lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 19 Jan 2010 19:01:36 -0600
From: Rohit Patnaik <quanticle@...il.com>
To: dramacrat <yirimyah@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: NSOADV-2010-002: Google Wave Design Bugs

Yeah, no kidding.  Surprise! Untrusted files can be malicious.  If you
accept files from those whom you do not trust, whether its via e-mail,
instant message, Google Wave, or physical media, you well and truly deserve
the virus that'll eventually infect your machine.

-- Rohit Patnaik

On Tue, Jan 19, 2010 at 7:11 AM, dramacrat <yirimyah@...il.com> wrote:

> This is the stupidest advisory I have read on this list in at least two
> months.
>
> 2010/1/19 NSO Research <nso-research@...iriu.de>
>
> _________________________________________
>> Security Advisory NSOADV-2010-002
>> _________________________________________
>> _________________________________________
>>
>>
>>  Title:                  Google Wave Design Bugs
>>  Severity:               Low
>>  Advisory ID:            NSOADV-2010-002
>>  Found Date:             16.11.2009
>>  Date Reported:          18.11.2009
>>  Release Date:           19.01.2010
>>  Author:                 Nikolas Sotiriu (lofi)
>>  Mail:                   nso-research at sotiriu.de
>>  URL:                    http://sotiriu.de/adv/NSOADV-2010-002.txt
>>  Vendor:                 Google (http://www.google.com/)
>>  Affected Products:      Google Wave Preview (Date: =< 14.01.2010)
>>  Not Affected Component: Google Wave Preview (Date: >= 14.01.2010)
>>  Remote Exploitable:     Yes
>>  Local Exploitable:      No
>>  Patch Status:           partially patched
>>  Discovered by:          Nikolas Sotiriu
>>  Disclosure Policy:      http://sotiriu.de/policy.html
>>  Thanks to:              Thierry Zoller: For the permission to use his
>>                                          Policy
>>
>>
>>
>> Background:
>> ===========
>>
>> Google Wave is an online tool for real-time communication and
>> collaboration. A wave can be both a conversation and a document where
>> people can discuss and work together using richly formatted text,
>> photos, videos, maps, and more.
>>
>> (Product description from Google Website)
>>
>>
>>
>> Description:
>> ============
>>
>> All this possible attacks are the result of playing 4 hours with Google
>> Wave. I didn't check all the funny stuff, which is possible with the Wave.
>>
>>
>>
>> 1. Gadget phishing attack:
>> --------------------------
>>
>> The Google Wave Gadget API can be used for phishing attacks.
>>
>> An attacker can build his own phishing Gadget, share it with his Google
>> Wave contacts an hopefully get the login credentials from a user.
>>
>> This behavior is normal. The Problem is, that this "bug" makes it easier
>> to steal logins.
>>
>>
>> 2. Virus spreading attack:
>> --------------------------
>>
>> Uploads Files are not scanned for malicious code.
>>
>> An attacker could upload his malware to a wave and share it to his
>> Google Wave contacts.
>>
>>
>>
>> Proof of Concept :
>> ==================
>>
>> A proof of concept gadget can be found here:
>> http://sotiriu.de/demos/phgadget.xml
>>
>>
>>
>> Solution:
>> =========
>>
>> 1. No changes made here.
>>   Workaround: Don't trust Waves.
>>
>> 2. Google builds in AV scanning.
>>
>>
>>
>> Disclosure Timeline (YYYY/MM/DD):
>> =================================
>>
>> 2009.11.16: Vulnerability found
>> 2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure
>>            date (2009.12.03) to Vendor
>> 2009.11.23: Vendor response
>> 2009.12.01: Ask for a status update, because the planned release date is
>>            2009.12.03.
>> 2009.12.03: Google Security Team asks for 2 more week to patch.
>> 2009.12.03: Changed release date to 2009.12.17.
>> 2009.12.15: Ask for a status update, because the planned release date is
>>            2009.12.17. => No Response
>> 2009.12.21: Ask for a status update.
>> 2009.12.29: Google Security Team informs me, that there are no changes
>>            made before 2010.01.03.
>> 2010.01.14: Google Security Team informs me, that uploaded files will be
>>            now scanned for malware. Google Gadgets will be not updated.
>> 2010.01.19: Release of this Advisory
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ