Monday, August 20th, 2007

Say Cheeeeeese!

We’ve received a lot of email about the recent Slashdot article, which spoke about additional URI vulnerabilities discovered by Nate and me.  Most of the emails ask why we haven’t posted the details of the flaw… well, today is your lucky day… kinda… While we’re not going to post the exact details of the vulnerability until Google has had some time to fix the issues (they have been contacted), we will give you a high level summary of the issue.


This particular issue involves Google’s Picasa.  As you probably know, Picasa is used to organize and touch up photos by adding various effects.  What you probably didn’t know is… Picasa registers a URI (picasa://) in the Windows registry.  This URI is used to extend the functionality of Picasa in many ways and it’s this functionality that we are abusing.  By abusing the registered URI, it is possible to steal the images that have been loaded into Picasa.  For some this may not be a big deal… but for others, this may represent a HUGE privacy risk.  From a security researcher standpoint, this vulnerability is unique in that it doesn’t require ANY restricted characters to be passed in the URI.  This makes it virtually impossible for a browser to filter the URI to prevent this attack.  In fact, if the browser did somehow stop this attack, it would probably break this particular piece of functionality offered by Picasa (albeit it is really insecure functionality and should probably be removed anyway)!


Nate and I have become extremely interested in what we call “Functionality based URI exploitation”, which involves abusing the functionality intentionally placed within software that is made remotely accessible through registered URIs.  These vulnerabilities are nearly impossible to detect through automated tools and typically require an experienced blackbox effort, as most of the functionality offered by registered URIs is poorly documented and the software is typically closed source.  We’re ALWAYS up for the challenge though… 
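The `picasa://` registration described above is one instance of a general Windows mechanism: a key under HKEY_CLASSES_ROOT carrying a `URL Protocol` value, whose `shell\open\command` is launched with the URI. As an added example (not from the original post or its authors), this Python script inventories such handlers from a registry export so the exposed applications can be reviewed; the sample data and the `exampleapp` scheme are constructed.

```python
import re

# Constructed sample in the text format of a `reg export` of HKEY_CLASSES_ROOT
# (real exports are UTF-16; decode before parsing). "exampleapp" is hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exampleapp]
@="URL:ExampleApp Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\exampleapp\shell\open\command]
@="\"C:\\Program Files\\ExampleApp\\app.exe\" \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    # Undo .reg string quoting: drop the outer quotes, then unescape \\ and \"
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s

def parse_reg(text):
    """Map each lower-cased key path to its {value name: data}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := VAL_RE.match(line)):
            name = "" if m.group(1) == "@" else _unquote(m.group(1)).lower()
            current[name] = _unquote(m.group(2))
    return keys

def uri_handlers(text, root="hkey_classes_root"):
    """Return {scheme: (command, passes_uri)} for keys that carry a "URL Protocol" value."""
    keys, found = parse_reg(text), {}
    for path, values in keys.items():
        parent, _, scheme = path.rpartition("\\")
        if parent == root and "url protocol" in values:
            cmd = keys.get(path + r"\shell\open\command", {}).get("", "")
            found[scheme] = (cmd, "%1" in cmd)
    return found

if __name__ == "__main__":
    for scheme, (cmd, passes_uri) in uri_handlers(SAMPLE_REG).items():
        print(f"{scheme}:// -> {cmd} (receives URI: {passes_uri})")
```

Handlers reported with `passes_uri` set hand the full URI string to the application, so each one is functionality that any web page can invoke and is worth reviewing or unregistering if unused.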


If functionality based URI exploitation isn’t your cup of tea… you’ll probably be happy to know that Picasa also has some overflow and “cross application scripting” issues… These issues are VERY serious as well, but we found the functionality abuse especially interesting.


On a final note, I wanted to personally thank Rob Carter for all his work on this issue.  While Nate and I put the attack together from a conceptual standpoint and provided the foundation for the attack, Rob was the guy who basically wrote the code to make this vulnerability “real”.  The attack is fairly complicated but Rob has a solid understanding of each step and it shows in the PoC!  THANKS ROB!

Posted by xssniper | Filed in Security

2 Responses to “Say Cheeeeeese!”

  1. August 20th, 2007 at 5:20 am

    Giorgio Maone said:

    Hi Billy,
    have you got any validating regular expression to be put in noscript.urivalid.picasa to prevent the cross-application scripting or the buffer overflow at least?

    If you’ve got no time for this, could you please just provide me with a sneak peek of the PoC, so I can try to infer a validating filter?

    Many thanks :)

  2. September 21st, 2007 at 2:27 pm

    me said:

    are you going to make some details public soon or is this all a hoax?
