Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Google vulnerabilities with PoC

From: Julius Kivimäki <julius.kivimaki () gmail com>
Date: Fri, 14 Mar 2014 01:06:10 +0200
Look, you keep calling it a "vulnerability" with 0 evidence that it's even
exploitable. Until you can prove otherwise this is like speculating the
potential security repercussions of uploading files to EC2 (Which would
probably have potential to be much more severe than what you're discussing
here since javascript uploaded to ec2 could actually get executed by
someones browser)

You keep throwing around keywords like OWASP, OSI, "security best
practices" as if they actually make a difference here. Truth is there's no
reason to believe that what you have discovered here is exploitable. This
mostly seems like a desperate attempt of getting money off of google and
your name in some publication shitty enough to not do any fact checking
(eg. softpedia) .


2014-03-13 21:48 GMT+02:00 Nicholas Lemonias. <lem.nikolas () googlemail com>:


Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything
you may, or may not be qualified to question amazes. But everyone's opinion
is of course respected.

I normally don't provide security lessons via e-mail and full-disclosure,
however you seem not to understand the security report fully and some core
principles. If you can't see what information security best practises, the
OSI/network model and self-automata propagation has anything to do with
arbitrary write permissions to a remote network leveraging from the
application layer, then me and you have nothing to talk about.

As for the exploitability of this vulnerability, you will never know until
you try. And we have tried it , and seem to know better.

I suggest you read the report again.

Thank you.


---------- Forwarded message ----------
From: Nicholas Lemonias. <lem.nikolas () googlemail com>
Date: Thu, Mar 13, 2014 at 7:47 PM
Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
To: Julius Kivimäki <julius.kivimaki () gmail com>


Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything
you may, or may not be qualified to question amazes. But everyone's opinion
is of course respected.

I normally don't provide security lessons via e-mail and full-disclosure,
however you seem not to understand the security report fully and some core
principles. If you can't see what information security best practises, the
OSI/network model and self-automata propagation has anything to do with
arbitrary write permissions to a remote network leveraging from the
application layer, then me and you have nothing to talk about.

As for the exploitability of this vulnerability, you will never know until
you try. And we have tried it , and seem to know better.

I suggest you read the report again.

Thank you.



On Thu, Mar 13, 2014 at 7:02 PM, Julius Kivimäki <
julius.kivimaki () gmail com> wrote:


I don't see what OSI model has to do with anything here. Why is arbitrary
file upload to youtube CDN any worse than to google drive CDN? And how will
your "self-executing encrypted virus like Cryptolocker" end up getting
executed anyways? And cryptolocker was definitely not "self-executing", but
spread via email attachments (excluding the boring USB spread
functionality).

What you have here is not a vulnerability, just give up. And stop trying
to get "journalists" like Eduard Kovacs to spread your BS.

2014-03-13 19:10 GMT+02:00 Nicholas Lemonias. <lem.nikolas () googlemail com

:


Hello Julius,


I appreciate your interest to learn more. OWASP is quite credible, and
has gained some international recognition. It is a benchmark for many
vendors. I suggest you to read on OSI/7-Layer Model. A website may disallow
uploads of certain file types for security reasons, and let's assume at the
application layer. If we manage to get past the security controls, that
means  we can write unrestrictedly any type of file to the remote network.
That also means that we get past their firewall, since the communication is
through HTTP (port 80). CDN nodes are deployed to multiple colocation
(thousands of nodes and thousands of servers across the world). The files
(let's say a self-executing encrypted virus like Cryptolocker? ) are cached
deeply in the network across thousands of servers.


On Thu, Mar 13, 2014 at 5:07 PM, Nicholas Lemonias. <
lem.nikolas () googlemail com> wrote:


Hello Julius,

I appreciate your interest to learn more. OWASP is quite credible, and
has gained some international recognition. It is a benchmark for many
vendors. I suggest you to read on OSI/7-Layer Model. A website may disallow
uploads of certain file types for security reasons, and let's assume at the
application layer. If we manage to get past the security controls, that
means  we can write unrestrictedly any type of file to the remote network.
That also means that we get past their firewall, since the communication is
through HTTP (port 80). CDN nodes are deployed to multiple colocation
(thousands of nodes and thousands of servers across the world). The files
are cached deep in the network structures to thousands of servers.


On Thu, Mar 13, 2014 at 4:20 PM, Julius Kivimäki <
julius.kivimaki () gmail com> wrote:


OWASP is recognized worldwide, so is CEH and a bunch of other morons.
That doesn't mean their publications are worth anything. Now tell me, why
would arbitrary file upload on a CDN lead to code execution (Besides for
HTML, which you have been unable to confirm)?


2014-03-13 18:16 GMT+02:00 Nicholas Lemonias. <
lem.nikolas () googlemail com>:

*You are wrong about accessing the files. What has not been confirmed

is remote code execution. We are working on it.*
*And please, OWASP is recognised worldwide... *

*Files can be accessed through Google Take out with a little bit of
skills.*

*https://www.google.com/settings/takeout
<https://www.google.com/settings/takeout> *




On Thu, Mar 13, 2014 at 4:09 PM, Julius Kivimäki <
julius.kivimaki () gmail com> wrote:


Did you even read that article? (Not that OWASP has any sort of
credibility anyways). From what I saw in your previous post you are both
unable to execute the files or even access them and thus unable to
manipulate the content-type the files are returned with, therefore there is
no vulnerability (According to the article you linked.).

BTW, you should look for more cool vulnerabilities in amazons EC2,
I'm sure you will find some "Unrestricted File Upload" holes.


2014-03-13 16:18 GMT+02:00 Nicholas Lemonias. <
lem.nikolas () googlemail com>:

Here is your answer.

https://www.owasp.org/index.php/Unrestricted_File_Upload


On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki <
julius.kivimaki () gmail com> wrote:


When did the ability to upload files of arbitrary types become a
security issue? If the file doesn't get executed, it's really not a
problem. (Besides from potentially breaking site layout standpoint.)


2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. <
lem.nikolas () googlemail com>:


Google vulnerabilities uncovered...



http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/






















_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: