[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJB2JzsR-ap1=5wPtz4p+7WpksSSjsHwcRJPfDpgR6PA9XFwrg@mail.gmail.com>
Date: Fri, 14 Mar 2014 10:37:11 +0100
From: Mario Vilas <mvilas@...il.com>
To: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google vulnerabilities with PoC
On Thu, Mar 13, 2014 at 10:30 PM, Nicholas Lemonias. <
lem.nikolas@...glemail.com> wrote:
> We confirm this to be a valid vulnerability for the following reasons.
>
> The access control subsystem is defeated, resulting to arbitrary write
> access of any file of choice.
>
> 1. You Tube defines which file types are permitted to be uploaded.
>
And...?
>
> 2. Exploitation is achieved by circumvention of web-based security
> controls (namely http forms, which is a weak security measure). However,
> exploitation of the issue results to unrestricted file uploads (any file of
> choice ). Remote code execution may be possible either through social
> engineering , or by stochastically rewriting an existing file-structure in
> the CDN.
>
So in ohter words, you haven't proven it. The upload in itself is not a
vulnerability (and if you understood that it is, please read again that
OWASP document).
>
> 3. This directly impacts the integrity of the service since modification
> of information occurs by circumvention. Renaming the uploaded files can be
> achieved through YouTube's inherent video manager.
>
How does it impact the integrity? Again, unexpected functionality does not
necessarily equal exploitation.
>
> 4. Denial of Service attacks are feasible since we bypass all security
> restrictions. This directly impacts the availability of the service.
>
Not proven either. At this point I feel you're just making stuff up. All
you did was upload stuff you can't download afterwards.
>
> 5. Malware propagation is possible, if the planted code get's executed
> through social engineering or by re-writing a valid file system structure.
>
>
Again, you need to be able to download the stuff you uploaded, and have it
executed directly. Otherwise you could do the same thing more efficiently
with Google Drive.
>
> 6) All uploaded files can be downloaded through Google Take Out, if past
> the Content ID filtering algorithm (through file header obfuscation and
> encryption).
>
You need to explain how that is an attack vector.
>
>
> Best Regards,
> Nicholas Lemonias
> Advanced Information Security Corp.
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists