Google Chrome close() issue

Tuesday, July 07, 2009
##############################
Google Chrome close() issue
VENDOR: http://www.google.com/chrome/
article =http://lostmon.blogspot.com/
2009/07/google-chrome-close-issue.html
##############################

Chrome Version : 2.0.172.33 (Build oficial )
URLs (if applicable) :
Other browsers tested:
Safari 4: OK
Firefox 3.x:OK
IE 7: OK
IE 8: OK

What steps will reproduce the problem?

1 - open a web page
2 - navigate to ther page.

Google chrome automatic closes the tab and if we have
only one tab , it closes the process chrome.

What is the expected result?

google chrome don´t close or prompt for close.

What happens instead?

Google chrome closes the tab or if we have only
one tab it closse too without any confirmation.

###########
Abstract
###########

for test all of this need a instaled web server,
and some patience XDD

#############
tesst 1
#############

Create a new html document and write in:

<html><body onload='close()'></body></html>
save it as test1.html in c:\test\ for testing.

1.1 - Open google Chrome and open it with file handler like
file:///c:/test/test1.html
Chrome does not close the window and nothing apears...

1.2 - Open The file in a trust intranet zone via
htttp://localhost/test/test1.html or via ip
http://192.168.1.100/test/test1.html
Chrome does not close the window and nothing apears...


1.3 - Open hard disk and select c:\test\test1.html rigth
click and open with Google Chrome.
Chrome open and close auth.

if we change to other even like onblur ,with onfocus event
it´s interesting because if we try to use inspector to view
the source code, we click in body tag , and we close inspector
the tab is close too,this only aparently afects,wen we open the
html document with test mode 1.3

so this issue aparently can´t exploit in a remote scenario.

###############
test 2
###############

create a new html file and wirte inside , and save it as
test2.html in the test folder.

<html>

<head></head>
<title>.:[-Google Chrome close() issue PoC By Lostmon-]:.</title>
<body>
<script>
try { CloseCrome(); } catch(e) {
setTimeout("location.reload();",20);
close(); }
</script>
<h2>.:[-Google Chrome close() issue PoC By Lostmon-]:.</h2>

<p>Google Chrome :2.0.172.33 (Build oficial )<br>
WebKit 530.5<br>V8 1.1.10.13<br>
User Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)<br>
AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.33 Safari/530.5</p>
</body>

</html>

2.1 - Open it via file protocol handler file:///c:/test/test2.html ,
Chrome does not close the window and nothing aparently apears.
but if we try to navigate to other site like www.google.com
the tab closes auth.

2.2 - Open it in trust web server http://localhost/test/test2.html ,
or http://192.168.1.100/test/test2.html Chrome does not close
the window and nothing aparently apears ;but if we try to navigate
to other site like www.google.com the tab closes auth.

2.3 - Open hard disk and select c:\test\test2.html rigth
click and open with Google Chrome.
Chrome open and close auth.

##############
conclusion
##############

This issue can be a vulnerability , and this can be used for
example to built malwares that can be tramp the browser in a
determinate location and if the user try to look the code
(onfocus)or try to navigate to other site (test2.html)or other
event,the window can close without interaction,them if a
malware or a malicious web page or a browser hijacker can
load as a default web page and them this can be a
Denial Of Service Condition


atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Patch for Yogurt writemessage.php original Parameter SQL Injection

Saturday, June 27, 2009
###################################
Patch for Yogurt writemessage.php
original Parameter SQL Injection
vendor url:http://sourceforge.net/tracker/?group_id=112452
####################################

This is a manual fix for the last discovered sql
injection vulnerability in yogurt social network


#########################
vulnerability references:
#########################

http://osvdb.org/show/osvdb/55098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2034
http://www.milw0rm.com/exploits/8932

####################
SQL injection PoC
####################

http://localhost/yogurt/system/writemessage.php?original=
-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,
6,7,8+from+users--

###############
Specific vendor
###############

http://sourceforge.net/tracker/?func=detail&aid=
2813318&group_id=112452&atid=663715

###########
MANUAL FIX
###########

open writemessage.php and look this code =>

Line 79: if (isset($_GET['original']))
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" .
$_GET['original'], $db)

###############
change
################

Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" .
intval($_GET['original']), $db)

####################€nd ########################

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Comtrend HG536+ poligon firmware tftp vuln

Monday, June 15, 2009
##########################################
Comtrend HG536+ poligon firmware tftp vuln
Vendor url: www.comtrend.com
Vendor: www.adslzone.net/firmware-adslzone-poligon.html
Advisore Url:http://lostmon.blogspot.com/2009/06/
comtrend-hg536-poligon-firmware-tftp.html
Vendor notify: NO Exploit: see explanation.
#########################################

##############
History
##############

This is a extended research from those vulns =>

http://lostmon.blogspot.com/2009/04/comtrend-hg536-vulnerabilities.html

And =>

http://www.securityfocus.com/bid/32975

poligon firmware have all the same flaws.

#####################
Description By vendor
Comtrend
#####################

The HG536+ is an 802.11g (54Mbps) wireless and wired
Local Area Network (WLAN) ADSL router. Four 10/100
Base-T Ethernet ports provide wired LAN connectivity
with an integrated 802.11g WiFi WLAN Access Point for
wireless connectivity.

###################
Description poligon
firmware by adslzone
####################

Poligon ADSLzone comes from several firmwares manufacturers
and suppliers that use Internet (Asus, U.S. Robotics, Comm Net
, Broadcom, Deutsche Telekom, Alice Italy, Pirelli (Italy),
Bungury (Russia) and Vodafone (Thailand).

################
Vulnerabilities
################

This firmware have a flaw in tftp
service ,if a user have enable lan access
to tftp server and/or access from Wan ,
this router is prone vulnerable to a DoS
condition.

in the configuration file we can look for
services enabled at this line =>

---------------------------------------------------
srvCtrlList ftp="lan" http="lan" icmp="lan"
snmp="disable" ssh="disable" telnet="lan" tftp="lan"
----------------------------------------------------

in this case we have enabled tftp access from lan

oks create a new html file for example tweaking.html
(this file exists in poligon firmwares but you can use other
that´s have in yopur router in the /webs folder).

let´s try to upload it from my machine to /webs router folder

tftp -i 192.168.1.1 PUT c:\tweaking.html /webs

the file is aparently upload and the tftp server is configured
for reboot the router after upload finished.

Them i make the same test via Wan access and i have
the same result the router is reboot...

This can cause a DoS to a user , because a atacker
can force to reset all time, the victim´s router.

###############
versions
###############

Comtrend HG536+ router with this firmwares:

firmware Comtrend A101-302JAZ-C01_R05

firmware A101-302JAZ-C03_R14.A2pB021g.d15h

firmware Poligon, Release.0810b_1525 ADSLZONE v.1.10.08.11b (tftp issue)

##############
Solution
#############

No solution was available at this time.

by default this router is configured for
denied the access from WAN connections
But this style attack can be done if any
user is inside the LAN or if enable the
access from WAN for tftp service.

Configure to disable tftp and
Grant access to device ,only to trust users.

################# €nd #############

Thnx To Brink for test with me and for
his patience wen i reboot his router :P
Brinkxd@gmail.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Caja Granada ha Parcheado Su web

Wednesday, June 10, 2009
###################################
Caja Granada ha Parcheado Su web
vendor Url:http://caja.caja-granada.es/
###################################

La web de La entidad bancaria Caja granada bajo uno
de sus diferentes dominios,se vio afectada por una
serie de errores de validacion de tipo Cross-site
scripting (XSS) y de tipo (CSRF)

Estas vulnerabilidades fueron descubiertas y
estudiadas por mi hasta descubrir las vulnerabilidades
o vectores de ataque, en la parte externa de la web;es
decir en la parte no autentificada de la web.

Las vulnerabilidades fueron reportados al equipo de seguridad
logica de La entidad, y al servicio de atencion al cliente,
despues del intercambio de unos mails, ha quedado parcheada
la parte mas critica de estas vulnerabilidades, la cual
permitia la inclusion de todo un sitio web bajo un frame
sobe el dominio principal de la entidad.



Caja Granada vuelve a ser segura en esos puntos reportados.
Ningun cliente de Caja granada pudo verse afectado , ya que
las comunicaciones se produjeron con absoluta discreccion
por ambas partes.

En el caso de la inclusion del sitio, ademas de haber sido
corregido , se nos muestra un mensage advirtiendonos de si
de verdad hemos accedido a esa url atraves del dominio de
caja Granada.



No se da ninguna prueba de cocepto por motivos evidentes.

Referencias :

http://caja.caja-granada.es

http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html

http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html



################## €nd ###################


Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends