Date: Thu, 5 Nov 2009 23:54:11 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: "Memisyazici, Aras" <arasm@...edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Dark side of bookmarks

Hello Aras!

As S/U/N correctly noted
(http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071323.html)
I wrote enough PoCs (for different browsers) at my site
(http://websecurity.com.ua/2454/), and this page can be read via Google
Translate. But Aras and S/U/N, even without reading that page with Google
Translate, just following the link (in my article) to that page and viewing
the PoC (exploit) code will be enough to see how such attacks work.

> Your "article", unless I misunderstood, is useless.

Thanks for the criticism. Even lame criticism is still criticism :-). It's
lame, because for some of your questions there were already answers in my
article. You just didn't read it so attentively.

> To explain further, your article lacks substance. For instance you state:
> "could be used in DoS attack for browsers" yet you provide no working
> PoC/example(s)

In my article, right in the words "DoS attacks on browsers", there is a link
to my post (http://websecurity.com.ua/2454/) about DoS vulnerabilities in
Firefox, Internet Explorer and Opera with PoCs (exploits) for all these
browsers, which I posted on 19.09.2008. So everyone can read this post and
see these exploits during this time as many times as he needs. This post
with these vulnerabilities in different browsers was a part of my last
year's project Day of bugs in browsers (http://websecurity.com.ua/2453/).
And as I mentioned above (as also mentioned by S/U/N) this post can be
translated into English via Google Translate.

> What about mitigation? What about prevention?

I wrote some mitigation suggestions in the Conclusions of the article. More
advanced mitigation and prevention methods must be provided by browser
vendors, if they consider this threat to be real.

I wrote this article without many technical details and PoCs (because the
PoCs were posted at another page of my site, to which I put a link), because
I planned to do so back in summer 2008, when I decided to write such an
article. It's in an "introduction to security problem" style (but a detailed
introduction), where I'm introducing this threat to people (to the whole
Internet). I have never seen any articles or works on this subject before,
so to me it looks like a new threat (unknown to the masses).

And I didn't want to give working PoCs or exploits for bad guys (so the
article is more informational). If they are interested in this subject, they
need to work by themselves to create working exploits ;-).

From the other side, there are my exploits for DoS attacks on browsers via
bookmarks, and for all 5 attack methods (social engineering, hacking of
sites and changing of code in links, two variants of using viruses, using
attacks with an active (looped) proposition to add to bookmarks) I wrote
enough descriptions. For the variants using viruses I will not be releasing
any working code, and for the other attack methods the descriptions are
sufficient.

By the phrase "in modern browsers" in the fifth method of attack I implied
that the JS code which is used to add to bookmarks in modern browsers, which
can be used particularly for the above-mentioned DoS attacks, can be used in
this attack method. To make this more clear, I just added the link to the
above-mentioned article here.

> No offense but scare-tactics don't help ANYBODY...

As I said, this article is designed to draw the attention of people (the
whole Internet) to the problem. There is a proverb (in Ukraine and in
Russia) - if warned, then armed.

> As a sysadmin, I would've appreciated some more details or at least some
> answers to my questions above! :)

I'll always answer your questions. If after these answers you have any
other questions, feel free to ask.

Soon I'll release a new article about a threat similar to attacks via
bookmarks. It also concerns browsers (these two articles and the threats
themselves have similarities). And the new article will be written in a
similar "introduction to security problem" style.

> look forward to your continued, hopefully improved research results!

I'm always working to improve my research results. Soon I'll release a new
article, as I said above. And meanwhile you can read my other research and
articles. Like the two before-mentioned articles about redirectors and
Cross-Site Scripting attacks via redirectors
(http://websecurity.com.ua/3386/) and other articles at my site
(http://websecurity.com.ua/category/articles/), some of which are
translated into English.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Memisyazici, Aras" <arasm@...edu>
To: <full-disclosure@...ts.grok.org.uk>
Cc: "MustLive" <mustlive@...security.com.ua>
Sent: Monday, November 02, 2009 3:51 PM
Subject: RE: [Full-disclosure] Dark side of bookmarks


MustLive:

I really don't want to start a flame-war nor am I trying to belittle you or
your work but...

Your "article", unless I misunderstood, is useless. To explain further, your
article lacks substance. For instance you state: "could be used in DoS
attack for browsers" yet you provide no working PoC/example(s)

What about mitigation? What about prevention?

No offense but scare-tactics don't help ANYBODY... As a sysadmin, I would've
appreciated some more details or at least some answers to my questions
above! :)

In any case, thank you for putting together such an entry and look forward
to your continued, hopefully improved research results!

Sincerely,
Aras 'Russ' Memisyazici
Systems Administrator
Virginia Tech

----------------------------------------------------------------------

Date: Sat, 31 Oct 2009 23:24:50 +0200
From: "MustLive" <mustlive@...security.com.ua>
Subject: [Full-disclosure] Dark side of bookmarks
To: <full-disclosure@...ts.grok.org.uk>

Hello participants of Full-Disclosure!

After my articles about different attacks via redirectors - Redirectors: the
phantom menace (http://websecurity.com.ua/3495/) and Attacks via closed
redirectors (http://websecurity.com.ua/3531/), here is my new article. This
time it is about attacks via bookmarks. In the article Dark side of
bookmarks (http://websecurity.com.ua/3643/) I'll tell you about the risks of
bookmarks in browsers.

The following attacks via bookmarks are possible:

1. Spam.
2. Phishing.
3. Malware spreading.
4. DoS attacks.

You can read the article Dark side of bookmarks at my site:
http://websecurity.com.ua/3643/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
