[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJB2Jzv4Sy1rH-59yTJ3CSXhRz7kgP_SeFGbWmyNZwM6GQ8eBQ@mail.gmail.com>
Date: Fri, 14 Mar 2014 23:53:22 +0100
From: Mario Vilas <mvilas@...il.com>
To: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Fwd: Google vulnerabilities with PoC
[image: Inline image 1]
On Fri, Mar 14, 2014 at 7:07 PM, Nicholas Lemonias. <
lem.nikolas@...glemail.com> wrote:
> Quite funnily, most erratic comments originate from a @gmail.com host.
> Does that mean that Google and Co are attacking the researcher ?
>
>
> On Fri, Mar 14, 2014 at 6:06 PM, Nicholas Lemonias. <
> lem.nikolas@...glemail.com> wrote:
>
>> Quite funnily, most erratic comments originate from a @gmail.com host.
>> Does that mean that Google and Co are attacking the researcher ?
>>
>>
>>
>>
>> On Fri, Mar 14, 2014 at 6:04 PM, Mike Hale <eyeronic.design@...il.com>wrote:
>>
>>> No, you're saying something's a vulnerability without showing any
>>> indication of how it can be abused.
>>>
>>> On Fri, Mar 14, 2014 at 11:00 AM, Nicholas Lemonias.
>>> <lem.nikolas@...glemail.com> wrote:
>>> > The full-disclosure mailing list has really changed. It's full of
>>> lamers
>>> > nowdays aiming high.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Mar 14, 2014 at 5:58 PM, Nicholas Lemonias.
>>> > <lem.nikolas@...glemail.com> wrote:
>>> >>
>>> >> Says the script kiddie... Beg for some publicity. My customers are
>>> FTSE
>>> >> 100.
>>> >>
>>> >> ---------- Forwarded message ----------
>>> >> From: Nicholas Lemonias. <lem.nikolas@...glemail.com>
>>> >> Date: Fri, Mar 14, 2014 at 5:58 PM
>>> >> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
>>> >> To: antisnatchor <antisnatchor@...il.com>
>>> >>
>>> >>
>>> >> Says the script kiddie... Beg for some publicity. My customers are
>>> FTSE
>>> >> 100.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor <antisnatchor@...il.com
>>> >
>>> >> wrote:
>>> >>>
>>> >>> LOL you're hopeless.
>>> >>> Good luck with your business. Brave customers!
>>> >>>
>>> >>> Cheers
>>> >>> antisnatchor
>>> >>>
>>> >>> Nicholas Lemonias. wrote:
>>> >>>
>>> >>>
>>> >>> People can read the report if they like. Can't you even do basic
>>> things
>>> >>> like reading a vulnerability report?
>>> >>>
>>> >>> Can't you see that the advisory is about writing arbitrary files. If
>>> I
>>> >>> was your boss I would fire you.
>>> >>> ---------- Forwarded message ----------
>>> >>> From: Nicholas Lemonias. <lem.nikolas@...glemail.com>
>>> >>> Date: Fri, Mar 14, 2014 at 5:43 PM
>>> >>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>>> >>> To: Mario Vilas <mvilas@...il.com>
>>> >>>
>>> >>>
>>> >>> People can read the report if they like. Can't you even do basic
>>> things
>>> >>> like reading a vulnerability report?
>>> >>>
>>> >>> Can't you see that the advisory is about writing arbitrary files. If
>>> I
>>> >>> was your boss I would fire you, with a good kick outta the door.
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas <mvilas@...il.com>
>>> wrote:
>>> >>>>
>>> >>>> On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias.
>>> >>>> <lem.nikolas@...glemail.com> wrote:
>>> >>>>>
>>> >>>>> Jerome of Mcafee has made a very valid point on revisiting
>>> separation
>>> >>>>> of duties in this security instance.
>>> >>>>>
>>> >>>>> Happy to see more professionals with some skills. Some others have
>>> >>>>> also mentioned the feasibility for Denial of Service attacks.
>>> Remote code
>>> >>>>> execution by Social Engineering is also a prominent scenario.
>>> >>>>
>>> >>>>
>>> >>>> Actually, people have been pointing out exactly the opposite. But
>>> if you
>>> >>>> insist on believing you can DoS an EC2 by uploading files, good
>>> luck to you
>>> >>>> then...
>>> >>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> If you can't tell that that is a vulnerability (probably coming
>>> from a
>>> >>>>> bunch of CEH's), I feel sorry for those consultants.
>>> >>>>
>>> >>>>
>>> >>>> You're the only one throwing around certifications here. I can no
>>> longer
>>> >>>> tell if you're being serious or this is a massive prank.
>>> >>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> Nicholas.
>>> >>>>>
>>> >>>>>
>>> >>>>> On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias.
>>> >>>>> <lem.nikolas@...glemail.com> wrote:
>>> >>>>>>
>>> >>>>>> We are on a different level perhaps. We do certainly disagree on
>>> those
>>> >>>>>> points.
>>> >>>>>> I wouldn't hire you as a consultant, if you can't tell if that is
>>> a
>>> >>>>>> valid vulnerability..
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> Best Regards,
>>> >>>>>> Nicholas Lemonias.
>>> >>>>>>
>>> >>>>>> On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvilas@...il.com>
>>> >>>>>> wrote:
>>> >>>>>>>
>>> >>>>>>> But do you have all the required EH certifications? Try this one
>>> from
>>> >>>>>>> the Institute for
>>> >>>>>>> Certified Application Security Specialists:
>>> http://www.asscert.com/
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias.
>>> >>>>>>> <lem.nikolas@...glemail.com> wrote:
>>> >>>>>>>>
>>> >>>>>>>> Thanks Michal,
>>> >>>>>>>>
>>> >>>>>>>> We are just trying to improve Google's security and contribute
>>> to
>>> >>>>>>>> the research community after all. If you are still on EFNet
>>> give me a shout
>>> >>>>>>>> some time.
>>> >>>>>>>>
>>> >>>>>>>> We have done so and consulted to hundreds of clients including
>>> >>>>>>>> Microsoft, Nokia, Adobe and some of the world's biggest
>>> corporations. We are
>>> >>>>>>>> also strict supporters of the ACM code of conduct.
>>> >>>>>>>>
>>> >>>>>>>> Regards,
>>> >>>>>>>> Nicholas Lemonias.
>>> >>>>>>>> AISec
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>> On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias.
>>> >>>>>>>> <lem.nikolas@...glemail.com> wrote:
>>> >>>>>>>>>
>>> >>>>>>>>> Hi Jerome,
>>> >>>>>>>>>
>>> >>>>>>>>> Thank you for agreeing on access control, and separation of
>>> duties.
>>> >>>>>>>>>
>>> >>>>>>>>> However successful exploitation permits arbitrary write() of
>>> any
>>> >>>>>>>>> file of choice.
>>> >>>>>>>>>
>>> >>>>>>>>> I could release an exploit code in C Sharp or Python that
>>> permits
>>> >>>>>>>>> multiple file uploads of any file/types, if the Google
>>> security team feels
>>> >>>>>>>>> that this would be necessary. This is unpaid work, so we are
>>> not so keen on
>>> >>>>>>>>> that job.
>>> >>>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>> On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias
>>> >>>>>>>>> <athiasjerome@...il.com> wrote:
>>> >>>>>>>>>>
>>> >>>>>>>>>> Hi
>>> >>>>>>>>>>
>>> >>>>>>>>>> I concur that we are mainly discussing a terminology problem.
>>> >>>>>>>>>>
>>> >>>>>>>>>> In the context of a Penetration Test or WAPT, this is a
>>> Finding.
>>> >>>>>>>>>> Reporting this finding makes sense in this context.
>>> >>>>>>>>>>
>>> >>>>>>>>>> As a professional, you would have to explain if/how this
>>> finding
>>> >>>>>>>>>> is a
>>> >>>>>>>>>> Weakness*, a Violation (/Regulations, Compliance, Policies or
>>> >>>>>>>>>> Requirements[1])
>>> >>>>>>>>>> * I would say Weakness + Exposure = Vulnerability.
>>> Vulnerability +
>>> >>>>>>>>>> Exploitability (PoC) = Confirmed Vulnerability that needs
>>> Business
>>> >>>>>>>>>> Impact and Risk Analysis
>>> >>>>>>>>>>
>>> >>>>>>>>>> So I would probably have reported this Finding as a Weakness
>>> (and
>>> >>>>>>>>>> not
>>> >>>>>>>>>> Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it
>>> is
>>> >>>>>>>>>> not
>>> >>>>>>>>>> Best Practice (your OWASP link and Cheat Sheets), and even if
>>> >>>>>>>>>> mitigative/compensative security controls (Ref Orange Book),
>>> >>>>>>>>>> security
>>> >>>>>>>>>> controls like white listing (or at least black listing. see
>>> also
>>> >>>>>>>>>> ESAPI) should be 1) part of the [1]security requirements of a
>>> >>>>>>>>>> proper
>>> >>>>>>>>>> SDLC (Build security in) as per Defense-in-Depth security
>>> >>>>>>>>>> principles
>>> >>>>>>>>>> and 2) used and implemented correctly.
>>> >>>>>>>>>> NB: A simple Threat Model (i.e. list of CAPEC) would be a
>>> solid
>>> >>>>>>>>>> support to your report
>>> >>>>>>>>>> This would help to evaluate/measure the risk (e.g. CVSS).
>>> >>>>>>>>>> Helping the decision/actions around this risk
>>> >>>>>>>>>>
>>> >>>>>>>>>> PS: interestingly, in this case, I'm not sure that the
>>> Separation
>>> >>>>>>>>>> of
>>> >>>>>>>>>> Duties security principle was applied correctly by Google in
>>> term
>>> >>>>>>>>>> of
>>> >>>>>>>>>> Risk Acceptance (which could be another Finding)
>>> >>>>>>>>>>
>>> >>>>>>>>>> So in few words, be careful with the terminology. (don't
>>> always
>>> >>>>>>>>>> say
>>> >>>>>>>>>> vulnerability like the media say hacker, see RFC1392) Use a
>>> CWE ID
>>> >>>>>>>>>> (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)
>>> >>>>>>>>>>
>>> >>>>>>>>>> My 2 bitcents
>>> >>>>>>>>>> Sorry if it is not edible :)
>>> >>>>>>>>>> Happy Hacking!
>>> >>>>>>>>>>
>>> >>>>>>>>>> /JA
>>> >>>>>>>>>> https://github.com/athiasjerome/XORCISM
>>> >>>>>>>>>>
>>> >>>>>>>>>> 2014-03-14 7:19 GMT+03:00 Michal Zalewski <
>>> lcamtuf@...edump.cx>:
>>> >>>>>>>>>> > Nicholas,
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > I remember my early years in the infosec community - and
>>> sadly,
>>> >>>>>>>>>> > so do
>>> >>>>>>>>>> > some of the more seasoned readers of this list :-) Back
>>> then, I
>>> >>>>>>>>>> > thought that the only thing that mattered is the ability to
>>> find
>>> >>>>>>>>>> > bugs.
>>> >>>>>>>>>> > But after some 18 years in the industry, I now know that
>>> there's
>>> >>>>>>>>>> > an
>>> >>>>>>>>>> > even more important and elusive skill.
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > That skill boils down to having a robust mental model of
>>> what
>>> >>>>>>>>>> > constitutes a security flaw - and being able to explain your
>>> >>>>>>>>>> > thinking
>>> >>>>>>>>>> > to others in a precise and internally consistent manner that
>>> >>>>>>>>>> > convinces
>>> >>>>>>>>>> > others to act. We need this because the security of a system
>>> >>>>>>>>>> > can't be
>>> >>>>>>>>>> > usefully described using abstract terms: even the academic
>>> >>>>>>>>>> > definitions
>>> >>>>>>>>>> > ultimately boil down to saying "the system is secure if it
>>> >>>>>>>>>> > doesn't do
>>> >>>>>>>>>> > the things we *really* don't want it to do".
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > In this spirit, the term "vulnerability" is generally
>>> reserved
>>> >>>>>>>>>> > for
>>> >>>>>>>>>> > behaviors that meet all of the following criteria:
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > 1) The behavior must have negative consequences for at
>>> least one
>>> >>>>>>>>>> > of
>>> >>>>>>>>>> > the legitimate stakeholders (users, service owners, etc),
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > 2) The consequences must be widely seen as unexpected and
>>> >>>>>>>>>> > unacceptable,
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > 3) There must be a realistic chance of such a negative
>>> outcome,
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > 4) The behavior must introduce substantial new risks that go
>>> >>>>>>>>>> > beyond
>>> >>>>>>>>>> > the previously accepted trade-offs.
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > If we don't have that, we usually don't have a case, no
>>> matter
>>> >>>>>>>>>> > how
>>> >>>>>>>>>> > clever the bug is.
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > Cheers (and happy hunting!),
>>> >>>>>>>>>> > /mz
>>> >>>>>>>>>> >
>>> >>>>>>>>>> > _______________________________________________
>>> >>>>>>>>>> > Full-Disclosure - We believe in it.
>>> >>>>>>>>>> > Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>> >>>>>>>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>> >>>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>>
>>> >>>>>>>> _______________________________________________
>>> >>>>>>>> Full-Disclosure - We believe in it.
>>> >>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> >>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> --
>>> >>>>>>> "There's a reason we separate military and the police: one
>>> fights the
>>> >>>>>>> enemy of the state, the other serves and protects the people.
>>> When the
>>> >>>>>>> military becomes both, then the enemies of the state tend to
>>> become the
>>> >>>>>>> people."
>>> >>>>>>>
>>> >>>>>>> _______________________________________________
>>> >>>>>>> Full-Disclosure - We believe in it.
>>> >>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> >>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> >>>>>>
>>> >>>>>>
>>> >>>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> --
>>> >>>> "There's a reason we separate military and the police: one fights
>>> the
>>> >>>> enemy of the state, the other serves and protects the people. When
>>> the
>>> >>>> military becomes both, then the enemies of the state tend to become
>>> the
>>> >>>> people."
>>> >>>
>>> >>>
>>> >>>
>>> >>> _______________________________________________
>>> >>> Full-Disclosure - We believe in it.
>>> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> >>> Hosted and sponsored by Secunia - http://secunia.com/
>>> >>>
>>> >>>
>>> >>> --
>>> >>> Cheers
>>> >>> Michele
>>> >>>
>>> >>
>>> >>
>>> >
>>> >
>>> > _______________________________________________
>>> > Full-Disclosure - We believe in it.
>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>> --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>
>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists