
Full Disclosure mailing list archives

Re: Fwd: Google vulnerabilities with PoC
From: "J. Tozo" <juniorbsd () gmail com>
Date: Fri, 14 Mar 2014 21:25:40 -0300

Hey dude, just give up!

You can convince a lot of journalists without professional skills, but if
you can't convince Google or at least the community, you are doing it wrong.
By the way, you can upload anything to YouTube just by tricking the file's
magic number, but you can't retrieve it back. So what?

How can you be sure that your "proof" isn't just a log from the application?

If you have the expertise you claim, I have a challenge for you:

http://upload.youtube.com/?authuser=0&upload_id=AEnB2Uox6eWMN_LyrVQZdsCdQkDezvvNwpthROQn1SRe7idjqRFiez7SKVMd1t-rkCb7_CalkGc2oOJmdrnfxho2FNQt5aIjQw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw

It's not a 3GP file; it just has the magic number. If you retrieve the contents
of that file and show them to us, I will start agreeing with you that it can
be a security issue.
Otherwise stop annoying everyone, get back to your desk and do your job.



On Fri, Mar 14, 2014 at 5:27 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:

In my expertise, that is a vulnerability.

Now if Google doesn't want to patch that, it's their choice. However, I
have already disclosed that to them.




On Fri, Mar 14, 2014 at 8:25 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:

So where do you think that information is coming from? The metadata, tags
and headers are contained in a database.

The files are stored persistently, since they can be quoted. So the API
works both ways. The main thing here is that the files are there; otherwise
their metadata would be deleted from the db as well.

http://gdata.youtube.com/demo/index.html?utm_source=twitterfeed&utm_medium=twitter

The YouTube Data API is unique. The commands can be sent through that
interface, so we definitely know that this is coming from a database.
That same video id can be queried through the above link. Having done so, I
confirmed that the information originates from a direct connection to the
db, where the data are stored.


On Fri, Mar 14, 2014 at 8:20 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:

So where do you think that information is coming from? The metadata, tags
and headers are contained in a database.

The files are stored persistently, since they can be quoted. So the API
works both ways. The main thing here is that the files are there; otherwise
their metadata would be deleted from the db as well.


http://gdata.youtube.com/demo/index.html?utm_source=twitterfeed&utm_medium=twitter

The YouTube Data API is unique. The commands can be sent through that
interface, so we definitely know that this is coming from a database.


On Fri, Mar 14, 2014 at 8:16 PM, Chris Thompson <christhom7851 () gmail com> wrote:

Hi Nicholas,

Again, you hypothesize that you are getting a response from the
database, but you really don't know that. You have no idea what the code is
doing behind the endpoint.

upload.youtube.com is simply an endpoint that you are sending a
request to and getting a response from.

Can you upload a ZIP file, for example, and then get that same ZIP file
from another machine? If you can do that, then who can question your bug?

Again, I'm not trying to be a dick, just trying to help!

Cheers...



On Fri, Mar 14, 2014 at 4:08 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:

My claim is now verified....

Cheers!


On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:

http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw

That information can be queried from the db, where the metadata are
saved. The files are being saved persistently, as per the above example.


On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.nikolas () googlemail com> wrote:


http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw

That information can be queried from the db, where the metadata are
saved. The files are being saved persistently, as per the above example.


On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <christhom7851 () gmail com> wrote:

Hi Nikolas,

Please do read (and understand) my entire email before responding.
I understand your frustration trying to get your message across, but maybe
this will help.

Please put aside professional pride for the time being - I know how
it feels to be passionate about something yet have others simply not
understand.

Let me try and bring some sanity to the discussion and explain to
you why people may not be agreeing with you.

You (rightly so) highlighted what you believe to be an issue in
YouTube whereby it appears (to you) that you can upload an arbitrary file.
If you can indeed do this as you suspect, then your points are valid and you
"may" be able to cause various issues associated with it, such as DoS etc.,
especially if the uploaded files cannot be or are not tracked.

However...

Consider that you are talking to an API, and what you are getting
back (the JSON response) in your example is simply a response from the API
to say the file you uploaded has been received and saved.

Now, as you no doubt know, when you upload a regular movie to
YouTube, once uploaded it goes away and does some post-processing,
converting it to Flash for example. What's to say that there isn't some
verification aspect to this post-processing that checks if the file is
in fact a valid movie and, if not, removes it?

If you could demonstrate that the file was indeed persistent, by
being able to retrieve it for example, then again you would have solid
ground to claim an issue. However, your claims at this point are based on
an assumption.... Let me explain.

1. You have demonstrated that you can send "any" file to an API and
the API returned an acknowledgment of receiving (and saving) the file.

2. You / we don't know what Google do with files once they have
been received by the API; maybe they process them and validate them. We
simply don't know.

3. You have hypothesized that you can retrieve the file by
manipulating tokens etc., and you may be right, but you have not
demonstrated it as such.

Because of this, you seem to have made a CLAIM that you can upload
arbitrary files to Google, but have only SHOWN that you can send files to
an API and that the API responds in a certain way.

I am NOT saying you haven't found an issue; what I am saying is
that you need to demonstrate that the issue is real and thus can be abused.
If the Google service simply verifies all uploaded files once they are
uploaded and discards them if invalid, then you haven't really found
anything.

If you were to prove that you were able to retrieve this uploaded
file, then how could anyone dispute your bug?

Hope this helps....

Cheers!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 
Grato,

J. Tozo
     _
   °v°
  /(S)\    SLACKWARE
   ^ ^           Linux
_____________________
         because it works
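The thread's real dispute is about evidence: Tozo's challenge (a file that carries only the 3GP magic number) and Chris Thompson's criterion (retrieve the same bytes from another machine) are both tests a practitioner can make concrete. The following is an added example, not code from either poster or from Google; it builds a payload that a magic-number sniffer accepts as 3GP, shows how a structural ISO BMFF box walk rejects it, and reduces "is it persisted?" to a digest comparison between what was sent and what came back. The 3GP `ftyp` box layout is standard ISO base media file format; the upload and download themselves are out of scope here and are represented by the bytes handed to `persistence_proof`, which is an assumption of this example rather than anything the thread demonstrates.

```python
import hashlib
import io
import struct
import zipfile
from typing import Optional


def make_box(typ: bytes, body: bytes = b"") -> bytes:
    """Encode one ISO BMFF box: 4-byte big-endian size (header included), 4-char type, body."""
    return struct.pack(">I", 8 + len(body)) + typ + body


def make_ftyp_box(major_brand: bytes = b"3gp4") -> bytes:
    """The 3GP 'magic number': an ftyp box with a 3GP major brand at offset 8."""
    return make_box(b"ftyp", major_brand + struct.pack(">I", 0) + b"3gp4")


def build_zip_payload() -> bytes:
    """Constructed sample payload: a tiny ZIP archive, clearly not video data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "not a video\n")
    return buf.getvalue()


def disguise_as_3gp(payload: bytes) -> bytes:
    """Prepend the 3GP magic number to arbitrary bytes (the trick the thread describes)."""
    return make_ftyp_box() + payload


def recover_payload(data: bytes) -> bytes:
    """Strip the leading ftyp box to get the smuggled bytes back (Tozo's 'retrieve the contents')."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return data[struct.unpack(">I", data[:4])[0]:]
    return data


def naive_sniff_is_3gp(data: bytes) -> bool:
    """A magic-number-only check: fooled by disguise_as_3gp()."""
    return len(data) >= 12 and data[4:8] == b"ftyp" and data[8:11] == b"3gp"


def strict_is_3gp(data: bytes) -> bool:
    """Structural check: top-level boxes must tile the file exactly, start with ftyp,
    have printable 4-char types and sane sizes, and a moov box must be present.
    This is container-level validation only, not a decode of the media."""
    if not naive_sniff_is_3gp(data):
        return False
    n, off = len(data), 0
    saw_ftyp = saw_moov = False
    while off < n:
        if n - off < 8:
            return False
        size, typ = struct.unpack(">I4s", data[off:off + 8])
        if size == 1:  # 64-bit 'largesize' follows the header
            if n - off < 16:
                return False
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
        elif size == 0:  # box runs to end of file
            size = n - off
        if size < 8 or off + size > n:
            return False  # a ZIP's 'PK\x03\x04' parses as an absurd size here
        if not all(0x20 <= b < 0x7F for b in typ):
            return False
        if off == 0 and typ != b"ftyp":
            return False
        saw_ftyp |= typ == b"ftyp"
        saw_moov |= typ == b"moov"
        off += size
    return saw_ftyp and saw_moov


def minimal_structural_3gp() -> bytes:
    """Constructed file that passes the structural walk: ftyp + empty moov + small mdat."""
    return make_ftyp_box() + make_box(b"moov") + make_box(b"mdat", b"\x00" * 16)


def persistence_proof(uploaded: bytes, retrieved: Optional[bytes]) -> dict:
    """Chris Thompson's criterion: an API acknowledgement proves receipt, only
    byte-identical retrieval (ideally from another machine) proves storage."""
    sent = hashlib.sha256(uploaded).hexdigest()
    if retrieved is None:
        return {"sent_sha256": sent, "persisted": False, "reason": "nothing retrievable"}
    got = hashlib.sha256(retrieved).hexdigest()
    return {"sent_sha256": sent, "retrieved_sha256": got, "persisted": sent == got,
            "reason": "byte-identical" if sent == got else "content differs (transcoded, truncated or replaced)"}


if __name__ == "__main__":
    fake = disguise_as_3gp(build_zip_payload())
    print("naive sniff:", naive_sniff_is_3gp(fake), " strict walk:", strict_is_3gp(fake))
    print("recovered ZIP member:", zipfile.ZipFile(io.BytesIO(recover_payload(fake))).read("hello.txt"))
    print("persisted?", persistence_proof(fake, fake)["persisted"], persistence_proof(fake, None)["persisted"])
```

Run as a script it prints that the disguised ZIP passes the naive sniff but fails the structural walk, that the ZIP member is recoverable once the ftyp box is stripped, and that `persistence_proof` only reports `persisted` when the retrieved bytes match the uploaded digest. Substituting the bytes actually fetched from the service for the second argument is what would settle the thread's argument either way.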
