Full Disclosure mailing list archives
Re: Google vulnerabilities with PoC
From: Mario Vilas <mvilas () gmail com>
Date: Fri, 14 Mar 2014 10:37:11 +0100
On Thu, Mar 13, 2014 at 10:30 PM, Nicholas Lemonias. < lem.nikolas () googlemail com> wrote:
We confirm this to be a valid vulnerability for the following reasons. The access control subsystem is defeated, resulting to arbitrary write access of any file of choice. 1. You Tube defines which file types are permitted to be uploaded.
And...?
2. Exploitation is achieved by circumvention of web-based security controls (namely http forms, which is a weak security measure). However, exploitation of the issue results to unrestricted file uploads (any file of choice ). Remote code execution may be possible either through social engineering , or by stochastically rewriting an existing file-structure in the CDN.
So in ohter words, you haven't proven it. The upload in itself is not a vulnerability (and if you understood that it is, please read again that OWASP document).
3. This directly impacts the integrity of the service since modification of information occurs by circumvention. Renaming the uploaded files can be achieved through YouTube's inherent video manager.
How does it impact the integrity? Again, unexpected functionality does not necessarily equal exploitation.
4. Denial of Service attacks are feasible since we bypass all security restrictions. This directly impacts the availability of the service.
Not proven either. At this point I feel you're just making stuff up. All you did was upload stuff you can't download afterwards.
5. Malware propagation is possible, if the planted code get's executed through social engineering or by re-writing a valid file system structure.
Again, you need to be able to download the stuff you uploaded, and have it executed directly. Otherwise you could do the same thing more efficiently with Google Drive.
6) All uploaded files can be downloaded through Google Take Out, if past the Content ID filtering algorithm (through file header obfuscation and encryption).
You need to explain how that is an attack vector.
Best Regards, Nicholas Lemonias Advanced Information Security Corp. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Google vulnerabilities with PoC, (continued)
- Re: Google vulnerabilities with PoC Michal Zalewski (Mar 13)
- Re: Google vulnerabilities with PoC Mario Vilas (Mar 14)
- Re: Google vulnerabilities with PoC Alfredo Ortega (Mar 14)
- Re: Google vulnerabilities with PoC Pedro Ribeiro (Mar 13)
- Re: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 13)
- Re: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 13)
- Re: Google vulnerabilities with PoC Pedro Ribeiro (Mar 14)
- Re: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 13)
- Re: Google vulnerabilities with PoC Gichuki John Chuksjonia (Mar 15)
- Re: Google vulnerabilities with PoC Mario Vilas (Mar 14)
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Chris Thompson (Mar 14)
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC J. Tozo (Mar 14)