Message-ID: <CAJB2JzvvbdJQO-47YvcsJEzK5agiF+CJJkXUGdg3Qq24MaZ_Xg@mail.gmail.com>
Date: Sat, 15 Mar 2014 00:17:33 +0100
From: Mario Vilas <mvilas@...il.com>
To: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Fwd: Google vulnerabilities with PoC
Please provide an attack scenario. Can you do that?
On Fri, Mar 14, 2014 at 9:23 PM, Nicholas Lemonias. <
lem.nikolas@...glemail.com> wrote:
> Are you sure this json response, or this file, will be there in a month?
> Or in a year? Is the fact that this json response exists a threat to
> youtube? Can you quantify how much of a threat? How much, in dollars, does it
> hurt their business?
>
> This file may be here if the admins don't delete it. Now they may do ;@)
>
>
> So where do you think that information is coming from? The metadata and
> tags, and headers are contained in a database.
>
> The files are stored persistently, since they can be quoted. So the API
> works both ways. The main thing here is that the files are there, otherwise
> their metadata information would be deleted from the db as well.
>
> http://gdata.youtube.com/demo/index.html?utm_source=
> twitterfeed&utm_medium=twitter
>
> Youtube DATA API is unique.. the commands can be sent through that
> interface... So we do definitely know that that is coming from a database.
>
>
> On Fri, Mar 14, 2014 at 8:22 PM, Nicholas Lemonias. <
> lem.nikolas@...glemail.com> wrote:
>
>> You are trying to execute an sh script through a video player. That's an
>> exec() command. So it's the wrong way about accessing the file.
>>
>>
>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists@...il.com> wrote:
>>
>>> No it's not. As Chris and I are saying, you don't have proof your file
>>> is accessible to others, only that it was uploaded. Now, you see, when you
>>> upload a video to youtube, you get the address where it will be viewable in
>>> the response. In your case:
>>>
>>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"
>>> http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000
>>> ","cross_domain_url":"
>>> http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":
>>> "ok", *"video_id": "KzKDtijwHFI"*
>>> }}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>> And what do we get when we browse to
>>> https://youtube.com/watch?v=KzKDtijwHFI ?
>>> Nothing.
>>> Can you send me a link where I can access the file content of the
>>> arbitrary file you uploaded?
>>> Are you sure this json response, or this file, will be there in a month?
>>> Or in a year? Is the fact that this json response exists a threat to
>>> youtube? Can you quantify how much of a threat? How much, in dollars, does it
>>> hurt their business?
>>>
>>> --Rob
>>>
>>>
>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <
>>> lem.nikolas@...glemail.com> wrote:
>>>
>>>> My claim is now verified....
>>>>
>>>> Cheers!
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>> lem.nikolas@...glemail.com> wrote:
>>>>
>>>>> http://upload.youtube.com/?authuser=0&upload_id=
>>>>> AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
>>>>> uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=
>>>>> CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>
>>>>> That information can be queried from the db, where the metadata are
>>>>> saved. The files are being saved persistently, as per the above example.
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>>> lem.nikolas@...glemail.com> wrote:
>>>>>
>>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are
>>>>>> saved. The files are being saved persistently, as per the above example.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <
>>>>>> christhom7851@...il.com> wrote:
>>>>>>
>>>>>>> Hi Nikolas,
>>>>>>>
>>>>>>> Please do read (and understand) my entire email before responding -
>>>>>>> I understand your frustration trying to get your message across but maybe
>>>>>>> this will help.
>>>>>>>
>>>>>>> Please put aside professional pride for the time being - I know how
>>>>>>> it feels to be passionate about something yet have others simply not
>>>>>>> understand.
>>>>>>>
>>>>>>> Let me try and bring some sanity to the discussion and explain to
>>>>>>> you why people may not be agreeing with you.
>>>>>>>
>>>>>>> You (rightly so) highlighted what you believe to be an issue in
>>>>>>> YouTube whereby it appears (to you) that you can upload an arbitrary file.
>>>>>>> If you can indeed do this as you suspect then your points are valid and you
>>>>>>> "may" be able to cause various issues associated with it such as DOS etc -
>>>>>>> especially if the uploaded files cannot or are not tracked.
>>>>>>>
>>>>>>> However...
>>>>>>>
>>>>>>> Consider that you are talking to an API and what you are getting
>>>>>>> back (the JSON response) in your example is simply a response from the API
>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>
>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>> in fact a valid movie and if not removes it.
>>>>>>>
>>>>>>> If you could for example demonstrate that the file was indeed
>>>>>>> persistent, by being able to retrieve it for example then again, you would
>>>>>>> have solid ground to claim an issue however your claims at this point are
>>>>>>> based on an assumption.... Let me explain.
>>>>>>>
>>>>>>> 1. You have demonstrated that you can send "any" file to an API and
>>>>>>> the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>
>>>>>>> 2. You / we don't know what Google do with files once they have been
>>>>>>> received from the API - maybe they process them and validate them - we
>>>>>>> simply don't know.
>>>>>>>
>>>>>>> 3. You have hypothesized that you can retrieve the file by
>>>>>>> manipulating tokens etc and you may be right, but you have not demonstrated
>>>>>>> it as such.
>>>>>>>
>>>>>>> Because of this, you seem to have made a CLAIM that you can upload
>>>>>>> arbitrary files to Google however SHOWN that you can simply send files to
>>>>>>> an API and an API responds in a certain way.
>>>>>>>
>>>>>>> I am NOT saying you haven't found an issue, what I am saying is that
>>>>>>> you need to demonstrate that the issue is real and thus can be abused. If
>>>>>>> the Google service simply verifies all uploaded files once they are
>>>>>>> uploaded and discards them if invalid, then you haven't really found
>>>>>>> anything.
>>>>>>>
>>>>>>> If you were to prove that you were able to retrieve this uploaded
>>>>>>> file then how could anyone dispute your bug?
>>>>>>>
>>>>>>> Hope this helps....
>>>>>>>
>>>>>>> Cheers!
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
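The post-processing step Chris describes above, a check that decides from the stored bytes whether an upload is really a video and discards it otherwise, could look like this. It is an added example written for this thread, not code from any of the participants or from Google; the JSON sample mirrors the response shape quoted above with placeholder values, the file bodies are constructed, and the signature table is an assumption kept deliberately small.

```python
import json
from typing import Optional

# Magic-byte signatures (offset, bytes) of a few common video containers.
# This table is an assumption for the example and deliberately small.
VIDEO_SIGNATURES = {
    "mp4": (4, b"ftyp"),                 # ISO BMFF: 4-byte size, then 'ftyp'
    "webm": (0, b"\x1a\x45\xdf\xa3"),    # EBML header (WebM / Matroska)
    "avi": (0, b"RIFF"),                 # RIFF; AVI carries 'AVI ' at offset 8
    "flv": (0, b"FLV"),
}

# Constructed sample of the API response shape quoted in the thread.
SAMPLE_RESPONSE = json.dumps({
    "sessionStatus": {
        "state": "FINALIZED",
        "externalFieldTransfers": [
            {"name": "file", "status": "COMPLETED",
             "bytesTransferred": 18, "bytesTotal": 18,
             "content_type": "text/x-sh"},
        ],
    },
    "upload_id": "UPLOAD_ID_PLACEHOLDER",
})

# Constructed file bodies: a shell script and a minimal MP4-style header.
SH_UPLOAD = b"#!/bin/sh\necho hi\n"
MP4_UPLOAD = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 8


def sniff_container(data: bytes) -> Optional[str]:
    """Return the container name if the bytes start with a known signature."""
    for name, (offset, magic) in VIDEO_SIGNATURES.items():
        if data[offset:offset + len(magic)] != magic:
            continue
        if name == "avi" and data[8:12] != b"AVI ":
            continue  # RIFF but not AVI (e.g. a WAV file)
        return name
    return None


def validate_upload(upload_response: str, data: bytes) -> dict:
    """Decide whether a FINALIZED upload is kept; the declared type is never trusted."""
    status = json.loads(upload_response)["sessionStatus"]
    declared = status["externalFieldTransfers"][0].get("content_type", "")
    container = sniff_container(data)
    # Keep only completed uploads whose bytes are a recognised video container.
    keep = status["state"] == "FINALIZED" and container is not None
    return {"declared_type": declared, "sniffed": container, "keep": keep}
```

A "FINALIZED" acknowledgement with keep set to False is exactly the situation the thread argues about: the API accepted the bytes, but the file never becomes a retrievable video.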