IE8 On windows 7 32 bits unspecified DoS

Tuesday, July 13, 2010
##########################################
IE8 On windows 7 32 bits unspecified DoS
Vendor URL:http://www.microsoft.com
Advisore:http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Vendor Notify:YES Vendor confirmed:YES
EXPLOIT:Private
###########################################

A posible flaw exits in Internet explorer 8
on windows 7 32-bits ,that can cause a remote
denial of service from a malformed web page.

This issue is tiggered when IE8 try to render
Modal app prompt in conjuncion with thirds appz that
uses recurses from IE8 and try to render text inputs
it is a posible GDI text-rendering
APIs bug or or DrawText() functions involved.

When the victim visit a malformed web page, an close the 2nd
appz, this appz turns unstable and needs to close , and then
when IE8 try to restore
the tab ,it los the focus from application and it results in
a denial of service to this window , because we can't click
in any bar , in any button or do some action in this window,
ie8 aparently is frozen.

After several test this issue only is reproducible in win7 32 bits

I have a exploit or PoC for this issue , but it's
private at this time :)

Solution:
Microsoft know that as a stability bug and they add it
for consideration in a future version to address it.

#################### €nd ##########################

Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Google Services Notifier Chrome extension XSS/CSRF

Friday, June 18, 2010
######################################
Google Services Notifier Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
advisore:http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html
Exploit available:yes vendor notify : NO
#######################################

So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.

All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..

if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
109 users have instaled it (WoW)

############
explanation
############

Google Services Notifier allows users to view wen they have a new wave and
view a preview of it ....

"Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,
Google Docs, Google Wave etc. More services will be added soon."

If a attacker compose a new mail with html or javascript code in
subject & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of mail.

So for exploit we need to compose a "special" mail
for example if we put directly in the mail subject a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the mail
with the extension :) it is executed in context location.href value is
"about:blank"

For example send a mail With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.

######################€nd#################################
.
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Notifier for Google Wave Chrome extension XSS/CSRF

######################################
Notifier for Google Wave Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
advisore:http://lostmon.blogspot.com/2010/06/notifier-for-google-wave-chrome.html
Exploit available:yes vendor notify : NO
#######################################

So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.

All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..

if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
56,542 users have instaled it (WoW)

############
explanation
############

Notifier for Google Wave allows users to view wen they have a new wave and
view a preview of it ....

If a attacker compose a new wave with html or javascript code in
body & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of wave.

So for exploit we need to compose a "special" wave
for example if we put directly in the mail body a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the wave
with the extension :) it is executed in context location.href value is
"about:blank"

For example send a wave With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.

######################€nd#################################
.

Thnx for your time !!!

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Gmail Checker plus Chrome extension XSS/CSRF II

Thursday, June 17, 2010
######################################
Gmail Checker plus Chrome extension XSS/CSRF II
extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
advisore:http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension.html
Exploit available:yes vendor notify: NO
#######################################

So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)
has a flaw that allow attackers to make XSS style attacks.

All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..

if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have instaled it (WoW)

############
explanation
############

Google Mail Checker Plus allows users to view wen they have a new mail and
view a preview of the mail ....

If a attacker compose a new mail with html or javascript code in mail
body & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of mail.

So for exploit we need to compose a "special" mail
for example if we put directly in the mail body a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
the extension shows this code in plain text and the alert isn´t executed...
them we need to use a Feature from gmail ( auto conver links in clicable urls)
them we can compose a email body with a http link like
http://"><iframe src="javascript:alert(location.href);"></iframe>
or compose a mail link like :
lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com
in the two cases the alert is executed wen try to preview the email
with the extension :) it is executed in context location.href value is
"about:blank"


Gmail is a safe place , but the extensions to manage it, can be a potential
vector to attack.

For example send a email With a logout acction in gmail in body
http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>
it closes the sesion on gmail , this is a CSRF.
also if the user has mark option to show notifications on desktop this issue execute the iframe too in the desktop notifications window and can cause to a denial of service of extension, for example if the victim´s try to change any option in options page from extension :P

So we have dispute it in http://code.google.com/p/chromium/issues/detail?id=45401
The developer has release a patch version in trunk for other issues what i disclose before
see for references for previous vulns => OSVDB ID :65459 and OSVDB ID: 65460
previous patch =>
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js
and see diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0

I release it as 0-day and no notify to vendor because
in the previous issues , he patch the vulns and don´t
make any reference to it and stealing credits on discover
Them i release this new vulns without notify developer :)


UPDATED :Now the extension in about secition reflects the vulnerability and credit it to me :)



######################€nd#################################
.

Thnx for your time !!!

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends