lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Mar 2014 18:03:10 +0000
From: antisnatchor <antisnatchor@...il.com>
To: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Google vulnerabilities with PoC

Ahah, I don't want to loose my time with public bug bounties, it's not
even cost-effective.

Sei proprio un nabbo

Nicholas Lemonias. wrote:
> You can't even find a cross site scripting on google.
>  
> Find a vuln on Google seems like a dream to some script kiddies.
>
>
> On Fri, Mar 14, 2014 at 6:00 PM, Nicholas Lemonias.
> <lem.nikolas@...glemail.com <mailto:lem.nikolas@...glemail.com>> wrote:
>
>     The full-disclosure mailing list has really changed. It's full of
>     lamers nowdays aiming high.
>      
>      
>      
>
>
>     On Fri, Mar 14, 2014 at 5:58 PM, Nicholas Lemonias.
>     <lem.nikolas@...glemail.com <mailto:lem.nikolas@...glemail.com>>
>     wrote:
>
>         Says the script kiddie... Beg for some publicity. My customers
>         are FTSE 100.
>
>         ---------- Forwarded message ----------
>         From: *Nicholas Lemonias.* <lem.nikolas@...glemail.com
>         <mailto:lem.nikolas@...glemail.com>>
>         Date: Fri, Mar 14, 2014 at 5:58 PM
>         Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities
>         with PoC
>         To: antisnatchor <antisnatchor@...il.com
>         <mailto:antisnatchor@...il.com>>
>
>
>         Says the script kiddie... Beg for some publicity. My customers
>         are FTSE 100.
>          
>          
>
>
>         On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor
>         <antisnatchor@...il.com <mailto:antisnatchor@...il.com>> wrote:
>
>             LOL you're hopeless.
>             Good luck with your business. Brave customers!
>
>             Cheers
>             antisnatchor
>
>             Nicholas Lemonias. wrote:
>>
>>             People can read the report if they like. Can't you even
>>             do basic things like reading a vulnerability report?
>>              
>>             Can't you see that the advisory is about writing
>>             arbitrary files. If I was your boss I would fire you.
>>             ---------- Forwarded message ----------
>>             From: *Nicholas Lemonias.* <lem.nikolas@...glemail.com
>>             <mailto:lem.nikolas@...glemail.com>>
>>             Date: Fri, Mar 14, 2014 at 5:43 PM
>>             Subject: Re: [Full-disclosure] Google vulnerabilities
>>             with PoC
>>             To: Mario Vilas <mvilas@...il.com <mailto:mvilas@...il.com>>
>>
>>
>>             People can read the report if they like. Can't you even
>>             do basic things like reading a vulnerability report?
>>              
>>             Can't you see that the advisory is about writing
>>             arbitrary files. If I was your boss I would fire you,
>>             with a good kick outta the door.
>>              
>>              
>>              
>>              
>>
>>
>>             On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas
>>             <mvilas@...il.com <mailto:mvilas@...il.com>> wrote:
>>
>>                 On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias.
>>                 <lem.nikolas@...glemail.com
>>                 <mailto:lem.nikolas@...glemail.com>> wrote:
>>
>>                     Jerome of Mcafee has made a very valid point on
>>                     revisiting  separation of duties in this security
>>                     instance.
>>                      
>>                     Happy to see more professionals with some
>>                     skills.  Some others have also mentioned the
>>                     feasibility for Denial of Service attacks. Remote
>>                     code execution by Social Engineering is also a
>>                     prominent scenario.
>>
>>
>>                 Actually, people have been pointing out exactly the
>>                 opposite. But if you insist on believing you can DoS
>>                 an EC2 by uploading files, good luck to you then...
>>                  
>>
>>                      
>>                     If you can't tell that that is a vulnerability
>>                     (probably coming from a bunch of CEH's), I feel
>>                     sorry for those consultants.
>>
>>
>>                 You're the only one throwing around certifications
>>                 here. I can no longer tell if you're being serious or
>>                 this is a massive prank.
>>                  
>>
>>                      
>>                     Nicholas.
>>
>>
>>                     On Fri, Mar 14, 2014 at 10:45 AM, Nicholas
>>                     Lemonias. <lem.nikolas@...glemail.com
>>                     <mailto:lem.nikolas@...glemail.com>> wrote:
>>
>>                         We are on a different level perhaps. We do
>>                         certainly disagree on those points.
>>                         I wouldn't hire you as a consultant, if you
>>                         can't tell if that is a valid vulnerability..
>>                          
>>                          
>>                         Best Regards,
>>                         Nicholas Lemonias.
>>                          
>>                         On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas
>>                         <mvilas@...il.com <mailto:mvilas@...il.com>>
>>                         wrote:
>>
>>                             But do you have all the required EH
>>                             certifications? Try this one from the
>>                             Institute for 
>>                             Certified Application Security
>>                             Specialists: http://www.asscert.com/
>>
>>
>>                             On Fri, Mar 14, 2014 at 7:41 AM, Nicholas
>>                             Lemonias. <lem.nikolas@...glemail.com
>>                             <mailto:lem.nikolas@...glemail.com>> wrote:
>>
>>                                 Thanks Michal,
>>                                  
>>                                 We are just trying to improve
>>                                 Google's security and contribute to
>>                                 the research community after all. If
>>                                 you are still on EFNet give me a
>>                                 shout some time.
>>                                  
>>                                  We have done so and consulted to
>>                                 hundreds of clients including
>>                                 Microsoft, Nokia, Adobe and some of
>>                                 the world's biggest corporations. We
>>                                 are also strict supporters of the ACM
>>                                 code of conduct.
>>                                  
>>                                 Regards,
>>                                 Nicholas Lemonias.
>>                                 AISec
>>
>>
>>                                 On Fri, Mar 14, 2014 at 6:29 AM,
>>                                 Nicholas Lemonias.
>>                                 <lem.nikolas@...glemail.com
>>                                 <mailto:lem.nikolas@...glemail.com>>
>>                                 wrote:
>>
>>                                     Hi Jerome,
>>                                      
>>                                     Thank you for agreeing on access
>>                                     control, and separation of duties.
>>                                      
>>                                     However successful exploitation
>>                                     permits arbitrary write() of any
>>                                     file of choice.
>>                                      
>>                                     I could release an exploit code
>>                                     in C Sharp or Python that permits
>>                                     multiple file uploads of any
>>                                     file/types, if the Google
>>                                     security team feels that this
>>                                     would be necessary. This is
>>                                     unpaid work, so we are not so
>>                                     keen on that job. 
>>                                     || 
>>
>>
>>                                     On Fri, Mar 14, 2014 at 6:04 AM,
>>                                     Jerome Athias
>>                                     <athiasjerome@...il.com
>>                                     <mailto:athiasjerome@...il.com>>
>>                                     wrote:
>>
>>                                         Hi
>>
>>                                         I concur that we are mainly
>>                                         discussing a terminology problem.
>>
>>                                         In the context of a
>>                                         Penetration Test or WAPT,
>>                                         this is a Finding.
>>                                         Reporting this finding makes
>>                                         sense in this context.
>>
>>                                         As a professional, you would
>>                                         have to explain if/how this
>>                                         finding is a
>>                                         Weakness*, a Violation
>>                                         (/Regulations, Compliance,
>>                                         Policies or
>>                                         Requirements[1])
>>                                         * I would say Weakness +
>>                                         Exposure = Vulnerability.
>>                                         Vulnerability +
>>                                         Exploitability (PoC) =
>>                                         Confirmed Vulnerability that
>>                                         needs Business
>>                                         Impact and Risk Analysis
>>
>>                                         So I would probably have
>>                                         reported this Finding as a
>>                                         Weakness (and not
>>                                         Vulnerability. See: OWASP,
>>                                         WASC-TC, CWE), explaining
>>                                         that it is not
>>                                         Best Practice (your OWASP
>>                                         link and Cheat Sheets), and
>>                                         even if
>>                                         mitigative/compensative
>>                                         security controls (Ref Orange
>>                                         Book), security
>>                                         controls like white listing
>>                                         (or at least black listing.
>>                                         see also
>>                                         ESAPI) should be 1) part of
>>                                         the [1]security requirements
>>                                         of a proper
>>                                         SDLC (Build security in) as
>>                                         per Defense-in-Depth security
>>                                         principles
>>                                         and 2) used and implemented
>>                                         correctly.
>>                                         NB: A simple Threat Model
>>                                         (i.e. list of CAPEC) would be
>>                                         a solid
>>                                         support to your report
>>                                         This would help to
>>                                         evaluate/measure the risk
>>                                         (e.g. CVSS).
>>                                         Helping the decision/actions
>>                                         around this risk
>>
>>                                         PS: interestingly, in this
>>                                         case, I'm not sure that the
>>                                         Separation of
>>                                         Duties security principle was
>>                                         applied correctly by Google
>>                                         in term of
>>                                         Risk Acceptance (which could
>>                                         be another Finding)
>>
>>                                         So in few words, be careful
>>                                         with the terminology. (don't
>>                                         always say
>>                                         vulnerability like the media
>>                                         say hacker, see RFC1392) Use
>>                                         a CWE ID
>>                                         (e.g. CWE-434, CWE-183,
>>                                         CWE-184 vs. CWE-616)
>>
>>                                         My 2 bitcents
>>                                         Sorry if it is not edible :)
>>                                         Happy Hacking!
>>
>>                                         /JA
>>                                         https://github.com/athiasjerome/XORCISM
>>
>>                                         2014-03-14 7:19 GMT+03:00
>>                                         Michal Zalewski
>>                                         <lcamtuf@...edump.cx
>>                                         <mailto:lcamtuf@...edump.cx>>:
>>                                         > Nicholas,
>>                                         >
>>                                         > I remember my early years
>>                                         in the infosec community -
>>                                         and sadly, so do
>>                                         > some of the more seasoned
>>                                         readers of this list :-) Back
>>                                         then, I
>>                                         > thought that the only thing
>>                                         that mattered is the ability
>>                                         to find bugs.
>>                                         > But after some 18 years in
>>                                         the industry, I now know that
>>                                         there's an
>>                                         > even more important and
>>                                         elusive skill.
>>                                         >
>>                                         > That skill boils down to
>>                                         having a robust mental model
>>                                         of what
>>                                         > constitutes a security flaw
>>                                         - and being able to explain
>>                                         your thinking
>>                                         > to others in a precise and
>>                                         internally consistent manner
>>                                         that convinces
>>                                         > others to act. We need this
>>                                         because the security of a
>>                                         system can't be
>>                                         > usefully described using
>>                                         abstract terms: even the
>>                                         academic definitions
>>                                         > ultimately boil down to
>>                                         saying "the system is secure
>>                                         if it doesn't do
>>                                         > the things we *really*
>>                                         don't want it to do".
>>                                         >
>>                                         > In this spirit, the term
>>                                         "vulnerability" is generally
>>                                         reserved for
>>                                         > behaviors that meet all of
>>                                         the following criteria:
>>                                         >
>>                                         > 1) The behavior must have
>>                                         negative consequences for at
>>                                         least one of
>>                                         > the legitimate stakeholders
>>                                         (users, service owners, etc),
>>                                         >
>>                                         > 2) The consequences must be
>>                                         widely seen as unexpected and
>>                                         unacceptable,
>>                                         >
>>                                         > 3) There must be a
>>                                         realistic chance of such a
>>                                         negative outcome,
>>                                         >
>>                                         > 4) The behavior must
>>                                         introduce substantial new
>>                                         risks that go beyond
>>                                         > the previously accepted
>>                                         trade-offs.
>>                                         >
>>                                         > If we don't have that, we
>>                                         usually don't have a case, no
>>                                         matter how
>>                                         > clever the bug is.
>>                                         >
>>                                         > Cheers (and happy hunting!),
>>                                         > /mz
>>                                         >
>>                                         >
>>                                         _______________________________________________
>>                                         > Full-Disclosure - We
>>                                         believe in it.
>>                                         > Charter:
>>                                         http://lists.grok.org.uk/full-disclosure-charter.html
>>                                         > Hosted and sponsored by
>>                                         Secunia - http://secunia.com/
>>
>>
>>
>>
>>                                 _______________________________________________
>>                                 Full-Disclosure - We believe in it.
>>                                 Charter:
>>                                 http://lists.grok.org.uk/full-disclosure-charter.html
>>                                 Hosted and sponsored by Secunia -
>>                                 http://secunia.com/
>>
>>
>>
>>
>>                             -- 
>>                             "There's a reason we separate military
>>                             and the police: one fights the enemy of
>>                             the state, the other serves and protects
>>                             the people. When the military becomes
>>                             both, then the enemies of the state tend
>>                             to become the people."
>>
>>                             _______________________________________________
>>                             Full-Disclosure - We believe in it.
>>                             Charter:
>>                             http://lists.grok.org.uk/full-disclosure-charter.html
>>                             Hosted and sponsored by Secunia -
>>                             http://secunia.com/
>>
>>
>>
>>
>>
>>
>>                 -- 
>>                 "There's a reason we separate military and the
>>                 police: one fights the enemy of the state, the other
>>                 serves and protects the people. When the military
>>                 becomes both, then the enemies of the state tend to
>>                 become the people."
>>
>>
>>
>>             _______________________________________________
>>             Full-Disclosure - We believe in it.
>>             Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>             Hosted and sponsored by Secunia - http://secunia.com/
>
>             -- 
>             Cheers
>             Michele
>
>
>
>
>

-- 
Cheers
Michele


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists