lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+CewVCAS2z6+JczS6FFFXrKAsCxuwUxEgPuh=n-MtAyiCgjOg@mail.gmail.com>
Date: Sat, 15 Mar 2014 02:48:06 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: R D <rd.seclists@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Google vulnerabilities with PoC

Go to sleep. You have absolutely no understanding of the vulnerability, nor
you have the facts.

If you want a full report ask Softpedia, because we aint releasing them.


On Fri, Mar 14, 2014 at 8:39 PM, R D <rd.seclists@...il.com> wrote:

> >You are trying to execute an sh script through a video player. That's an
> exec() command.
> No, it's not. That's an HTTP GET. Do you have such a poor understanding of
> how web applications work? Or did you just not read what I said?
>
> >So its the wrong way about accessing the file.
> This way, which is the standard way to access files on youtube, tells me
> the file doesn't exist. You have yet to prove the file you uploaded can be
> accessed or executed by anyone. For that matter, you have still to prove it
> can be discovered by anyone. That URL is hard to guess.
> And you have still to answer all my other questions, and most of the
> questions asked to you on this list.
> The burden of proof is on you, and you are making a fool of yourself by
> answering all the questions here with the same statements, and links to
> your PoC that doesn't proves anything, while everybody asks you for more
> evidence.
> Keep on the (good?) work,
> --Rob'
>
>
> On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias. <
> lem.nikolas@...glemail.com> wrote:
>
>> You are trying to execute an sh script through a video player. That's an
>> exec() command. So its the wrong way about accessing the file.
>>
>>
>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.seclists@...il.com> wrote:
>>
>>> No it's not. As Chris and I are saying, you don't have proof your file
>>> is accessible to others, only that is was uploaded. Now, you see, when you
>>> upload a video to youtube, you get the adress where it will be viewable in
>>> the response. In your case :
>>>
>>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"
>>> http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000
>>> ","cross_domain_url":"
>>> http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":
>>> "ok", *"video_id": "KzKDtijwHFI"*
>>> }}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>> And what do we get when we browse to
>>> https://youtube.com/watch?v=KzKDtijwHFI ?
>>> Nothing.
>>> Can you send me a link where I can access the file content of the
>>> arbitrary file you uploaded?
>>> Are you sure this json response, or this file, will be there in a month?
>>> Or in a year? Is the fact that this json response exists a threat to
>>> youtube? Can you quantify how of a threat? How much, in dollars, does it
>>> hurt their business?
>>>
>>> --Rob
>>>
>>>
>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <
>>> lem.nikolas@...glemail.com> wrote:
>>>
>>>> My claim is now verified....
>>>>
>>>> Cheers!
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>> lem.nikolas@...glemail.com> wrote:
>>>>
>>>>> http://upload.youtube.com/?authuser=0&upload_id=
>>>>> AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
>>>>> uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=
>>>>> CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>
>>>>> That information can be queried from the db, where the metadata are
>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
>>>>> lem.nikolas@...glemail.com> wrote:
>>>>>
>>>>>>
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are
>>>>>> saved. The files are being saved persistently , as per the above example.
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <
>>>>>> christhom7851@...il.com> wrote:
>>>>>>
>>>>>>> Hi Nikolas,
>>>>>>>
>>>>>>> Please do read (and understand) my entire email before responding -
>>>>>>> I understand your frustration trying to get your message across but maybe
>>>>>>> this will help.
>>>>>>>
>>>>>>> Please put aside professional pride for the time being - I know how
>>>>>>> it feels to be passionate about something yet have others simply not
>>>>>>> understand.
>>>>>>>
>>>>>>> Let me try and bring some sanity to the discussion and explain to
>>>>>>> you why people maybe not agreeing with you.
>>>>>>>
>>>>>>> You (rightly so) highlighted what you believe to be an issue in a
>>>>>>> Youtube whereby it appears (to you) than you can upload an arbitrary file.
>>>>>>> If you can indeed do this as you suspect then your points are valid and you
>>>>>>> "may" be able to cause various issues associated with it such as DOS etc -
>>>>>>> especially if the uploaded files cannot or are not tracked.
>>>>>>>
>>>>>>> However...
>>>>>>>
>>>>>>> Consider than you are talking to an API and what you are getting
>>>>>>> back (the JSON response) in your example is simply a response from the API
>>>>>>> to say the file you uploaded has been received and saved.
>>>>>>>
>>>>>>> Now, as you no doubt know, when you upload a regular movie to
>>>>>>> YouTube, once uploaded it goes away and does some post-processing,
>>>>>>> converting it to flash for example. What's to say that there isn't some
>>>>>>> verification aspect to this post-processing that checks if the file is
>>>>>>> intact a valid movie and if not removes it.
>>>>>>>
>>>>>>> If you could for example demonstrate that the file was indeed
>>>>>>> persistent, by being able to retrieve it for example then again, you would
>>>>>>> have solid ground to claim an issue however your claims at this point are
>>>>>>> based on an assumption.... Let me explain.
>>>>>>>
>>>>>>> 1. You have demonstrated than you can send "any" file to an API and
>>>>>>> the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>
>>>>>>> 2. You / we don't know what Google do with files once they have been
>>>>>>> received from the API - maybe they process them and validate them - we
>>>>>>> simply don't know.
>>>>>>>
>>>>>>> 3. You have hypothesized that you can retrieve the file by
>>>>>>> manipulating tokens etc and you may be right, but you have not demonstrated
>>>>>>> it as such.
>>>>>>>
>>>>>>> Because of this, you seem to have made a CLAIM that you can upload
>>>>>>> arbitrary files to Google however SHOWN that you can simply send files to
>>>>>>> an API and an API responds in a certain way.
>>>>>>>
>>>>>>> I am NOT saying you haven't found an issue, what I am saying is that
>>>>>>> you need to demonstrate that the issue is real and thus can be abused. If
>>>>>>> the Google service simply verifies all uploaded files once they are
>>>>>>> uploaded and discards them if invalid, then you haven't really found
>>>>>>> anything.
>>>>>>>
>>>>>>> If you were to prove that you were able to retrieve this uploaded
>>>>>>> file then how could anyone dispute your bug.
>>>>>>>
>>>>>>> Hope this helps....
>>>>>>>
>>>>>>> Cheers!
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ