across the globe.

Also, please stop sending so many damn short emails in a row.
Consolidation is nice.

Thank you,

BW

- --
Brian M. Waters
+1 (908) 380-8214
brian@brianmwaters.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQEcBAEBCgAGBQJTI/v3AAoJEEYNFaEjEsGopDwH/R8q9+1wWsKg0j8Wg5zIdZZr
tVNT0IIh9vyjC57WxxQ2SamKoEWsCSt4A8aQ60gup2ImT+XoRpSYMZKWAyKOwz//
yiDjKKI9fsRRdXaBT3r8uWLftWA8WzASrMqrqMhayj06HNXjRXhyonJVdxxgrg/6
h+FaZYGlYdmrGtb02pve5i7in6OoYBQj4m85KVzq+Pnvfowqo6VHzlLwfK3vaD4a
8sEm+i63N02VT6ItO9y7fCcv52pU0sjepGIoYV2aTHkIR3BaNmyxSEVaOZclDY37
6HFSdkWZP0rvkQefNY6QcUvMfBszxFfecQ5cGfIcbScx35iLChXQMYJpH9dmPao=
=Ngjk
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Just curious; what universities have hired you as a lecturer?


On Sat, Mar 15, 2014 at 1:09 AM, Nicholas Lemonias. <
lem.nikolas@googlemail.com> wrote:

> You are too vague. Please keep this to a level.
>
> Thank you.
>
>
> *Best Regards,*
> *Nicholas Lemonias*
>
> *Advanced Information Security Corporation.*
>
>
> On Sat, Mar 15, 2014 at 5:06 AM, Colette Chamberland <
> cjchamberland@gmail.com> wrote:
>
>> Omg please for the love of all things human STFU!!!
>>
>> Sent from my iPhone
>>
>> On Mar 15, 2014, at 12:43 AM, "Nicholas Lemonias." <
>> lem.nikolas@googlemail.com> wrote:
>>
>> If you wish to talk seriously about the problem, please send me an email
>> privately. And we can talk about what we have found so far, and perhaps
>> present some more proof of concepts for this on going research. This is
>> between the researcher and Google.
>>
>> People who do not have the facts have been, trying to attack the arguer,
>> on the basis of their personal beliefs. We are not speaking from
>> experience, but based on our findings which includes PoC media, images,
>> codes - and based on academic literature and recognised practise. Please
>> bear in mind that a lot of research is conducted in academia (those old
>> papers you say) before finally released to the commercial markets.
>>
>> Regards,
>>
>> *Nicholas Lemonias*
>> *Information Security Expert*
>> *Advanced Information Security Corp.*
>>
>>
>> On Fri, Mar 14, 2014 at 10:49 PM, Mario Vilas <mvilas@gmail.com> wrote:
>>
>>> Try learning how to properly send emails before critizicing anyone, pal.
>>> ;)
>>>
>>>
>>> On Fri, Mar 14, 2014 at 6:44 PM, Nicholas Lemonias. <
>>> lem.nikolas@googlemail.com> wrote:
>>>
>>>>
>>>> People can read the report if they like. Can't you even do basic things
>>>> like reading a vulnerability report?
>>>>
>>>> Can't you see that the advisory is about writing arbitrary files. If I
>>>> was your boss I would fire you.
>>>> ---------- Forwarded message ----------
>>>> From: Nicholas Lemonias. <lem.nikolas@googlemail.com>
>>>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>>>> To: Mario Vilas <mvilas@gmail.com>
>>>>
>>>>
>>>> People can read the report if they like. Can't you even do basic things
>>>> like reading a vulnerability report?
>>>>
>>>> Can't you see that the advisory is about writing arbitrary files. If I
>>>> was your boss I would fire you, with a good kick outta the door.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas <mvilas@gmail.com> wrote:
>>>>
>>>>> On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. <
>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>>> Jerome of Mcafee has made a very valid point on
>>>>>> revisiting separation of duties in this security instance.
>>>>>>
>>>>>> Happy to see more professionals with some skills. Some others have
>>>>>> also mentioned the feasibility for Denial of Service attacks. Remote code
>>>>>> execution by Social Engineering is also a prominent scenario.
>>>>>>
>>>>>
>>>>> Actually, people have been pointing out exactly the opposite. But if
>>>>> you insist on believing you can DoS an EC2 by uploading files, good luck to
>>>>> you then...
>>>>>
>>>>>
>>>>>>
>>>>>> If you can't tell that that is a vulnerability (probably coming from
>>>>>> a bunch of CEH's), I feel sorry for those consultants.
>>>>>>
>>>>>
>>>>> You're the only one throwing around certifications here. I can no
>>>>> longer tell if you're being serious or this is a massive prank.
>>>>>
>>>>>
>>>>>>
>>>>>> Nicholas.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. <
>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>
>>>>>>> We are on a different level perhaps. We do certainly disagree on
>>>>>>> those points.
>>>>>>> I wouldn't hire you as a consultant, if you can't tell if that is a
>>>>>>> valid vulnerability..
>>>>>>>
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Nicholas Lemonias.
>>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvilas@gmail.com>wrote:
>>>>>>>
>>>>>>>> But do you have all the required EH certifications? Try this one
>>>>>>>> from the Institute for
>>>>>>>> Certified Application Security Specialists: http://www.asscert.com/
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. <
>>>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>>>
>>>>>>>>> Thanks Michal,
>>>>>>>>>
>>>>>>>>> We are just trying to improve Google's security and contribute to
>>>>>>>>> the research community after all. If you are still on EFNet give me a shout
>>>>>>>>> some time.
>>>>>>>>>
>>>>>>>>> We have done so and consulted to hundreds of clients including
>>>>>>>>> Microsoft, Nokia, Adobe and some of the world's biggest corporations. We
>>>>>>>>> are also strict supporters of the ACM code of conduct.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Nicholas Lemonias.
>>>>>>>>> AISec
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. <
>>>>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Jerome,
>>>>>>>>>>
>>>>>>>>>> Thank you for agreeing on access control, and separation of
>>>>>>>>>> duties.
>>>>>>>>>>
>>>>>>>>>> However successful exploitation permits arbitrary write() of any
>>>>>>>>>> file of choice.
>>>>>>>>>>
>>>>>>>>>> I could release an exploit code in C Sharp or Python that permits
>>>>>>>>>> multiple file uploads of any file/types, if the Google security team feels
>>>>>>>>>> that this would be necessary. This is unpaid work, so we are not so keen on
>>>>>>>>>> that job.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <
>>>>>>>>>> athiasjerome@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi
>>>>>>>>>>>
>>>>>>>>>>> I concur that we are mainly discussing a terminology problem.
>>>>>>>>>>>
>>>>>>>>>>> In the context of a Penetration Test or WAPT, this is a Finding.
>>>>>>>>>>> Reporting this finding makes sense in this context.
>>>>>>>>>>>
>>>>>>>>>>> As a professional, you would have to explain if/how this finding
>>>>>>>>>>> is a
>>>>>>>>>>> Weakness*, a Violation (/Regulations, Compliance, Policies or
>>>>>>>>>>> Requirements[1])
>>>>>>>>>>> * I would say Weakness + Exposure = Vulnerability. Vulnerability
>>>>>>>>>>> +
>>>>>>>>>>> Exploitability (PoC) = Confirmed Vulnerability that needs
>>>>>>>>>>> Business
>>>>>>>>>>> Impact and Risk Analysis
>>>>>>>>>>>
>>>>>>>>>>> So I would probably have reported this Finding as a Weakness
>>>>>>>>>>> (and not
>>>>>>>>>>> Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is
>>>>>>>>>>> not
>>>>>>>>>>> Best Practice (your OWASP link and Cheat Sheets), and even if
>>>>>>>>>>> mitigative/compensative security controls (Ref Orange Book),
>>>>>>>>>>> security
>>>>>>>>>>> controls like white listing (or at least black listing. see also
>>>>>>>>>>> ESAPI) should be 1) part of the [1]security requirements of a
>>>>>>>>>>> proper
>>>>>>>>>>> SDLC (Build security in) as per Defense-in-Depth security
>>>>>>>>>>> principles
>>>>>>>>>>> and 2) used and implemented correctly.
>>>>>>>>>>> NB: A simple Threat Model (i.e. list of CAPEC) would be a solid
>>>>>>>>>>> support to your report
>>>>>>>>>>> This would help to evaluate/measure the risk (e.g. CVSS).
>>>>>>>>>>> Helping the decision/actions around this risk
>>>>>>>>>>>
>>>>>>>>>>> PS: interestingly, in this case, I'm not sure that the
>>>>>>>>>>> Separation of
>>>>>>>>>>> Duties security principle was applied correctly by Google in
>>>>>>>>>>> term of
>>>>>>>>>>> Risk Acceptance (which could be another Finding)
>>>>>>>>>>>
>>>>>>>>>>> So in few words, be careful with the terminology. (don't always
>>>>>>>>>>> say
>>>>>>>>>>> vulnerability like the media say hacker, see RFC1392) Use a CWE
>>>>>>>>>>> ID
>>>>>>>>>>> (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)
>>>>>>>>>>>
>>>>>>>>>>> My 2 bitcents
>>>>>>>>>>> Sorry if it is not edible :)
>>>>>>>>>>> Happy Hacking!
>>>>>>>>>>>
>>>>>>>>>>> /JA
>>>>>>>>>>> https://github.com/athiasjerome/XORCISM
>>>>>>>>>>>
>>>>>>>>>>> 2014-03-14 7:19 GMT+03:00 Michal Zalewski <lcamtuf@coredump.cx>:
>>>>>>>>>>> > Nicholas,
>>>>>>>>>>> >
>>>>>>>>>>> > I remember my early years in the infosec community - and
>>>>>>>>>>> sadly, so do
>>>>>>>>>>> > some of the more seasoned readers of this list :-) Back then, I
>>>>>>>>>>> > thought that the only thing that mattered is the ability to
>>>>>>>>>>> find bugs.
>>>>>>>>>>> > But after some 18 years in the industry, I now know that
>>>>>>>>>>> there's an
>>>>>>>>>>> > even more important and elusive skill.
>>>>>>>>>>> >
>>>>>>>>>>> > That skill boils down to having a robust mental model of what
>>>>>>>>>>> > constitutes a security flaw - and being able to explain your
>>>>>>>>>>> thinking
>>>>>>>>>>> > to others in a precise and internally consistent manner that
>>>>>>>>>>> convinces
>>>>>>>>>>> > others to act. We need this because the security of a system
>>>>>>>>>>> can't be
>>>>>>>>>>> > usefully described using abstract terms: even the academic
>>>>>>>>>>> definitions
>>>>>>>>>>> > ultimately boil down to saying "the system is secure if it
>>>>>>>>>>> doesn't do
>>>>>>>>>>> > the things we *really* don't want it to do".
>>>>>>>>>>> >
>>>>>>>>>>> > In this spirit, the term "vulnerability" is generally reserved
>>>>>>>>>>> for
>>>>>>>>>>> > behaviors that meet all of the following criteria:
>>>>>>>>>>> >
>>>>>>>>>>> > 1) The behavior must have negative consequences for at least
>>>>>>>>>>> one of
>>>>>>>>>>> > the legitimate stakeholders (users, service owners, etc),
>>>>>>>>>>> >
>>>>>>>>>>> > 2) The consequences must be widely seen as unexpected and
>>>>>>>>>>> unacceptable,
>>>>>>>>>>> >
>>>>>>>>>>> > 3) There must be a realistic chance of such a negative outcome,
>>>>>>>>>>> >
>>>>>>>>>>> > 4) The behavior must introduce substantial new risks that go
>>>>>>>>>>> beyond
>>>>>>>>>>> > the previously accepted trade-offs.
>>>>>>>>>>> >
>>>>>>>>>>> > If we don't have that, we usually don't have a case, no matter
>>>>>>>>>>> how
>>>>>>>>>>> > clever the bug is.
>>>>>>>>>>> >
>>>>>>>>>>> > Cheers (and happy hunting!),
>>>>>>>>>>> > /mz
>>>>>>>>>>> >
>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>> > Full-Disclosure - We believe in it.
>>>>>>>>>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> "There's a reason we separate military and the police: one fights
>>>>>>>> the enemy of the state, the other serves and protects the people. When
>>>>>>>> the military becomes both, then the enemies of the state tend to become the
>>>>>>>> people."
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> "There's a reason we separate military and the police: one fights
>>>>> the enemy of the state, the other serves and protects the people. When
>>>>> the military becomes both, then the enemies of the state tend to become the
>>>>> people."
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> "There's a reason we separate military and the police: one fights
>>> the enemy of the state, the other serves and protects the people. When
>>> the military becomes both, then the enemies of the state tend to become the
>>> people."
>>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Btw, not sure if someone already mentioned it, but you are really
reaching the level
of MustLive. That's actually a big achievement. Congratz.

I'm not sure if you got what lcamtuf is saying (I'm impressed he still
takes time to reply to you),
apparently not. You're still trying to convince us that you're right.

Maybe you can create the next LOIC specifically tailored to DoS Youtube
with this serious bug, ROFL!

Cheers
antisnatchor

Nicholas Lemonias. wrote:
> If you wish to talk seriously about the problem, please send me an email
> privately. And we can talk about what we have found so far, and perhaps
> present some more proof of concepts for this on going research. This is
> between the researcher and Google.
>
> People who do not have the facts have been, trying to attack the arguer, on
> the basis of their personal beliefs. We are not speaking from experience,
> but based on our findings which includes PoC media, images, codes - and
> based on academic literature and recognised practise. Please bear in mind
> that a lot of research is conducted in academia (those old papers you
> say) before finally released to the commercial markets.
>
> Regards,
>
> *Nicholas Lemonias*
> *Information Security Expert*
> *Advanced Information Security Corp.*
>
>
> On Fri, Mar 14, 2014 at 10:49 PM, Mario Vilas <mvilas@gmail.com> wrote:
>
>> Try learning how to properly send emails before critizicing anyone, pal. ;)
>>
>>
>> On Fri, Mar 14, 2014 at 6:44 PM, Nicholas Lemonias. <
>> lem.nikolas@googlemail.com> wrote:
>>
>>> People can read the report if they like. Can't you even do basic things
>>> like reading a vulnerability report?
>>>
>>> Can't you see that the advisory is about writing arbitrary files. If I
>>> was your boss I would fire you.
>>> ---------- Forwarded message ----------
>>> From: Nicholas Lemonias. <lem.nikolas@googlemail.com>
>>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>>> To: Mario Vilas <mvilas@gmail.com>
>>>
>>>
>>> People can read the report if they like. Can't you even do basic things
>>> like reading a vulnerability report?
>>>
>>> Can't you see that the advisory is about writing arbitrary files. If I
>>> was your boss I would fire you, with a good kick outta the door.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas <mvilas@gmail.com> wrote:
>>>
>>>> On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. <
>>>> lem.nikolas@googlemail.com> wrote:
>>>>
>>>>> Jerome of Mcafee has made a very valid point on revisiting separation
>>>>> of duties in this security instance.
>>>>>
>>>>> Happy to see more professionals with some skills. Some others have
>>>>> also mentioned the feasibility for Denial of Service attacks. Remote code
>>>>> execution by Social Engineering is also a prominent scenario.
>>>>>
>>>> Actually, people have been pointing out exactly the opposite. But if you
>>>> insist on believing you can DoS an EC2 by uploading files, good luck to you
>>>> then...
>>>>
>>>>
>>>>> If you can't tell that that is a vulnerability (probably coming from a
>>>>> bunch of CEH's), I feel sorry for those consultants.
>>>>>
>>>> You're the only one throwing around certifications here. I can no longer
>>>> tell if you're being serious or this is a massive prank.
>>>>
>>>>
>>>>> Nicholas.
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. <
>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>
>>>>>> We are on a different level perhaps. We do certainly disagree on those
>>>>>> points.
>>>>>> I wouldn't hire you as a consultant, if you can't tell if that is a
>>>>>> valid vulnerability..
>>>>>>
>>>>>>
>>>>>> Best Regards,
>>>>>> Nicholas Lemonias.
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvilas@gmail.com>wrote:
>>>>>>
>>>>>>> But do you have all the required EH certifications? Try this one from
>>>>>>> the Institute for
>>>>>>> Certified Application Security Specialists: http://www.asscert.com/
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. <
>>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>>
>>>>>>>> Thanks Michal,
>>>>>>>>
>>>>>>>> We are just trying to improve Google's security and contribute to
>>>>>>>> the research community after all. If you are still on EFNet give me a shout
>>>>>>>> some time.
>>>>>>>>
>>>>>>>> We have done so and consulted to hundreds of clients including
>>>>>>>> Microsoft, Nokia, Adobe and some of the world's biggest corporations. We
>>>>>>>> are also strict supporters of the ACM code of conduct.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Nicholas Lemonias.
>>>>>>>> AISec
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. <
>>>>>>>> lem.nikolas@googlemail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Jerome,
>>>>>>>>>
>>>>>>>>> Thank you for agreeing on access control, and separation of duties.
>>>>>>>>>
>>>>>>>>> However successful exploitation permits arbitrary write() of any
>>>>>>>>> file of choice.
>>>>>>>>>
>>>>>>>>> I could release an exploit code in C Sharp or Python that permits
>>>>>>>>> multiple file uploads of any file/types, if the Google security team feels
>>>>>>>>> that this would be necessary. This is unpaid work, so we are not so keen on
>>>>>>>>> that job.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <
>>>>>>>>> athiasjerome@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> I concur that we are mainly discussing a terminology problem.
>>>>>>>>>>
>>>>>>>>>> In the context of a Penetration Test or WAPT, this is a Finding.
>>>>>>>>>> Reporting this finding makes sense in this context.
>>>>>>>>>>
>>>>>>>>>> As a professional, you would have to explain if/how this finding
>>>>>>>>>> is a
>>>>>>>>>> Weakness*, a Violation (/Regulations, Compliance, Policies or
>>>>>>>>>> Requirements[1])
>>>>>>>>>> * I would say Weakness + Exposure = Vulnerability. Vulnerability +
>>>>>>>>>> Exploitability (PoC) = Confirmed Vulnerability that needs Business
>>>>>>>>>> Impact and Risk Analysis
>>>>>>>>>>
>>>>>>>>>> So I would probably have reported this Finding as a Weakness (and
>>>>>>>>>> not
>>>>>>>>>> Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not
>>>>>>>>>> Best Practice (your OWASP link and Cheat Sheets), and even if
>>>>>>>>>> mitigative/compensative security controls (Ref Orange Book),
>>>>>>>>>> security
>>>>>>>>>> controls like white listing (or at least black listing. see also
>>>>>>>>>> ESAPI) should be 1) part of the [1]security requirements of a
>>>>>>>>>> proper
>>>>>>>>>> SDLC (Build security in) as per Defense-in-Depth security
>>>>>>>>>> principles
>>>>>>>>>> and 2) used and implemented correctly.
>>>>>>>>>> NB: A simple Threat Model (i.e. list of CAPEC) would be a solid
>>>>>>>>>> support to your report
>>>>>>>>>> This would help to evaluate/measure the risk (e.g. CVSS).
>>>>>>>>>> Helping the decision/actions around this risk
>>>>>>>>>>
>>>>>>>>>> PS: interestingly, in this case, I'm not sure that the Separation
>>>>>>>>>> of
>>>>>>>>>> Duties security principle was applied correctly by Google in term
>>>>>>>>>> of
>>>>>>>>>> Risk Acceptance (which could be another Finding)
>>>>>>>>>>
>>>>>>>>>> So in few words, be careful with the terminology. (don't always say
>>>>>>>>>> vulnerability like the media say hacker, see RFC1392) Use a CWE ID
>>>>>>>>>> (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)
>>>>>>>>>>
>>>>>>>>>> My 2 bitcents
>>>>>>>>>> Sorry if it is not edible :)
>>>>>>>>>> Happy Hacking!
>>>>>>>>>>
>>>>>>>>>> /JA
>>>>>>>>>> https://github.com/athiasjerome/XORCISM
>>>>>>>>>>
>>>>>>>>>> 2014-03-14 7:19 GMT+03:00 Michal Zalewski <lcamtuf@coredump.cx>:
>>>>>>>>>>> Nicholas,
>>>>>>>>>>>
>>>>>>>>>>> I remember my early years in the infosec community - and sadly,
>>>>>>>>>> so do
>>>>>>>>>>> some of the more seasoned readers of this list :-) Back then, I
>>>>>>>>>>> thought that the only thing that mattered is the ability to find
>>>>>>>>>> bugs.
>>>>>>>>>>> But after some 18 years in the industry, I now know that there's
>>>>>>>>>> an
>>>>>>>>>>> even more important and elusive skill.
>>>>>>>>>>>
>>>>>>>>>>> That skill boils down to having a robust mental model of what
>>>>>>>>>>> constitutes a security flaw - and being able to explain your
>>>>>>>>>> thinking
>>>>>>>>>>> to others in a precise and internally consistent manner that
>>>>>>>>>> convinces
>>>>>>>>>>> others to act. We need this because the security of a system
>>>>>>>>>> can't be
>>>>>>>>>>> usefully described using abstract terms: even the academic
>>>>>>>>>> definitions
>>>>>>>>>>> ultimately boil down to saying "the system is secure if it
>>>>>>>>>> doesn't do
>>>>>>>>>>> the things we *really* don't want it to do".
>>>>>>>>>>>
>>>>>>>>>>> In this spirit, the term "vulnerability" is generally reserved
>>>>>>>>>> for
>>>>>>>>>>> behaviors that meet all of the following criteria:
>>>>>>>>>>>
>>>>>>>>>>> 1) The behavior must have negative consequences for at least one
>>>>>>>>>> of
>>>>>>>>>>> the legitimate stakeholders (users, service owners, etc),
>>>>>>>>>>>
>>>>>>>>>>> 2) The consequences must be widely seen as unexpected and
>>>>>>>>>> unacceptable,
>>>>>>>>>>> 3) There must be a realistic chance of such a negative outcome,
>>>>>>>>>>>
>>>>>>>>>>> 4) The behavior must introduce substantial new risks that go
>>>>>>>>>> beyond
>>>>>>>>>>> the previously accepted trade-offs.
>>>>>>>>>>>
>>>>>>>>>>> If we don't have that, we usually don't have a case, no matter
>>>>>>>>>> how
>>>>>>>>>>> clever the bug is.
>>>>>>>>>>>
>>>>>>>>>>> Cheers (and happy hunting!),
>>>>>>>>>>> /mz
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> "There's a reason we separate military and the police: one fights
>>>>>>> the enemy of the state, the other serves and protects the people. When
>>>>>>> the military becomes both, then the enemies of the state tend to become the
>>>>>>> people."
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>> --
>>>> "There's a reason we separate military and the police: one fights
>>>> the enemy of the state, the other serves and protects the people. When
>>>> the military becomes both, then the enemies of the state tend to become the
>>>> people."
>>>>
>>>
>> --
>> "There's a reason we separate military and the police: one fights
>> the enemy of the state, the other serves and protects the people. When
>> the military becomes both, then the enemies of the state tend to become the
>> people."
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Cheers
Michele
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
On Sat, Mar 15, 2014 at 5:43 AM, Nicholas Lemonias. <
lem.nikolas@googlemail.com> wrote:

> People who do not have the facts have been, trying to attack the arguer,
> on the basis of their personal beliefs.


Wow. I seriously can't tell if you're trolling or unbelievably narcissistic.

Your work has serious flaws, and have been pointed out with facts over and
over - but you think they're ad-hominem attacks based on the tone of their
replies. Zalewski here is just trying to be nice and patient with you - but
you somehow seem to believe he agrees with you based on the tone of his
replies.

You're either faking it and pulling a massive prank on all of us, or you're
so self absorbed you can't get past your own emotional responses to people
pointing out your mistakes. The actual contents of what they tell you are
irrelevant to you, all that matters is if people praise or criticize you.

I'm beginning to think you may have issues and we should all back off for a
while.

--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
That is not what this email says. You can't reply "correct" to criticism
and pretend it's praise.


On Sat, Mar 15, 2014 at 6:11 AM, Nicholas Lemonias. <
lem.nikolas@googlemail.com> wrote:

> Correct.
>
> The mime type can be circumvented. We can confirm this to be a valid
> vulnerability.
>
> For the PoC's :
>
>
> http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
>
> On Fri, Mar 14, 2014 at 8:40 PM, Krzysztof Kotowicz <
> kkotowicz+fd@gmail.com> wrote:
>
>>
>> 2014-03-14 20:28 GMT+01:00 Nicholas Lemonias. <lem.nikolas@googlemail.com
>> >:
>>
>> Then that also means that firewalls and IPS systems are worthless. Why
>>> spend so much time protecting the network layers if a user can send any
>>> file of choice to a remote network through http...
>>>
>>
>> No, they are not worthless per se, but of course for an user content
>> publishing service they need to allow file upload over HTTP/s. How far
>> those files are inspected and later processed is another question - and
>> that could lead to a vulnerability that you DIDN'T demonstrate.
>>
>> You just uploaded a .sh file. There's no harm in that as nowhere did you
>> prove that that file is being executed. Similarly (and that has been
>> pointed out in this thread) you could upload a PHP-GIF polyglot file to a
>> J2EE application - no vulnerability in this. Prove something by overwriting
>> a crucial file, tricking other user's browser to execute the file as HTML
>> from an interesting domain (XSS), popping a shell, triggering XXE when the
>> file is processed as XML, anything. Then that is a vulnerability. So far -
>> sorry, it is not, and you've been told it repeatedly.
>>
>>
>> As for the uploaded files being persistent, there is evidence of that.
>>> For instance a remote admin could be tricked to execute some of
>>> the uploaded files (Social Engineering).
>>>
>>
>> Come on, seriously? Social Engineering can make him download this file
>> from pastebin just as well. That's a real stretch.
>>
>> IMHO it is not a security issue. You're uploading a file to some kind of
>> processing queue that does not validate a file type, but nevertheless only
>> processes those files as video - there is NO reason to suspect otherwise,
>> and I'd like to be proven wrong here. Proven as in PoC.
>>
>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Some of the replies in this thread are very unfair to the original poster. I have read the news story and have thoroughly read the proof of concepts which in my opinion indicate that this is surely a security vulnerability. I have worked for Lumension as a security consultant for more than a decade. I have never thought that Google would have gone that far. Quite scary if you ask me... Do not be discouraged, as a security researcher I have also been getting that. I can certainly certify that this is a security problem, no doubts about that. Big Al


Get your free email @
http://www.xtcmail.com
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
> As a professional penetration tester, [...]
> The JSON service responds to GET requests , and there is a good chance that
> the service is also vulnerable to JSON Hijacking attacks.

That's... not how XSSI works.

To have a script inclusion vulnerability, you need to have a vanilla
GET response that contains some user-specific secrets that are
returned to the caller based on HTTP cookies (or, less likely, other
"ambient" credentials). For example, a script response that discloses
the contents of your mailbox or the list of private contacts would be
of concern.

Further, the response must be in a format that can be not only loaded,
but also inspected by another site opened in your browser; most types
of JSONP fall into this category, but JSON generally does not,
essentially because of how the meaning of "{" is overloaded in JS
depending on where it appears in a block of code.

Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Hello,

I am a security professional and risk manager in UAE. I support that the remote file upload on YouTube is a vulnerability, and I am sure about this. Not the slightest doubts...

There is a different between a vulnerability and an exploit. The vulnerability here is the lack of any file extension checks, content type verification “$_FILES['uploadedfile']['type']” holds the value of the MIME type. A hacker can easily upload files using a script that allows the sending or tampering of HTTP POST requests.

e.g:

<?php
//Demo1.php
if($_FILES['uploadedfile']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.n";
} else {
echo "File uploading failed.n";
}
?>
Read this for more info if you like: http://resources.infosecinstitute.com/file-upload-vulnerabilities/

if not (rwx) and only (w) to a temporary file even, the spread of malware is real no matter if the file is executed at the time is upload.

For the JSON reply:

A hacker exploits a JSON (javascript) object that has information of interest for example holding some values for cookies. A lot of times that exploits the same policy origin. The JSON object returned from a server can be forged over writing javascript function that create the object. This happens because of the same origin policy problem in browsers that cannot say if js execution it different for two different sites.


Sincerely ,
T. Imbrahim


--- lcamtuf@coredump.cx wrote:

From: Michal Zalewski <lcamtuf@coredump.cx>
To: M Kirschbaum <pr0ix@yahoo.co.uk>
Cc: "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 09:46:27 -0700

> As a professional penetration tester, [...]
> The JSON service responds to GET requests , and there is a good chance that
> the service is also vulnerable to JSON Hijacking attacks.

That's... not how XSSI works.

To have a script inclusion vulnerability, you need to have a vanilla
GET response that contains some user-specific secrets that are
returned to the caller based on HTTP cookies (or, less likely, other
"ambient" credentials). For example, a script response that discloses
the contents of your mailbox or the list of private contacts would be
of concern.

Further, the response must be in a format that can be not only loaded,
but also inspected by another site opened in your browser; most types
of JSONP fall into this category, but JSON generally does not,
essentially because of how the meaning of "{" is overloaded in JS
depending on where it appears in a block of code.

Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
> A hacker exploits a JSON (javascript) object that has information of interest for example holding some values for cookies. A lot of times that exploits the same policy origin. The JSON object returned from a server can be forged over writing javascript function that create the object. This happens because of the same origin policy problem in browsers that cannot say if js execution it different for two different sites.

To be honest, I'm not sure I follow, but I'm fairly confident that my
original point stands. If you believe that well-formed JSON objects
without padding can be read across origins within the browser, I would
love to see more information about that. (In this particular case, it
still wouldn't matter because the response doesn't contain secrets,
but it would certainly break a good chunk of the Internet.) JSONP is a
different animal.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Is this treated with the same way that says that Remote File Inclusion is not a security issue ?

You don't follow? Implying ?

I understand why nobody likes Google. If I 've found a vulnerability and been treated like that for trying to help, I would rather sell it to the black market or to some government.

The NSA maybe is happy to buy a RFI on Google, im sure they could make good use of that. Google is very deceptive in security matters.

--- lcamtuf@coredump.cx wrote:

From: Michal Zalewski <lcamtuf@coredump.cx>
To: TImbrahim@techemail.com
Cc: pr0ix@yahoo.co.uk, full-disclosure <full-disclosure@lists.grok.org.uk>
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 10:59:40 -0700

> A hacker exploits a JSON (javascript) object that has information of interest for example holding some values for cookies. A lot of times that exploits the same policy origin. The JSON object returned from a server can be forged over writing javascript function that create the object. This happens because of the same origin policy problem in browsers that cannot say if js execution it different for two different sites.

To be honest, I'm not sure I follow, but I'm fairly confident that my
original point stands. If you believe that well-formed JSON objects
without padding can be read across origins within the browser, I would
love to see more information about that. (In this particular case, it
still wouldn't matter because the response doesn't contain secrets,
but it would certainly break a good chunk of the Internet.) JSONP is a
different animal.

/mz




_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
> Is this treated with the same way that says that Remote File Inclusion is not a security issue ?

I'm not sure how RFI came into play on this thread - the original
report wasn't about RFI.

I don't have an agenda here; I'm just trying to get to the bottom of
it and make sure that we converge on a common understanding of the
issue. As in any argument, it's fairly likely that one of us is wrong,
and I accept that it could very well be me - I have been wrong quite a
few times in my life, and it's always a valuable learning opportunity.

I think it's unfortunate that the thread has devolved into various
accusations and credential-slinging, because it reduces the likelihood
of such a productive outcome. Please feel free to ping me directly any
time, though - I'm happy to chat.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
The thread read Google vulnerabilities with PoC. From my understanding it was a RFI vulnerability on YouTube, and I voiced my support that this is a vulnerability.

I also explained a JSON Hijacking case as a follow up, and you said you didn't follow. So I am just saying that treating security that way, there are other parties like NSA who welcome them happily.



--- lcamtuf@coredump.cx wrote:

From: Michal Zalewski <lcamtuf@coredump.cx>
To: TImbrahim@techemail.com
Cc: M Kirschbaum <pr0ix@yahoo.co.uk>, full-disclosure <full-disclosure@lists.grok.org.uk>
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 11:47:19 -0700

> Is this treated with the same way that says that Remote File Inclusion is not a security issue ?

I'm not sure how RFI came into play on this thread - the original
report wasn't about RFI.

I don't have an agenda here; I'm just trying to get to the bottom of
it and make sure that we converge on a common understanding of the
issue. As in any argument, it's fairly likely that one of us is wrong,
and I accept that it could very well be me - I have been wrong quite a
few times in my life, and it's always a valuable learning opportunity.

I think it's unfortunate that the thread has devolved into various
accusations and credential-slinging, because it reduces the likelihood
of such a productive outcome. Please feel free to ping me directly any
time, though - I'm happy to chat.

Cheers,
/mz




_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

1 2 3 4  View All