Archive for September, 2007

Thursday, September 20th, 2007

BK for Mayor of Oak Tree View

I’m excited about Google Docs… although there is NO WAY you could convince me to upload my sensitive documents to a Google server, I’m still very interested in seeing how Google’s engineers tackle the security issues with online document sharing.  Security for online collaboration tools is TOUGH; every online collaboration tool I’ve ever assessed has had major issues.

    
So I made my way to docs.google.com to see what the hype is all about.  I found the link for “Watch a Video” on the login page.  I like Google’s videos and this one did not disappoint.  About half way through the video (1:60), I saw something that made me put my beer down… a link to a Google Document.

   

[Image: link to the Google Doc shown in the video]

Being the curious sort, I entered the link into my browser address bar.  I was surprised to see the following document:

   

[Image: the Oak Tree View newsletter]

    

Now, being able to view someone else’s document is pretty bad… but this is a demo… maybe they WANT everyone to see this document… that’s understandable.  So what happened next REALLY surprised me…  I clicked on the “Edit this page” link, entered my creds… and lo and behold…  I had full rights to edit/modify the Oak Tree View newsletter! 

   

[Image: full edit rights on the newsletter]

I was planning on using the Oak Tree View newsletter to launch my campaign for Mayor of Oak Tree View, but I decided against modifying the page, as I’m not interested in pwning Sam’s pretty little newsletter.  I’m sure she’s not interested in what I have to say about Oak Tree View….

 Access Control?

Posted by xssniper | Filed in Security, Web Application Security | 5 Comments »

 

Tuesday, September 18th, 2007

The Old Dog and his Old Tricks (Part I)

Let’s say I found a CSRF that allows me to hijack your Gmail account to send an email from you to another Gmail user… would you consider it a risk?  Well, the good news is I don’t have a CSRF to send out email from your Gmail account, but the bad news is I don’t need CSRF (or any other exploit) to send an email from your Gmail account.

    
Using Google’s SMTP servers, I can send an email from any Gmail (or @google.com) account to any other Gmail email address.  The process is simple… and is shown in the images below (addresses masked to slow the kiddies).

[Images: the telnet session to Google’s SMTP server, the mail message as typed, the delivered email, and its headers]

   

This is NOT a vulnerability in Google’s infrastructure… it’s merely how SMTP was DESIGNED to work.  The envelope sender (MAIL FROM) and the From: header are both supplied by the connecting client, and nothing in the protocol asks the client to prove it owns either one.  This same procedure works on other SMTP servers as well.  Many of the old protocols (like SMTP) that we continue to use every day are inherently insecure.  My favorites are DNS, SMTP, and ARP.  Many of the exploits based on these protocols aren’t really even exploits… they are simply an abuse of functionality intentionally built into the protocol!
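The exchange in the screenshots above, written out as an added example (this is not code from the original post and has nothing to do with Google’s servers).  The “server” is a minimal SMTP receiver state machine, the “client” is the list of lines a person types into telnet, and nothing touches the network.  Every host name, mailbox and the 198.51.100.7 client IP is constructed for the demo.

```python
import re
from email import message_from_string

SERVER_HOST = "mx.example.test"   # constructed: the receiving MTA
CLIENT_IP = "198.51.100.7"        # constructed: the box the telnet session comes from


def smtp_server(commands, client_ip=CLIENT_IP, hostname=SERVER_HOST):
    """Replay client command lines through a minimal SMTP receiver (RFC 5321).

    Returns (transcript, messages): the full C:/S: dialogue and every message
    the server accepted, its text prefixed with the Received: header the server
    stamps on. Nothing here checks that the client may use the MAIL FROM address
    or the From: header; the only fact the server adds itself is client_ip.
    """
    transcript = [f"S: 220 {hostname} ESMTP"]
    messages = []
    state = "start"            # start -> ready -> mail -> rcpt -> data -> ready
    helo = None
    envelope = {"mail_from": None, "rcpt_to": []}
    body = []

    def reply(text):
        transcript.append(f"S: {text}")

    for line in commands:
        transcript.append(f"C: {line}")
        if state == "data":
            if line == ".":
                received = f"Received: from {helo} ([{client_ip}]) by {hostname} with SMTP"
                envelope["data"] = received + "\r\n" + "\r\n".join(body)
                messages.append(envelope)
                envelope, body, state = {"mail_from": None, "rcpt_to": []}, [], "ready"
                reply("250 2.0.0 OK: queued")
            else:
                # RFC 5321 4.5.2: the client doubles a leading '.', the server strips one
                body.append(line[1:] if line.startswith(".") else line)
            continue

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo, state = arg, "ready"
            reply(f"250 {hostname}")
        elif verb == "MAIL" and state == "ready":
            m = re.fullmatch(r"FROM:<([^>]*)>", arg, re.IGNORECASE)
            if m:
                envelope["mail_from"], state = m.group(1), "mail"
                reply("250 2.1.0 OK")       # taken at face value, no proof requested
            else:
                reply("501 5.5.4 Syntax: MAIL FROM:<address>")
        elif verb == "RCPT" and state in ("mail", "rcpt"):
            m = re.fullmatch(r"TO:<([^>]*)>", arg, re.IGNORECASE)
            if m:
                envelope["rcpt_to"].append(m.group(1))
                state = "rcpt"
                reply("250 2.1.5 OK")
            else:
                reply("501 5.5.4 Syntax: RCPT TO:<address>")
        elif verb == "DATA" and state == "rcpt":
            state = "data"
            reply("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        elif verb in ("MAIL", "RCPT", "DATA"):
            reply("503 5.5.1 Bad sequence of commands")
        else:
            reply("500 5.5.2 Command not recognized")
    return transcript, messages


def telnet_session(envelope_from, header_from, rcpt_to, subject, text,
                   helo="laptop.example.net"):
    """The lines a person types into `telnet <mx> 25` to send mail as someone
    else. Both sender fields are simply asserted by the client."""
    stuffed = ["." + ln if ln.startswith(".") else ln for ln in text.splitlines()]
    return [
        f"HELO {helo}",
        f"MAIL FROM:<{envelope_from}>",   # envelope sender: where bounces go
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        f"From: {header_from}",           # header sender: what the mail client displays
        f"To: <{rcpt_to}>",
        f"Subject: {subject}",
        "",                               # blank line ends the headers
        *stuffed,
        ".",
        "QUIT",
    ]


def message_facts(message_text):
    """What a recipient can actually rely on: the connecting IP recorded in the
    receiving MTA's own Received: header, set beside the client-chosen From:."""
    msg = message_from_string(message_text)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg["Received"] or "")
    return {"received_ip": m.group(1) if m else None, "header_from": msg["From"]}


def demo():
    """Send as a constructed 'ceo@victim.example' from an unrelated machine."""
    commands = telnet_session(envelope_from="ceo@victim.example",
                              header_from="The CEO <ceo@victim.example>",
                              rcpt_to="staff@victim.example",
                              subject="Not actually from the CEO",
                              text="This message was typed into telnet.\n.signed")
    return smtp_server(commands)


if __name__ == "__main__":
    transcript, accepted = demo()
    print("\n".join(transcript))
    print(message_facts(accepted[0]["data"]))
```

Run it and read the transcript: the server refuses commands that arrive out of order (DATA before RCPT gets a 503) but never questions who the sender claims to be.  The one line it writes on its own is the Received: header with the connecting IP, which is why reading headers (and, later, bolt-ons like SPF and DKIM, both published as RFCs by 2007) is where the defence ends up; the protocol itself hands the receiver nothing to check.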

    

How could we let things get so bad?  Why should I be ALLOWED to send an email on your behalf, sending colorful messages to other Gmail users?  Honestly….  I don’t know… what I do know… is instead of fixing the underlying protocol (which is painful, costly, and resource intensive) we’ve “bolted on” temporary fixes like spam filters to help us “fix” the issues with the underlying protocol.  After a while… we get used to having these “bolt-ons” and the temporary fixes become permanent fixes and the underlying protocol remains vulnerable to simple attacks like this one.

    

I know what you’re saying…. “SMTP was created in the wild wild west… times have changed… that will NEVER happen again!”  The sad thing is… we’re starting to see the same things happening to HTTP.  Just as SMTP admins have turned to spam filters and other appliances to make up for the shortcomings of SMTP, we are now seeing that many are turning to application firewalls to make up for the shortcomings of HTTP and poor coding practices.  There are some that claim that application firewalls are a great “temporary fix”, and they probably are!  Just as spam filters were a temporary fix for SMTP abuses!

      

Posted by xssniper | Filed in Security | 14 Comments »

 

Monday, September 10th, 2007

HITB 2007!

I’m back from HITB in Malaysia!  HITB was held in Kuala Lumpur, Malaysia from September 3rd – 6th.  The conference was AWESOME.  Dhillon really outdid himself this year.  The talks were awesome and the company was second to none.  You can find the slides for all the talks (including our slides on DNS rebinding with Java Applets) here.  Dhillon will be posting links to the VIDEOS in December!

   

It was a truly amazing experience to sit down and have a beer (or two) with the likes of Phiber Optik, Emmanuel Goldstein, Window Snyder, Andrew Cushman, Mikko, Lance Spitzner, fx and many many others.   

   
All the talks I attended were great, but I particularly enjoyed:

  • Rise and Fall of Info Sec in the Western World – Phiber Optik - Listening to Phiber Optik talk about pwning a major corporation live for the audience during a conference he was speaking at was sweet.
  • The Evolution of Hacking – Emmanuel Goldstein - Listening to some old skool hacks is always fun and brings back memories of 300 baud modems and Wildcat BBSes…
  • SCADA (in)Security – Raoul and Alessio - I’m EXTREMELY interested in SCADA systems and the security surrounding them.  There are basically a handful of SCADA security experts around the world and Raoul and Alessio are two of the best.
  • Exploiting the Intranet with a Webpage – Martin Johns - It was nice to hear about DNS rebinding from the guy who basically brought DNS rebinding back from dead!
  • Locks, Lies, and Liability – Mark Tobias and the TOOOL USA - Watching these guys pick apart “high security” locks was pretty scary… especially when I saw a few locks we used in the Marine Corps in the speaker slides!
  • Online Crime and Crime online – Mikko Hypponen - It seems that Mikko is VERY well connected to the underground.  Not only did he describe (in crystal clear detail) how the general Internet population is getting pwnd, he showed exactly where all the action is taking place!

During our talk, we mentioned that we would post the details of a recent Picasa URI vulnerability (which will be patched in next version of Picasa).  We’ll have the details, screenshots, and a dedicated POST up in a few days.

  

In closing, I would like to thank Dhillon for inviting me out to HITB 2007 and the wonderful country of Malaysia.  It was an amazing experience and everyone (including the street vendors in China Town) was a gracious host!

Posted by xssniper | Filed in Security | 3 Comments »