[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+CewVDWpe=mZhmHjbNMR=djZ+E6+H1=rZMTFKt9eNhSN0dM-g@mail.gmail.com>
Date: Wed, 5 Mar 2014 08:58:04 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Google's (YouTube) Arbitrary File Upload
Vulnerability Report with PoC
_____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation
Google's YouTube Arbitrary File Upload Vulnerability Report
================================================
Author: Mr Nicholas Lemonias. (Information Security Specialist)
Date of Publish: 27/02/ 2014
Credits: Advanced Information Security Corporation, (USA)
Type: Web Application / Unrestricted File Upload
(Upload of other file-formats not supported by default function)
Vendor Overview
========================
Google INC is an American multinational corporation specializing in
Internet-related services and products. These include search, cloud
computing, software, and online advertising technologies. Google was
founded by Larry Page and Sergey Brin while they were Ph.D. students at
Stanford University. They incorporated Google as a privately held company
on September 4, 1998. An initial public offering followed on August 19,
2004.
Its mission statement from the outset was "to organize the world's
information and make it universally accessible and useful", and its
unofficial slogan was "Don't be evil".
Service Overview
=======================
YouTube is a video-sharing website, created by three former PayPal
employees in February 2005 and owned by Google since late 2006, on which
users can upload, view and share videos. The company is based in San Bruno,
California, and uses Adobe Flash Video and HTML5 technology to display a
wide variety of user-generated video
content, including video clips, TV clips, and music videos, and amateur
content such as video blogging, short original videos, and educational
videos. Most of the content on YouTube has been uploaded by individuals,
but media corporations
including CBS, the BBC, Vevo, Hulu, and other organizations offer some of
their material via YouTube, as part of the YouTube partnership program.
Unregistered users can watch videos, and registered users can upload an
unlimited number of videos.. YouTube, LLC was acquired by Google for
US$1.65 billion in November 2006 and now operates as a Google subsidiary.
Description
=========================
A security report was made to Google Inc. on the 26th of February, in
reference to Google's coordinated security reward program that encourages
responsible disclosure. The security issue presented, allowed circumvention
of web-based control handlers used by the YouTube API, which determined the
file-types permitted to be written on YouTube's store-servers. The
validation occurred at the application-layer, through a web-based form;
Therefore a user could tamper with the Http data, in order to bypass any
web-based file-type validation checks,
and consequently to upload, any file of choice to the remote storage
network. However it is pertinent to note that remote code execution has not
been confirmed in this report.
Impact to QoS and Security
=====================
Unrestricted file-upload ; Upload of any file of choice to the remote
storage network. The impact is also to the integrity of the service, in
which successful circumvention of the application's information flow,
allows upload of any file and file-type of choice to the remote storage
networks.
Background on Storage Networks
===========================
YouTube.com populates and distributes stored files to multiple servers
through a CDN (Content Delivery Architecture), where each video uses more
than one machine (hosted by a cluster). Less populated video files are
normally stored in various colocation sites. The YouTube architecture uses
databases for storing metadata information of all uploaded files.
Proof(s) of Concept for QoS and Security
================================
http://dl.packetstormsecurity.net/1403-exploits/Google-Report2702.pdf
Coordinated Vulnerability Disclosure Timeline
====================
[+] 26th of February 2014 - Contacted Vendor regarding the realisation.
[+] 27th of February 2014 - Confirmation of Unrestricted File Uploads
issue; Problem Mitigation.
* This realisation was reported to the relevant security teams which acted
immediately to remediate the issues.
** The vendor did not award a bug bounty.
Disclaimer
****************************
The views expressed in the publications do not imply endorsement. Advanced
Information Security Corporation is not responsible, and will not be held
liable for any damages results from the use or distribution of
such information in any way. All information are posted on an " AS IS "
condition, under the FOI.
All material on these pages, including without limitation text, logos,
icons, photographs and all other artwork, is copyright material of
Advanced Information Security Corporation, unless otherwise stated.
Unauthorised copy, distribution or reproduction of information, contained
in this report, is strictly prohibited.
Therefore use of this material may only be made with the express, prior
written permission of Advanced Information Security Corporation who is the
author of this advisory;
Material provided by any third party, including material obtained through
links to other websites, is likely to be the copyright material of the
author. Permission to copy or otherwise use such material must be obtained
from the author.
Advanced Information Security seeks to ensure that information contained in
these pages is accurate at all times.
However, no liability or responsibility is accepted arising from reliance
upon the information contained in these pages or any other information
accessed via this site, including without limitation for information
reached via links on this site to external sites.
This vulnerability report is always posted for the wider benefit of the
security community, to help mature the practise and for education
purposes, again on an "AS IS" condition and without any warranties.
Advanced Information Security disclaims all warranties, including the
warranty of merchantability and capability fit for a particular purpose;
Please note that information contained are posted under the FOI, on an 'AS
IS condition', and as per best security practise.
================================================================
* Copyrights Advanced Information Security Corp (c), 2014 *
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists