lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 13 Nov 2012 22:56:07 +0100
From: Thierry Zoller <Thierry@...ler.lu>
To: 'full-disclosure@...ts.grok.org.uk' <full-disclosure@...ts.grok.org.uk>, 
	'bugtraq@...urityfocus.com' <bugtraq@...urityfocus.com>
Subject: GOOD for Enterprise (GMA) below 2.0.2 vulnerable
	to MITM


RANT
----
The  world  of  mobile  applications  appear to have become one where vulnerability
disclosure    and   awareness  are  not  necessary.  Until  there  are fully automated
updates  and  refusal  of  service for outdated applications I see the
need for disclosure.

Who will start monitoring "Appstores" updates for signs of vulnerabilities ?

Note  to  vulnerability  researches : GMA appears to be a nice fuzzing target and
in general for browser security assessments.(see below on rationale)

Description
-----------
GMA is known as "Good™ Mobile Access" and part of "Good for Enteprise"
"The secure browser is integrated into the Good for Enterprise application, delivering a safe,
intelligent user experience. Employees can launch Good’s browser directly from the Good launcher bar,
as well as through links included in emails. Links to public websites will automatically launch
the native browser."

Title : GOOD for Enterprise GMA below 2.0.2 vulnerable to MITM
URL : http://www-staging.good.com/products/good-mobile-access.php
Root Cause: GMA failed to validate server authenticity when connecting through HTTPS

I  spotted  what  appears  to  be  an  undisclosed vulnerability in an
enterprise mobile device management system.

https://itunes.apple.com/us/app/good-for-enterprise/id333202351?mt=8

Excerpt from above :

What's New in Version 2.0.2
This release addresses the following
[..]- GMA now validates server authenticity when connecting through HTTPS.
[..]

This would imply GMA to have been vulnerable to MITM prior to version 2.0.2

Disclosure Timeline :
=====================
- GOOD disclosed over iTunes on the 02.08.2012

-- 
http://blog.zoller.lu
Thierry Zoller


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ