lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BANLkTimfQ=Ce9FiUxHggtOtQS0GJbKWBdg@mail.gmail.com>
Date: Mon, 13 Jun 2011 01:39:06 +0200
From: Haxxor Security <h@...r.se>
To: adam <adam@...sy.net>
Cc: secn3t@...il.com, full-disclosure@...ts.grok.org.uk
Subject: Re: POC for a simple gmail/possible code
 injection into html wich can be executed in an email,
 i will make the PoC code and explain how here and now...

Haha, holy mother of...
-=Glowing Dumb=- made my day...  To be honest, he made my whole week.

Adam, I can't thank you enough for CCing the list.


2011/6/12 adam <adam@...sy.net>

> I'm not sure how you can keep insisting that it's not a feature when it's
> clearly been shown to be one. You either need to pay more attention, or get
> a better dictionary.
>
> What you're describing is possible directly through the anchor/link
> feature. Even if it weren't, you could just as easily switch over to plain
> text and insert the anchor tag manually. There is no exploit involved, as
> the ability to use hyperlinks is an email isn't an *unintentional bug* but
> a very popular *feature*.
>
> On Sat, Jun 11, 2011 at 10:37 PM, -= Glowing Doom =- <secn3t@...il.com>wrote:
>
>> there is ANOTHER method idiot....
>>
>> ut, you wont figue it :)
>>
>> and how ?
>> what if made a damn email with ALL text as a bad-link...and, say you open
>> it, and, just happen to accidnetally hover and, click.. wich, many ppl do...
>> it is not some spam email with a link, and NO it is NOT a feature.. idiot
>> again.
>>
>>
>>
>> On 12 June 2011 13:34, adam <adam@...sy.net> wrote:
>>
>>> #1 - No one has replied since I reproduced your "proof of concept."
>>>
>>> #2 - Even if they had, you're replying directly to me - not the list.
>>>
>>> #3 - None of that is necessary. Type in text, highlight it and then click
>>> the anchor/link icon. From there, you can insert the target URL (and use the
>>> text of your choice). This is possible across most (all?) mail clients, as
>>> well as forums. It's an intentional feature that let's you specify anchor
>>> text.
>>>
>>> Assuming you're using a mail client that doesn't allow that (which I'd
>>> find very hard to believe that it has an anchor/link icon and doesn't have
>>> that feature) but even if that were the case: who is really vulnerable here
>>> (and to what? specifying anchor text != code injection).
>>>
>>> On Sat, Jun 11, 2011 at 10:29 PM, -= Glowing Doom =- <secn3t@...il.com>wrote:
>>>
>>>> now, you guys loose.... see why you should NOT flame people...
>>>> now, try find the REAL problem, wich, exists NOt in server...
>>>> anyhow.. have fun flaming ppl...
>>>> you finally work it out, then your all nice...
>>>> screw you.
>>>> and, screw your domain.
>>>>
>>>>
>>>>
>>>> On 12 June 2011 13:28, -= Glowing Doom =- <secn3t@...il.com> wrote:
>>>>
>>>>> This is what i tried to explain...
>>>>>
>>>>> enter text, darken it, and then link , i said this 3 times..yet one
>>>>> person managed to finally do it, after having tospell it.
>>>>> no , i am, not a smartarse. and the other method, i should just have
>>>>> left out.
>>>>> now, nomore fd for me,.
>>>>> thanks,.
>>>>>
>>>>>
>>>>>
>>>>> On 12 June 2011 13:25, adam <adam@...sy.net> wrote:
>>>>>
>>>>>> The reason why no one understood your ground-breaking vulnerability
>>>>>> (broken English aside) is because it's a *feature*. Whether you're
>>>>>> being a smartass right now or not is irrelevant, being that my email
>>>>>> generated the exact same thing as yours did (view source on both of them).
>>>>>> The difference is, you're doing some backspace *trick* whereas I'm
>>>>>> entering text, highlighting it and then clicking the link icon.
>>>>>>
>>>>>> Congratulations on wasting everyone's time, they were right to have
>>>>>> abandoned this thread from the start.
>>>>>>
>>>>>>
>>>>>> On Sat, Jun 11, 2011 at 10:20 PM, -= Glowing Doom =- <
>>>>>> secn3t@...il.com> wrote:
>>>>>>
>>>>>>> wow, ONE person finally can do it, after only having top basically
>>>>>>> SPELL it for you.. why did you not do it from the start >????
>>>>>>> Lame team.
>>>>>>>
>>>>>>> Sorry but, have fun.. I wont be cc'd, I will just filter all of the
>>>>>>> fd :)
>>>>>>> BYE!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 12 June 2011 13:16, adam <adam@...sy.net> wrote:
>>>>>>>
>>>>>>>> You do realize you're still going to be CC'd, don't you?<http://www.google.com/>
>>>>>>>>
>>>>>>>> And OH MY GOD, my text somehow became a clickable link. Did you guys
>>>>>>>> see that? Did you see my ground breaking exploit? I demand your respect
>>>>>>>> right this second!@
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Jun 11, 2011 at 10:13 PM, -= Glowing Doom =- <
>>>>>>>> secn3t@...il.com> wrote:
>>>>>>>>
>>>>>>>>> done.. bye!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 12 June 2011 13:12, -= Glowing Doom =- <secn3t@...il.com>wrote:
>>>>>>>>>
>>>>>>>>>> Yet i now stop... enjoy your pathetic,useless luist.. i will now
>>>>>>>>>> unsubscribe :)
>>>>>>>>>> thanks.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12 June 2011 13:09, -= Glowing Doom =- <secn3t@...il.com>wrote:
>>>>>>>>>>
>>>>>>>>>>> Here again....
>>>>>>>>>>>
>>>>>>>>>>> I will write a sentence now, and, i will just copy, so it is
>>>>>>>>>>> 'darkened' text , then with NO backspace just leave the text darkened, and
>>>>>>>>>>> goto 'link' , and enter a link.. the text will turn to red.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> (this is the easiest way to reproduce it...)<http://www.haxxor-NOT.bs>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 12 June 2011 13:07, -= Glowing Doom =- <secn3t@...il.com>wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I should have said just 'copy, then hit link... because the
>>>>>>>>>>>> other one, is actually VERY hard to explain..but yes... backspace... has a
>>>>>>>>>>>> bug with emails. Is this so hard for 500000 ppl to understand ?
>>>>>>>>>>>> I am really shocked at the brubbish talk i have copped from
>>>>>>>>>>>> this.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 12 June 2011 13:06, -= Glowing Doom =- <secn3t@...il.com>wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Do the research... then call yourself a 'team'...please :s
>>>>>>>>>>>>>
>>>>>>>>>>>>> The PoC, is easy as hell to reproduce. I am shocked a team,
>>>>>>>>>>>>> cannot do it..
>>>>>>>>>>>>>
>>>>>>>>>>>>> even the easy one wich is just copy/backspace, and, hit link
>>>>>>>>>>>>> and enter a link!
>>>>>>>>>>>>> simple ?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 12 June 2011 12:52, Haxxor Security <h@...r.se> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> As I (painfully tried to) understand it, secn3t can fool his
>>>>>>>>>>>>>> own email client to create malformed links by pressing backspace...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2011/6/12 adam <adam@...sy.net>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> At the end of the day, you're going to be treated like a
>>>>>>>>>>>>>>> child as long as you continue to type like one.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The entertaining part for me is how each of your replies
>>>>>>>>>>>>>>> contradicts a previous one. According to you, this *
>>>>>>>>>>>>>>> vulnerability* *has existed for years*. And also according
>>>>>>>>>>>>>>> to you, the reason why the original email was filled with spelling errors is
>>>>>>>>>>>>>>> because it *was rushed out due to you being "awake" at 6AM.* Do
>>>>>>>>>>>>>>> you see the inconsistency between those two statements? Your response to
>>>>>>>>>>>>>>> Christian also indicated that you* **didn't just discover
>>>>>>>>>>>>>>> this*.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> IF this is an old vulnerability and IF you've known about it
>>>>>>>>>>>>>>> for an extended period of time - WHY did you have to post it right when you
>>>>>>>>>>>>>>> did? It's old, you've known about it for a while, it's existed for years,
>>>>>>>>>>>>>>> yet it couldn't wait until later in the day? It couldn't wait until you had
>>>>>>>>>>>>>>> time to skim over the email and correct any spelling/grammar mistakes? It
>>>>>>>>>>>>>>> absolutely had to be posted right then and there?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sat, Jun 11, 2011 at 9:14 PM, -= Glowing Doom =- <
>>>>>>>>>>>>>>> secn3t@...il.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thats why i the people who do understand it, can see that it
>>>>>>>>>>>>>>>> is there... yes, VERY hard to expalin, id LOVE to see you try.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12 June 2011 12:11, adam <adam@...sy.net> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Furthermore, pretending that we [the readers] are somehow
>>>>>>>>>>>>>>>>> at fault here (for not understanding) isn't going to get you very far. The
>>>>>>>>>>>>>>>>> only thing consistent in this entire thread is that people
>>>>>>>>>>>>>>>>> *kind of* want to know what you're talking about, but
>>>>>>>>>>>>>>>>> aren't able to due to the poor writing style and spelling/grammar errors.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It should be noted that no one is being anal about typos, I
>>>>>>>>>>>>>>>>> fully understand that people make mistakes. The difference is that it
>>>>>>>>>>>>>>>>> appears you didn't even so much as proof read the original email.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Sat, Jun 11, 2011 at 9:04 PM, phocean <0x90@...cean.net
>>>>>>>>>>>>>>>>> > wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi n3td3v... oops!... secn3t (that is close),
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Sorry but I don't understand anything to this thread.
>>>>>>>>>>>>>>>>>> Each of your emails is such a pain to read, that I stop at
>>>>>>>>>>>>>>>>>> the first
>>>>>>>>>>>>>>>>>> sentence.
>>>>>>>>>>>>>>>>>> We are all busy and don't want to take 20 min to decipher
>>>>>>>>>>>>>>>>>> your writing
>>>>>>>>>>>>>>>>>> with the risk that it is not deserving it.
>>>>>>>>>>>>>>>>>> Please clarify and give consistent technical facts.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Le 12/06/2011 03:33, -= Glowing Doom =- a écrit :
>>>>>>>>>>>>>>>>>> > This is NOT coded..  the PoC i am explaining, is
>>>>>>>>>>>>>>>>>> possible with simply
>>>>>>>>>>>>>>>>>> > copyying text,then using a sequence of keys, to make the
>>>>>>>>>>>>>>>>>> actual
>>>>>>>>>>>>>>>>>> > sentence/s, appear.
>>>>>>>>>>>>>>>>>> > This code is not what shows up when it is dissected.
>>>>>>>>>>>>>>>>>> > It shows up with many x41 all over the email when it is
>>>>>>>>>>>>>>>>>> done properly .
>>>>>>>>>>>>>>>>>> > Regards.
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> > On 12 June 2011 11:29, Christian Sciberras <
>>>>>>>>>>>>>>>>>> uuf6429@...il.com
>>>>>>>>>>>>>>>>>> > <mailto:uuf6429@...il.com>> wrote:
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >     For those lazy enough to search:
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> https://www.owasp.org/index.php/The_CSRSS_Backspace_Bug_still_works_in_windows_2003_sp1
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >     Excerpt:
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >     Basicaly just compile this and you will get a 100%
>>>>>>>>>>>>>>>>>> processor usage
>>>>>>>>>>>>>>>>>> >     by the compiled exploit and Csrss.exe
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >     #include <stdio.h>
>>>>>>>>>>>>>>>>>> >     int main(void)
>>>>>>>>>>>>>>>>>> >     {
>>>>>>>>>>>>>>>>>> >     while(1)
>>>>>>>>>>>>>>>>>> >     printf("\t\t\b\b\b\b\b\b");
>>>>>>>>>>>>>>>>>> >     return 0;
>>>>>>>>>>>>>>>>>> >     }
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >     How this helps in sending spam is beyond me.
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >     On Sun, Jun 12, 2011 at 3:18 AM, Jeffrey Walton <
>>>>>>>>>>>>>>>>>> noloader@...il.com
>>>>>>>>>>>>>>>>>> >     <mailto:noloader@...il.com>> wrote:
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >         On Sat, Jun 11, 2011 at 9:06 PM, -= Glowing Doom
>>>>>>>>>>>>>>>>>> =-
>>>>>>>>>>>>>>>>>> >         <secn3t@...il.com <mailto:secn3t@...il.com>>
>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >         > It is now, over 1yr old atleast and exists in
>>>>>>>>>>>>>>>>>> riched20.dll.
>>>>>>>>>>>>>>>>>> >         > This PoC info is over for me also.
>>>>>>>>>>>>>>>>>> >         Microsoft had problems with a backspace in the
>>>>>>>>>>>>>>>>>> past. Search for
>>>>>>>>>>>>>>>>>> >         "CSRSS
>>>>>>>>>>>>>>>>>> >         Backspace Bug".
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >         > [SNIP
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >         Jeff
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >         _______________________________________________
>>>>>>>>>>>>>>>>>> >         Full-Disclosure - We believe in it.
>>>>>>>>>>>>>>>>>> >         Charter:
>>>>>>>>>>>>>>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>>>>>>> >         Hosted and sponsored by Secunia -
>>>>>>>>>>>>>>>>>> http://secunia.com/
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>>>>>>>>> > Full-Disclosure - We believe in it.
>>>>>>>>>>>>>>>>>> > Charter:
>>>>>>>>>>>>>>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>>>>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> phocean
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>>>>>>>> Charter:
>>>>>>>>>>>>>>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>>>>>>> Charter:
>>>>>>>>>>>>>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>>>>> Charter:
>>>>>>>>>>>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>>>>>> Charter:
>>>>>>>>>>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ