03-09-2012, 03:14 PM #1 InfoSec Consultant
Gmail XSS vulnerability through Content Sniffing
Hi all,
A few months ago I found this vulnerability, which was reported to Google and patched (basically my way into the Google Hall of Fame).
Product: Gmail.com
Setup: Windows XP SP3 with IE 7.0 (Google Chrome Frame installed)
Vulnerability: XSS possible using a malicious image as an attachment (works for IE6/7)
Introduction:
The vulnerability was in www.gmail.com, which can be used to send emails. We can send images as attachments to any user. By creating a malicious image file and attaching it to a mail, an attacker can exploit this vulnerability, which can lead to complete compromise of the account by stealing the mail receiver's cookies.
Gmail was not validating the contents of uploaded image files, which can lead to XSS by including JavaScript in image files. The following screenshots demonstrate the complete attack vector.
Basically, this attack was at first limited to IE 6/7, but after some research I was able to bypass the IE8/9/10 protection, which we presented at NullCon 2012. A detailed paper on the same will be published soon here on g4h.
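A defender-side check for this class of bug, added here as an illustration and not code from Gmail or from the poster: it verifies that an upload's bytes really match the declared image type and that the prefix a legacy sniffer inspects carries no HTML markers, and it builds the response headers (nosniff, attachment disposition) that stop a browser from rendering the attachment as a document. The sniff window size, the marker list and the sample bytes are assumptions constructed for the example.

```python
import re

# Magic-byte signatures for the image types this example accepts.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tags a legacy MIME sniffer (IE 6/7) keys on when deciding "this is HTML".
# Assumed list; tune for the sniffers you must defend against.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|object|embed|img|table|div|title|plaintext|pre)\b",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256  # assumed size of the leading-bytes window a sniffer inspects


def validate_image_upload(declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload claiming to be `declared_type`."""
    sigs = MAGIC.get(declared_type)
    if sigs is None:
        return False, "unsupported content type"
    # An HTML file renamed to .png fails here: its first bytes are '<', not a PNG header.
    if not data.startswith(sigs):
        return False, "magic bytes do not match declared type"
    # A real image header followed by HTML is the content-sniffing trick:
    # the sniffer sees the markup inside its window and renders the file as a page.
    if HTML_MARKERS.search(data[:SNIFF_WINDOW]):
        return False, "HTML markup in sniffable prefix"
    return True, "ok"


def attachment_response_headers(declared_type: str, filename: str) -> dict:
    """Headers for serving a stored attachment: nosniff (honoured by IE8+) so the
    declared type is trusted, plus attachment disposition so it is downloaded, not rendered."""
    return {
        "Content-Type": declared_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }


# Constructed samples: a tiny real GIF header, a GIF header with HTML appended,
# and plain HTML uploaded under an image type.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 20
TROJAN_GIF = b"GIF89a" + b"<html><script>1</script></html>"
FAKE_PNG = b"<html><script>1</script></html>"
```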
03-09-2012, 05:45 PM #2 Security Researcher
One of the very critical vulnerabilities, since it was affecting webmails, and a cool discovery.
Hacking Is a Matter of Time Knowledge and Patience
03-09-2012, 06:38 PM #3 Security Analyst
Simply awesome!!
And a critical one. Great work by 4N1L, bro.
The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison
03-09-2012, 09:29 PM #4 Garage Newcomer
Great!! Good one.
03-13-2012, 02:24 PM #5 Security Researcher
I am seriously asking the admin: when are we making a section called Google Advisories? :P ...
03-13-2012, 03:47 PM #6 Web Security Consultant
And here comes the most awaited PoC ... Gmail Content Sniffing Bypass.
Nice work, Anil.
Cheers,
AMol NAik
03-13-2012, 07:27 PM #7 Security Researcher
[S] Yeah man, we should seriously have that; will set it up by tonight.
03-14-2012, 06:58 PM #8 Network Security Administrator
Good one, Anil.
Microsoft should have learned about file processing with IE7 itself, which they failed to, but managed to process appropriately the type of file the browser encounters with IE9.
Check --> Text File Redirection [All versions below IE9] doesn't process the type of file correctly.
"Free software" is a matter of liberty, not price. To understand the concept, you should think of "free" as in "free speech," not as in "free beer."