Message-ID: <CALCvwp556z8qsGsjxD10LecrfK5fH6Dwf1LM-3ASkeWQpTnvSA@mail.gmail.com>
Date: Sun, 4 Dec 2011 08:09:12 +1100
From: xD 0x41 <secn3t@...il.com>
To: Michele Orru <antisnatchor@...il.com>,
Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: fast and somewhat reliable cache timing
Yeah, it is interesting. I tested it on Firefox v8 on a Windows XP platform and
it did not find anything; mind you, I use 'private browsing' for *all*
browsing... so I am wondering if that maybe helps keep my cache
secure... I also noticed that it returned no results when in fact I
had just been redirected from Gmail to there, which would mean
google.com would have shown... so private browsing must be a safer
way to browse. Very awesome PoC. I do also recall some botnet source
codes, in the .cpp code of bots, which can dump the caches of up to, I think, FF4
or so now, when the DLLs were used to store things possibly... I have
not kept up with it, but that was in a lot of bots, just called
pstore.cpp, and similarly the command could be done with .pstore
website.com, and that would do a cache search for about 5-6 browsers
in one... it managed to work with IE and FF anyhow; I tested the sources of
120- and nzmbot and they were able to extract info they shouldn't
have...
Your eBook is definitely on my to-read list, and I am already looking
at the chapter 3 you give away free on your blog; actually, I know
*anything* you write about is going to be good :)
cheers mate.
d
On 3 December 2011 22:50, Michele Orru <antisnatchor@...il.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Great PoC Michal,
>
> I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OS X
> 10.6.8 and it is reliable.
>
> I'm certainly adding it to the BeEF project.
>
> Cheers
> antisnatchor
>
> Michal Zalewski wrote:
>> Evening,
>>
>> This party trick is not particularly exciting, but hopefully
>> highlights a vaguely interesting point:
>>
>> http://lcamtuf.coredump.cx/cachetime/
>>
>> In essence, in the past few years, browser vendors have severely
>> crippled CSS :visited selectors in order to prevent CSS-based history
>> snooping that made the headlines not long ago (see, for example,
>> http://wtikay.com). Although it's fairly obvious that other privacy
>> side channels, such as cache timing, theoretically disclose comparable
>> data, the attacks demonstrated so far offered, at best, vaguely
>> probabilistic results (say,
>> http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that,
>> cache probing was considered destructive, which significantly limited
>> its usability.
>>
>> Consequently, an argument was made that CSS :visited offered unique
>> performance and reliability benefits and needed to be addressed
>> separately, while no serious work takes place on the remaining
>> vectors.
>>
>> My PoC exploits cache timing in Firefox in what appears to be a fairly
>> fast and reliable way. It is a crude hack, so it will probably fail
>> for some of you - but it's probably still interesting. The key point
>> is that to probe for cached content without immediately polluting the
>> cache, we abort navigation before the HTTP request is made. We also
>> work around setTimeout / setInterval clamps by leveraging event
>> delivery.
>>
>> PS. If this is even remotely interesting, you may also enjoy
>> http://lcamtuf.coredump.cx/tangled/
>>
>> Cheers,
>> /mz
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJO2gzyAAoJEBgl8Z+oSxe4Gs8H/jgNmbiKwxSsisCuyN51bIbW
> C/8seFbSOtmUu15UghUvunHNTDcINC6DE9MCpW8NisgHKlc6GAgdrU+2kLBy94bR
> 7RVhvbO0ok9MoII4iJqbl392tscWzJ07HCfZEOOwgy4JoI8/lla6LNPhUBepcayX
> 50gZclVxRreBbbb+W9Oboz50u8rcfJCu/zopLPbrhNDdL7G+ORD9pO0FRc3+jsgm
> 11/Bbs9bwRTJGIOsm+TILvb2lpDHS6Ax6jbjj+9udqBW3oQfBtveb8aAFtDg7+vk
> Vz8aODJ78V6bcqCLn+I1WcedD0/cEHvkKi2E+UcBLdF2OQp5+mUIMiN8pnluvBE=
> =nUp+
> -----END PGP SIGNATURE-----
>
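The point Michal makes in the quoted message is that the probe works by asking whether a resource is already in the browser cache; a resource the browser was never allowed to store cannot leak "visited" state this way. The following is an added example, not code from this thread, from lcamtuf's PoC or from BeEF: a small Node.js audit that classifies HTTP responses by whether a browser cache may keep them (a simplified reading of the RFC 7234 rules) and flags per-user resources that are still cacheable. The hostnames and header values are constructed sample data, and `classifyResponse`, `auditResponses` and `parseCacheControl` are names chosen for this example.

```javascript
'use strict';
// Added example for this thread (not code from the list, Michal's PoC or BeEF).
// Classifies HTTP responses by whether a browser cache may keep them
// (simplified RFC 7234 rules) and flags per-user resources that are still
// stored. A cache-timing probe can only tell "visited" from "not visited"
// for a resource the browser actually kept, so the server-side control is
// Cache-Control: no-store on anything that reveals a user's activity.

// Parse "private, max-age=600" into { private: true, 'max-age': '600' }.
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    directives[name] = eq === -1
      ? true
      : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  return directives;
}

// Returns 'not-stored', 'stored-stale', 'stored-fresh' or 'stored-heuristic'.
// Everything except 'not-stored' means an entry can exist in the browser cache
// and therefore can be detected by a timing probe. `headers` uses lower-case
// names; `now` is a millisecond timestamp used to evaluate Expires.
function classifyResponse(headers, now = Date.now()) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store']) return 'not-stored';
  // 'no-cache' and 'private' do not stop the browser from storing the entry:
  // no-cache forces revalidation, private only excludes shared caches.
  if (cc['no-cache']) return 'stored-stale';
  if (cc['max-age'] !== undefined) {
    return Number(cc['max-age']) > 0 ? 'stored-fresh' : 'stored-stale';
  }
  if (headers['expires'] !== undefined) {
    const expires = Date.parse(headers['expires']);
    // An unparsable Expires value counts as already expired.
    return !Number.isNaN(expires) && expires > now ? 'stored-fresh' : 'stored-stale';
  }
  // No explicit freshness at all: browsers may still store the response and
  // assign a heuristic lifetime (for example derived from Last-Modified).
  return 'stored-heuristic';
}

// Audit a list of { url, perUser, headers } records; every per-user resource
// that a browser is allowed to store is a finding.
function auditResponses(responses, now = Date.now()) {
  const findings = [];
  for (const r of responses) {
    const storage = classifyResponse(r.headers, now);
    if (r.perUser && storage !== 'not-stored') {
      findings.push({ url: r.url, storage, fix: 'serve with Cache-Control: no-store' });
    }
  }
  return findings;
}

// Constructed sample responses (hypothetical hosts, not real sites).
const SAMPLE_NOW = Date.parse('Sat, 03 Dec 2011 12:00:00 GMT');
const SAMPLE_RESPONSES = [
  { url: 'https://mail.example.test/inbox', perUser: true,
    headers: { 'cache-control': 'private, max-age=600' } },
  { url: 'https://mail.example.test/logo.png', perUser: false,
    headers: { 'cache-control': 'public, max-age=86400' } },
  { url: 'https://bank.example.test/account', perUser: true,
    headers: { 'cache-control': 'no-store' } },
  { url: 'https://bank.example.test/statement.pdf', perUser: true,
    headers: { 'last-modified': 'Sat, 03 Dec 2011 11:50:00 GMT' } },
];

console.log(JSON.stringify(auditResponses(SAMPLE_RESPONSES, SAMPLE_NOW), null, 2));
```

Run with `node audit.js`; on the sample data the inbox page (`private, max-age=600`) and the statement PDF (no explicit freshness, so heuristically cacheable) are reported, while the `no-store` account page and the non-personal logo are not. The design choice worth noting is that `private` and `no-cache` are treated as "stored": both leave an entry on disk that a probe of the kind described in the thread can observe, and only `no-store` removes it.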