lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 25 May 2011 22:17:38 +0200
From: Rosario Valotta <valotta.rosario@...il.com>
To: Владимир Воронцов <vladimir.vorontsov@...ec.ru>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cookiejacking attack technique

Hi Vladimir,
using my approach only files in the Cookies folder can be accessed, being
them cookies or not.
You cannot escape that sandbox.
About IE9 I've tested it on the same version and it works, MS has confirmed
the vuln by the way ;-)
About opening arbitrary files, pay attention to 2 issues:
1- one thing is displaying a file in a frame, a different thing is accessing
them, that's why drag&drop is needed...have a look at my slides ;-)
2- not any file, just files in the cookies folder

regards
Rosario

2011/5/25 Владимир Воронцов <vladimir.vorontsov@...ec.ru>

> Great work!
>
> Technique can be used to stealing any data.
> In example, content from remote iframes.
> And from any local file, i.e. browser cache, configs and other.
>
> But there is problem to open urls in file:// zone from http:// zone.
> Recently i founded Chrome vuln, which provide that.
> See https://docs.google.com/present/view?id=dcm4kmp7_18w8945rdw slides
> 20-23.
>
> In your work, you say about redirect in IE9, but it is didn't work for me
> (9.0.8112.16421).
>
> If it is possible to open file:// from http:// in IE9, then possible to
> stealing any local file without user actions :)
>
> On Wed, 25 May 2011 00:17:21 +0200, Rosario Valotta
> <valotta.rosario@...il.com> wrote:
> > Hi,
> > last week, in two security conferences I showed a new attack technique
> > called Cookiejacking that allows to steal session cookies without any
> XSS
> > vulnerability.
> >
> > https://www.swisscyberstorm.com/speakers/valotta
> > http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
> >
> > All previous approaches on the same topic used at least an XSS or a Man
> in
> > the middle attack (eg Firesheep) to steal cookies.
> > In this approach I use a 0-day vulnerabilty affecting all versions of IE
> on
> > every Windows OS and an advanced Clickjacking attack in order to trick
> > users
> > in dragging & dropping their cookies.
> >
> > You can steal any cookie (http only, secure cookies, whatever the
> website)
> > of every Win user!
> >
> > If it is interesting, on my blog you can find a writeup and a couple of
> > videos.
> > https://sites.google.com/site/tentacoloviola/cookiejacking
> >
> > Regards
> >
> > Rosario Valotta
>
> --
> Best regards,
> Vladimir Vorontsov
> ONsec security expert
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ