lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Mar 2014 17:10:11 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: Julius Kivimäki <julius.kivimaki@...il.com>, 
 full-disclosure@...ts.grok.org.uk
Subject: Re: Google vulnerabilities with PoC

Hello Julius,

I appreciate your interest to learn more. OWASP is quite credible, and has
gained some international recognition. It is a benchmark for many vendors.
I suggest you to read on OSI/7-Layer Model. A website may disallow uploads
of certain file types for security reasons, and let's assume at the
application layer. If we manage to get past the security controls, that
means  we can write unrestrictedly any type of file to the remote network.
That also means that we get past their firewall, since the communication is
through HTTP (port 80). CDN nodes are deployed to multiple colocation
(thousands of nodes and thousands of servers across the world). The files
(let's say a self-executing encrypted virus like Cryptolocker? ) are cached
deeply in the network across thousands of servers.


On Thu, Mar 13, 2014 at 5:07 PM, Nicholas Lemonias. <
lem.nikolas@...glemail.com> wrote:

> Hello Julius,
>
> I appreciate your interest to learn more. OWASP is quite credible, and has
> gained some international recognition. It is a benchmark for many vendors.
> I suggest you to read on OSI/7-Layer Model. A website may disallow uploads
> of certain file types for security reasons, and let's assume at the
> application layer. If we manage to get past the security controls, that
> means  we can write unrestrictedly any type of file to the remote network.
> That also means that we get past their firewall, since the communication is
> through HTTP (port 80). CDN nodes are deployed to multiple colocation
> (thousands of nodes and thousands of servers across the world). The files
> are cached deep in the network structures to thousands of servers.
>
>
> On Thu, Mar 13, 2014 at 4:20 PM, Julius Kivimäki <
> julius.kivimaki@...il.com> wrote:
>
>> OWASP is recognized worldwide, so is CEH and a bunch of other morons.
>> That doesn't mean their publications are worth anything. Now tell me, why
>> would arbitrary file upload on a CDN lead to code execution (Besides for
>> HTML, which you have been unable to confirm)?
>>
>>
>> 2014-03-13 18:16 GMT+02:00 Nicholas Lemonias. <lem.nikolas@...glemail.com
>> >:
>>
>> *You are wrong about accessing the files. What has not been confirmed is
>>> remote code execution. We are working on it.*
>>> *And please, OWASP is recognised worldwide... *
>>>
>>> *Files can be accessed through Google Take out with a little bit of
>>> skills.*
>>>
>>> *https://www.google.com/settings/takeout
>>> <https://www.google.com/settings/takeout> *
>>>
>>>
>>>
>>>
>>> On Thu, Mar 13, 2014 at 4:09 PM, Julius Kivimäki <
>>> julius.kivimaki@...il.com> wrote:
>>>
>>>> Did you even read that article? (Not that OWASP has any sort of
>>>> credibility anyways). From what I saw in your previous post you are both
>>>> unable to execute the files or even access them and thus unable to
>>>> manipulate the content-type the files are returned with, therefore there is
>>>> no vulnerability (According to the article you linked.).
>>>>
>>>> BTW, you should look for more cool vulnerabilities in amazons EC2, I'm
>>>> sure you will find some "Unrestricted File Upload" holes.
>>>>
>>>>
>>>> 2014-03-13 16:18 GMT+02:00 Nicholas Lemonias. <
>>>> lem.nikolas@...glemail.com>:
>>>>
>>>> Here is your answer.
>>>>> https://www.owasp.org/index.php/Unrestricted_File_Upload
>>>>>
>>>>>
>>>>> On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki <
>>>>> julius.kivimaki@...il.com> wrote:
>>>>>
>>>>>> When did the ability to upload files of arbitrary types become a
>>>>>> security issue? If the file doesn't get executed, it's really not a
>>>>>> problem. (Besides from potentially breaking site layout standpoint.)
>>>>>>
>>>>>>
>>>>>> 2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. <
>>>>>> lem.nikolas@...glemail.com>:
>>>>>>
>>>>>>> Google vulnerabilities uncovered...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists