Mailing List Archive

Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
> The thread read Google vulnerabilities with PoC. From my understanding it was a RFI vulnerability on YouTube, and I voiced my support that this is a vulnerability.

I don't think this is accurate, at least based on the standard
definition of RFI: a server-side scripting language - usually PHP -
accidentally executing a script fetched from a remote server because
it passed an attacker-controlled string to an API that allows both
local file paths and remote URLs.

The report talks about a different behavior: the ability for users to
upload video and non-video content using legitimate functionality of
the site, without a way to make the server do anything interesting
with the received data. This may or may not be interesting on its own
merit, but I think it's pretty far from RFI.

> I also explained a JSON Hijacking case as a follow up, and you said you didn't follow.

Yup, I am genuinely not familiar with the attack vector that *I think*
you are describing, or why it would matter in this context. My earlier
message in this thread explains my reasoning (in essence, there are
certain conditions that have to be met for a typical XSSI bug, and I
don't think they are met here), but if my understanding is wrong, I'd
really like to learn about the proposed attack.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
On 16 Mar 2014 23:36, "T Imbrahim" <TImbrahim@techemail.com> wrote:
>
> The thread read Google vulnerabilities with PoC. From my understanding
it was a RFI vulnerability on YouTube, and I voiced my support that this
is a vulnerability.
>
> I also explained a JSON Hijacking case as a follow up, and you said you
didn't follow. So I am just saying that treating security that way, there
are other parties like NSA who welcome them happily.
>

I think these guys - Alfred, Kirschbaum and Imbrahim are the OP's sock
puppets.

They are all first time posters from unusual free email providers jumping
to defend the OP out of nowhere. If you search Google for their emails you
only find references to this thread.

They present similar (false and /or incorrect) arguments, talk about their
extensive work experience, bash Google and its security team and send
repeated emails with exactly the same text.

This is turning into a madhouse... I hope this guy doesn't have access to a
gun.

Regards
Pedro
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
What drugs are you on Pedro Ribeiro I wonder ...? I express my views, if you don't like them don't watch them. Your responses so far have only been assy speculations so don't tell me I'm wrong, and please don't say things like that. I don't know who the other people are, but what is true in security I support. Why would you Google my name ... ? Is the English language causing you ill effects?
--- pedrib@gmail.com wrote:

From: Pedro Ribeiro <pedrib@gmail.com>
To: TImbrahim@techemail.com
Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski <lcamtuf@coredump.cx>, mvilas@gmail.com, gynvael@coldwind.pl
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Mon, 17 Mar 2014 09:24:08 +0000




On 16 Mar 2014 23:36, "T Imbrahim" <TImbrahim@techemail.com> wrote:
>
> The thread read Google vulnerabilities with PoC. From my understanding it was a RFI vulnerability on YouTube, and I voiced my support that this is a vulnerability.
>
> I also explained a JSON Hijacking case as a follow up, and you said you didn't follow. So I am just saying that treating security that way, there are other parties like NSA who welcome them happily.
>

I think these guys - Alfred, Kirschbaum and Imbrahim are the OP's sock puppets.

They are all first time posters from unusual free email providers jumping to defend the OP out of nowhere. If you search Google for their emails you only find references to this thread.

They present similar (false and /or incorrect) arguments, talk about their extensive work experience, bash Google and its security team and send repeated emails with exactly the same text.

This is turning into a madhouse... I hope this guy doesn't have access to a gun.

Regards
Pedro



Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Please stop changing hats, it's embarrassing.


On Sat, Mar 15, 2014 at 7:36 PM, T Imbrahim <TImbrahim@techemail.com> wrote:

> Is this treated with the same way that says that Remote File Inclusion is
> not a security issue ?
>
> You don't follow? Implying ?
>
> I understand why nobody likes Google. If I 've found a vulnerability and
> been treated like that for trying to help, I would rather sell it to the
> black market or to some government.
>
> The NSA maybe is happy to buy a RFI on Google, im sure they could make
> good use of that. Google is very deceptive in security matters.
>
> --- lcamtuf@coredump.cx wrote:
>
> From: Michal Zalewski <lcamtuf@coredump.cx>
> To: TImbrahim@techemail.com
> Cc: pr0ix@yahoo.co.uk, full-disclosure <full-disclosure@lists.grok.org.uk>
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> Date: Sat, 15 Mar 2014 10:59:40 -0700
>
> > A hacker exploits a JSON (javascript) object that has information of
> interest for example holding some values for cookies. A lot of times that
> exploits the same policy origin. The JSON object returned from a server can
> be forged over writing javascript function that create the object. This
> happens because of the same origin policy problem in browsers that cannot
> say if js execution it different for two different sites.
>
> To be honest, I'm not sure I follow, but I'm fairly confident that my
> original point stands. If you believe that well-formed JSON objects
> without padding can be read across origins within the browser, I would
> love to see more information about that. (In this particular case, it
> still wouldn't matter because the response doesn't contain secrets,
> but it would certainly break a good chunk of the Internet.) JSONP is a
> different animal.
>
> /mz
>



--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
ROFL



On Mon, Mar 17, 2014 at 11:07 AM, T Imbrahim <TImbrahim@techemail.com> wrote:

> What drugs are you on Pedro Ribeiro I wonder ...?
>
> I express my views, if you don't like them don't watch them. Your responses so
> far have only been assy speculations so don't tell me I'm wrong, and please
> don't say things like that. I don't know who the other people are, but what
> is true in security I support. Why would you Google my name ... ?
>
> Is the English language causing you ill effects?
>
> --- pedrib@gmail.com wrote:
>
> From: Pedro Ribeiro <pedrib@gmail.com>
> To: TImbrahim@techemail.com
> Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski <
> lcamtuf@coredump.cx>, mvilas@gmail.com, gynvael@coldwind.pl
>
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> Date: Mon, 17 Mar 2014 09:24:08 +0000
>
>
> On 16 Mar 2014 23:36, "T Imbrahim" <TImbrahim@techemail.com> wrote:
> >
> > The thread read Google vulnerabilities with PoC. From my understanding
> it was a RFI vulnerability on YouTube, and I voiced my support that this
> is a vulnerability.
> >
> > I also explained a JSON Hijacking case as a follow up, and you said you
> didn't follow. So I am just saying that treating security that way, there
> are other parties like NSA who welcome them happily.
> >
>
> I think these guys - Alfred, Kirschbaum and Imbrahim are the OP's sock
> puppets.
>
> They are all first time posters from unusual free email providers jumping
> to defend the OP out of nowhere. If you search Google for their emails you
> only find references to this thread.
>
> They present similar (false and /or incorrect) arguments, talk about their
> extensive work experience, bash Google and its security team and send
> repeated emails with exactly the same text.
>
> This is turning into a madhouse... I hope this guy doesn't have access to
> a gun.
>
> Regards
> Pedro
>
>
>



--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Ooh goodie, where and what happened to N3td3v, he used to crack me up :D :D
On 3/17/14, Mario Vilas <mvilas@gmail.com> wrote:
> ROFL
>
>
>
> On Mon, Mar 17, 2014 at 11:07 AM, T Imbrahim
> <TImbrahim@techemail.com> wrote:
>
>> What drugs are you on Pedro Ribeiro I wonder ...?
>>
>> I express my views, if you don't like them don't watch them. Your responses so
>> far have only been assy speculations so don't tell me I'm wrong, and
>> please
>> don't say things like that. I don't know who the other people are, but
>> what
>> is true in security I support. Why would you Google my name ... ?
>>
>> Is the English language causing you ill effects?
>>
>> --- pedrib@gmail.com wrote:
>>
>> From: Pedro Ribeiro <pedrib@gmail.com>
>> To: TImbrahim@techemail.com
>> Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski <
>> lcamtuf@coredump.cx>, mvilas@gmail.com, gynvael@coldwind.pl
>>
>> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
>> Date: Mon, 17 Mar 2014 09:24:08 +0000
>>
>>
>> On 16 Mar 2014 23:36, "T Imbrahim" <TImbrahim@techemail.com> wrote:
>> >
>> > The thread read Google vulnerabilities with PoC. From my understanding
>> it was a RFI vulnerability on YouTube, and I voiced my support that this
>> is a vulnerability.
>> >
>> > I also explained a JSON Hijacking case as a follow up, and you said you
>> didn't follow. So I am just saying that treating security that way,
>> there
>> are other parties like NSA who welcome them happily.
>> >
>>
>> I think these guys - Alfred, Kirschbaum and Imbrahim are the OP's sock
>> puppets.
>>
>> They are all first time posters from unusual free email providers jumping
>> to defend the OP out of nowhere. If you search Google for their emails
>> you
>> only find references to this thread.
>>
>> They present similar (false and /or incorrect) arguments, talk about
>> their
>> extensive work experience, bash Google and its security team and send
>> repeated emails with exactly the same text.
>>
>> This is turning into a madhouse... I hope this guy doesn't have access to
>> a gun.
>>
>> Regards
>> Pedro
>>
>>
>>
>
>
>
> --
> "There's a reason we separate military and the police: one fights the enemy
> of the state, the other serves and protects the people. When the military
> becomes both, then the enemies of the state tend to become the people."
>


--
Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com

{FORUM}http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/

Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Hi,

The only probable way of exploiting it I can see would be if the servers
at Google where the files are uploaded would perform some specific tasks
with such files that could result in exploiting a vulnerability in any
of the used software (and this is something the "discoverer" failed to
probe). An example: Google malware scans the uploaded file with some AV
engine and the file is actually an exploit targeting one or more AV
products. I don't think this is the case and, even in this case, there
wouldn't be any Google's vulnerability but, rather, a vulnerability in
another product from another company.

So, in short: this conversation is stupid. There is no vulnerability we
can see here and, if there is, it cannot be probed by the discoverer and
he and his buddies attach to either ad hominem arguments or to
statements like "I am XXX with YYY years of experience doing ZZZ"
mistakenly thinking it could back any of their paranoias.

What else do we need to discuss here? I think it's time to stop this
conversation. And, yes, I know that sending an e-mail to ask for
stopping a conversation on FD is stupid too.

Regards,
Joxean Koret
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Hey,

At least to me I am security paranoid. Remote File Inclusion of files to a trusted network seems like a well backed up vulnerability. I think we are talking about Google here, not your favourite pizza website. I personally congratulate the author for finding it, whether probing it or not. And I have nothing to do with the authors, just supporting what is right.

I definitely would patch my computer if I discovered that somebody could upload files to my computer, even though I couldn't 'probe' them.



--- joxeankoret@yahoo.es wrote:

From: Joxean Koret <joxeankoret@yahoo.es>
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Mon, 17 Mar 2014 12:27:27 +0100

Hi,

The only probable way of exploiting it I can see would be if the servers
at Google where the files are uploaded would perform some specific tasks
with such files that could result in exploiting a vulnerability in any
of the used software (and this is something the "discoverer" failed to
probe). An example: Google malware scans the uploaded file with some AV
engine and the file is actually an exploit targeting one or more AV
products. I don't think this is the case and, even in this case, there
wouldn't be any Google's vulnerability but, rather, a vulnerability in
another product from another company.

So, in short: this conversation is stupid. There is no vulnerability we
can see here and, if there is, it cannot be probed by the discoverer and
he and his buddies attach to either ad hominem arguments or to
statements like "I am XXX with YYY years of experience doing ZZZ"
mistakenly thinking it could back any of their paranoias.

What else do we need to discuss here? I think it's time to stop this
conversation. And, yes, I know that sending an e-mail to ask for
stopping a conversation on FD is stupid too.

Regards,
Joxean Koret

Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Especially considering that all three use Tor to post on the list. I wonder why.
Other header/content details can be interesting as well...


2014-03-17 10:24 GMT+01:00 Pedro Ribeiro <pedrib@gmail.com>:
>
> On 16 Mar 2014 23:36, "T Imbrahim" <TImbrahim@techemail.com> wrote:
>>
>> The thread read Google vulnerabilities with PoC. From my understanding it
>> was a RFI vulnerability on YouTube, and I voiced my support that this is a
>> vulnerability.
>>
>> I also explained a JSON Hijacking case as a follow up, and you said you
>> didn't follow. So I am just saying that treating security that way, there
>> are other parties like NSA who welcome them happily.
>>
>
> I think these guys - Alfred, Kirschbaum and Imbrahim are the OP's sock
> puppets.
>
> They are all first time posters from unusual free email providers jumping to
> defend the OP out of nowhere. If you search Google for their emails you only
> find references to this thread.
>
> They present similar (false and /or incorrect) arguments, talk about their
> extensive work experience, bash Google and its security team and send
> repeated emails with exactly the same text.
>
> This is turning into a madhouse... I hope this guy doesn't have access to a
> gun.
>
> Regards
> Pedro
>
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
On Mon, Mar 17, 2014 at 2:25 PM, T Imbrahim <TImbrahim@techemail.com> wrote:

> I definitely would patch my computer if I discovered that somebody could
> upload files to my computer, even though I couldn't 'probe' them.


1) I don't think you understood the meaning of the word "probe" in this
context, Nikolas,
2) Does that mean you believe Dropbox is vulnerable to remote file upload
too?


--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
On 17 Mar 2014 13:39, "Źmicier Januszkiewicz" <gauri@tut.by> wrote:
>
> Especially considering that all three use Tor to post on the list. I
wonder why.
> Other header/content details can be interesting as well...
>

Good catch, I didn't even remember checking the headers.
Have a look at the comments posted in the softpedia article - I can smell
more dirty socks in there.

And for even more fun read his interview:
http://m.softpedia.com/softpedia-interview-nicholas-lemonias-on-satellite-communication-vulnerabilities-420589.html

He even posted it to this list but no one noticed it:
http://marc.info/?l=full-disclosure&m=139076233105401&w=2

>
> 2014-03-17 10:24 GMT+01:00 Pedro Ribeiro <pedrib@gmail.com>:
> >
> > On 16 Mar 2014 23:36, "T Imbrahim" <TImbrahim@techemail.com> wrote:
> >>
> >> The thread read Google vulnerabilities with PoC. From my understanding
it
> >> was a RFI vulnerability on YouTube, and I voiced my support that this
is a
> >> vulnerability.
> >>
> >> I also explained a JSON Hijacking case as a follow up, and you said you
> >> didn't follow. So I am just saying that treating security that way,
there
> >> are other parties like NSA who welcome them happily.
> >>
> >
> > I think these guys - Alfred, Kirschbaum and Imbrahim are the OP's sock
> > puppets.
> >
> > They are all first time posters from unusual free email providers
jumping to
> > defend the OP out of nowhere. If you search Google for their emails you
only
> > find references to this thread.
> >
> > They present similar (false and /or incorrect) arguments, talk about
their
> > extensive work experience, bash Google and its security team and send
> > repeated emails with exactly the same text.
> >
> > This is turning into a madhouse... I hope this guy doesn't have access
to a
> > gun.
> >
> > Regards
> > Pedro
> >
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
Let's try some scenarios and if those can be pulled out then I'd say it's
safe to assume this is an issue:

1. Upload a webshell (in a war, php, asp[x], jsp or similar file) and have
it executed by YouTube;
2. Upload a malicious file (pdf, swf, jar or similar file which exploits a
known or unknown vulnerability in the respective apps) and have it served by
YouTube;
3. Upload a file which alters the behavior of the YouTube application
(i.e., a configuration file, HTML or Javascript template, even a UI image).

Otherwise you just uploaded a file which went into a bitbucket, but you
have no way of pulling this file out of said bitbucket in a way that can
cause harm to either the application or its users.

Should YouTube restrict file uploads to known valid mime types? Sure, but
that's only how you got the data in there to begin with. It's what happens
after the data is in that will make all the difference.



On Mon, Mar 17, 2014 at 10:47 AM, Mario Vilas <mvilas@gmail.com> wrote:

>
> On Mon, Mar 17, 2014 at 2:25 PM, T Imbrahim <TImbrahim@techemail.com> wrote:
>
>> I definitely would patch my computer if I discovered that somebody could
>> upload files to my computer, even though I couldn't 'probe' them.
>
>
> 1) I don't think you understood the meaning of the word "probe" in this
> context, Nikolas,
> 2) Does that mean you believe Dropbox is vulnerable to remote file upload
> too?
>
>
> --
> “There's a reason we separate military and the police: one fights
> the enemy of the state, the other serves and protects the people. When
> the military becomes both, then the enemies of the state tend to become the
> people.”
>



--
“If debugging is the process of removing software bugs, then programming
must be the process of putting them in.” - *Edsger Dijkstra*
Re: Fwd: Google vulnerabilities with PoC [ In reply to ]
On Mon, Mar 17, 2014 at 3:11 PM, Ulisses Montenegro <ulisses.montenegro@gmail.com> wrote:

> Should YouTube restrict file uploads to known valid mime types? Sure, but
> that's only how you got the data in there to begin with. It's what happens
> after the data is in that will make all the difference.


At this point I'm not even sure the data isn't being restricted - it just
may be that the data type is checked again after it gets pulled out of the
queue for processing, and if it's not a video it gets discarded.


--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
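The three scenarios Ulisses lists above and Mario's point about rechecking the type after the upload leaves the queue can be expressed as a defender-side upload sink: the client's name and extension never reach the filesystem (scenario 1 and 3), stored bytes are only ever served as an inert attachment (scenario 2), and the worker re-sniffs the content and discards anything that is not a video. This is an added example, not code from the thread or from YouTube; the storage root, MIME allowlist, magic-byte table and sample inputs are all constructed for it.

```python
import os
import secrets
from dataclasses import dataclass

# Hypothetical storage root, outside the web root and away from the app's own files.
UPLOAD_ROOT = "/srv/upload-bitbucket"
ALLOWED_MIME = {"video/mp4", "video/webm", "video/x-msvideo"}


def sniff_video_type(data: bytes):
    """Identify the container from its magic bytes; None means 'not a video we accept'.
    Constructed minimal table; a real pipeline would hand the bytes to a demuxer."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    if data.startswith(b"\x1a\x45\xdf\xa3"):  # EBML header (Matroska/WebM)
        return "video/webm"
    if data.startswith(b"RIFF") and data[8:12] == b"AVI ":
        return "video/x-msvideo"
    return None


@dataclass(frozen=True)
class StoredUpload:
    token: str          # opaque, server-generated; never the client's filename
    path: str           # always under UPLOAD_ROOT
    sniffed_type: str   # derived from the bytes, not from the declared Content-Type


def ingest_upload(data: bytes, declared_mime: str):
    """Upload-time check. Returns a StoredUpload, or None if the upload is rejected."""
    if declared_mime not in ALLOWED_MIME:
        return None
    sniffed = sniff_video_type(data)
    if sniffed is None or sniffed != declared_mime:
        return None
    # Scenarios 1 and 3: the client's name and extension never touch the filesystem,
    # so nothing can land in a web root, template directory or config path.
    token = secrets.token_hex(16)
    path = os.path.join(UPLOAD_ROOT, token[:2], token)
    assert os.path.commonpath([UPLOAD_ROOT, path]) == UPLOAD_ROOT
    return StoredUpload(token=token, path=path, sniffed_type=sniffed)


def process_from_queue(upload: StoredUpload, data: bytes) -> bool:
    """Worker-side recheck (Mario's point): the type is verified again once the item
    is pulled from the queue. False means 'discard, do not transcode'."""
    return sniff_video_type(data) == upload.sniffed_type


def download_headers(upload: StoredUpload) -> dict:
    """Scenario 2: if stored bytes are ever served, they go out as an inert attachment
    with a fixed type and a sandboxed CSP, never rendered or executed in the app origin."""
    return {
        "Content-Type": upload.sniffed_type,
        "Content-Disposition": f'attachment; filename="{upload.token}.bin"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample inputs: a minimal MP4-style header and a PHP-style text file.
MP4_SAMPLE = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2"
PHP_SAMPLE = b"<?php echo 'not a video'; ?>"
```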