24.05.2012

HitB2012AMS: Killing a Bug Bounty Program ‐ TWICE

By: Frank Breedijk. Categories: Events and Conferences, Security

Oops! – A CC image by Neal.

By Itzhak ‘zuk’ Avraham (Founder, zimperium) & Nir Goldshlager (Senior Researcher, zimperium)

If you are trying to find bugs in standard services with standard tools, you will not succeed, because somebody else has probably done it before you. This talk is about how to find the bugs other people did not find before you.

There are several bug bounty programs:

  • 1995 – Netscape
  • 2004 – Firefox
  • 2005 – ZDI
  • 2007 – Pwn2Own
  • 2010 – Google
  • 2011 – Facebook

The first step in finding good bugs that are worth a bounty is “Know your enemy”: both the system you are trying to find the bug in and your fellow bug hunters.

Look for things like untested services and multi-vector vulnerabilities.

A good place to start is technology that was recently purchased by Google. New services are tested less than the established services. And last year, Google purchased about 1 company every week.

A lot of information about Google can be found via Google, e.g. the companies it recently took over and the error messages people got when they used Google’s services.

First new bug: Google Calendar error based XSS

First the researcher created a calendar with the XSS payload in the calendar name. This is self-XSS: it only shows up in my own account. But Google allows you to share calendars. However, the XSS is only exploitable if the user deletes the calendar 1-5 times.

So how do we get a user to delete a calendar? Calendar SPAM. Send a user 100 calendars and he is bound to delete one multiple times.

Google Analytics – Stored XSS

In-page analytics doesn’t escape incoming requests. How can this be used to own the web admin’s computer?

Two creative ways:

  • In-page analytics – When the user logs in
  • Sharing – Infecting ourselves and sharing our analytics with the victim

Both attacks are demonstrated.

Google FeedBurner Stored XSS

The feed title in FeedBurner is susceptible to XSS. At first glance it is escaped, but the title is used in multiple places, e.g. the subscribe page (not vulnerable) and the unsubscribe page (vulnerable via the “are you sure” dialog).

Can be exploited in two ways:

  • Target subscribes and unsubscribes
  • Spamming an unsubscribe link
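The FeedBurner finding is a stored value that is encoded in one view and not in another. The following is an added example, not code from the talk or from Google: a regression check that pushes an inert canary through every view that renders the title and lists the sinks that return it unescaped. The view names, templates and canary string are constructed for illustration.

```javascript
// Minimal HTML text encoder for the five markup-significant characters.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
}[c]));

// Every place the stored feed title is rendered (hypothetical view names).
const views = {
  subscribePage: (feed) => `<h1>Subscribe to ${escapeHtml(feed.title)}</h1>`,
  // The rarely exercised confirmation dialog forgot to encode the title.
  unsubscribeConfirm: (feed) =>
    `<div class="dialog">Are you sure you want to unsubscribe from ${feed.title}?</div>`,
};

// Same views with the dialog corrected.
const hardenedViews = {
  ...views,
  unsubscribeConfirm: (feed) =>
    `<div class="dialog">Are you sure you want to unsubscribe from ${escapeHtml(feed.title)}?</div>`,
};

// Inert canary (constructed): markup characters plus a unique marker.
const CANARY = `"><canary-7f3a>`;

// Render the canary through every view and report the sinks where it
// comes back with its markup characters intact.
function findUnescapedSinks(viewSet) {
  const feed = { title: CANARY };
  return Object.entries(viewSet)
    .filter(([, render]) => render(feed).includes(CANARY))
    .map(([name]) => name);
}

console.log(findUnescapedSinks(views));
console.log(findUnescapedSinks(hardenedViews));
```

The same check applies to the Calendar and FriendConnect cases above, where the unencoded sink was a delete or unfriend confirmation rather than the main page.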

Google FriendConnect error based XSS

The XSS is not in the friend option, but in the delete/unfriend option. So we need to force the user to delete us as a friend.

Sequence:

  • Friend somebody
  • Change our name to AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA…. “><XSS Payload>
  • Spam the user so he hates us
  • User unfriends
  • XSS occurs in the confirmation dialog

Google Knol – Permission bypass

Normally a user can view an unpublished document, but if the user uses the Knol translator tool, the document is accessible with the (unlimited) privileges of the translator.

Google affiliate network – Stored XSS + Admin privileges

Two goals:

  • XSS an account
  • Gain Administrator privileges

The first bug is simple. By changing the LinkId field in the URL you can see and edit other people’s links. By editing the links you can execute XSS on other people’s accounts.

The second attack does not require XSS. The affiliate application allows you to manipulate the UserID and Email fields and change some other user’s email address. Awarded with a $3133,7 bounty.
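Both affiliate network bugs come down to the server acting on an identifier supplied by the client without checking it against the logged-in user. An added example, not code from the talk or from Google, showing each weak handler beside a checked one; the store, handler names and sample data are constructed.

```javascript
// Constructed in-memory data; handler names are hypothetical.
function makeStore() {
  return {
    links: new Map([
      [101, { ownerId: "alice", url: "https://example.com/a" }],
      [102, { ownerId: "bob", url: "https://example.com/b" }],
    ]),
    emails: new Map([["alice", "alice@example.com"], ["bob", "bob@example.com"]]),
  };
}

// Weak: the LinkId from the URL is the only thing that selects the record.
function editLinkWeak(store, session, linkId, url) {
  const link = store.links.get(linkId);
  if (!link) return 404;
  link.url = url;
  return 200;
}

// Checked: the record must belong to the session's user, and the new
// value must parse as an https URL before it is stored.
function editLinkChecked(store, session, linkId, url) {
  const link = store.links.get(linkId);
  // Same answer for "missing" and "not yours" so ids cannot be enumerated.
  if (!link || link.ownerId !== session.userId) return 404;
  let parsed;
  try { parsed = new URL(url); } catch { return 400; }
  if (parsed.protocol !== "https:") return 400;
  link.url = parsed.href;
  return 200;
}

// Weak: trusts the UserID field sent with the request.
function changeEmailWeak(store, session, body) {
  store.emails.set(body.userId, body.email);
  return 200;
}

// Checked: the account is taken from the session; a mismatching UserID
// in the request is rejected instead of silently honoured.
function changeEmailChecked(store, session, body) {
  if (body.userId !== undefined && body.userId !== session.userId) return 403;
  store.emails.set(session.userId, body.email);
  return 200;
}

const demo = makeStore(), alice = { userId: "alice" };
console.log(editLinkWeak(demo, alice, 102, "https://example.com/x"));    // bob's link edited
console.log(editLinkChecked(demo, alice, 102, "https://example.com/y")); // refused
```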

Google Picnik – Local file inclusion
Picnik.com seems to be Secure.

By brute force the domain name vpn.picknik.com was found. It seems that somebody installed phpList there by mistake, and an old version as well, with the default password. Using well-known vulnerabilities it was possible to take over the entire server. Again awarded with a $3133,7 bounty.

Conclusion

It is not about 0-days, but:

  • Out of the Box thinking
  • Think differently
  • Information gathering
  • Mixed services
  • Permissions

Materials available from conference.hitb.org/hitbsecconf2012ams/materials/

Encore: Blogger HPP

As an encore, the guys demonstrated an HTTP Parameter Pollution (it’s not dead) attack to get administrator rights to any Blogger account.

ABOUT ITZHAK ‘ZUK’ AVRAHAM

Itzhak Avraham (Zuk) is a Security Expert who has done a wide variety of vulnerability assessments. Zuk worked at the IDF as a Security Researcher. Proud Founder of zImperium, from the creators of ANTI (Android Network Toolkit). He’s a proud holder of a SVC card that is in the possession of elite researchers such as Matt Swich and really dislikes writing about himself in the third person. Zuk can be found on his personal hacking related blog at imthezuk.blogspot.com & on Twitter as @ihackbanme

ABOUT NIR GOLDSHLAGER

Nir Goldshlager – Nir is a known security researcher with more than 12 years of extreme web applications assessments. Nir found many high vulnerabilities in every big-scale website that exists today (Google, Paypal, Ebay, Twitter, Amazon, etc). Nir is also listed in Google Security Sustained Support for many bug findings. Nir is a Senior Researcher at zImperium. Nir can be found on Twitter @Nirgoldshlager and on his personal blog: www.nirgoldshlager.com
