mail.google.com
the process of password cracking, there exists a security problem. I have
programmed a Python script that implements the process I explain in
the proof-of-concept paragraph, and it has allowed me to run thousands
of automated requests and obtain the password of one of my test accounts.
> Gmail has all sorts of additional limits on password brute forcing.
> The confusion here is the difference between "login incorrect" (due to
> bad password) and "login incorrect" (due to excessive login attempts).
> This protection kicks in after a small number of failed attempts,
> after which even correct credentials will not be accepted. You can't
> tell the difference in the UI you are using, so it's understandable to
Hi Vicente,
As was explained by my colleague Neel Mehta in his reply, this is not
a vulnerability.
- Severity: 4.5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Gmail vulnerable to automated password cracking.
II. BACKGROUND
-------------------------
Gmail is Google's free webmail service. It comes with built-in Google
search technology and over 7,300 megabytes of storage (and growing
I have noticed several media articles recommending that users use
https to protect their gmail sessions from Robert Graham's
"Sidejacking" attackers.
It turns out that independent of Mr. Graham's work, I have also been
investigating these types of attacks as they pertained to users'
safety while they use the Tor network.
As I presented in my Black Hat and DefCon talks on Securing the Tor
Network, it turns out that using https for accessing mail.google.com
GZIP,
BZIP2, Unix/Linux ZIP, LZH, etc.
Network/Applications Controlled
* Email: Microsoft Outlook, Lotus Notes and SMTP Email
* Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more
* Instant Messaging: MSN, AIM, Yahoo, and more
* Network Protocols: FTP, HTTP/HTTPS and SMTP
Endpoint Devices Controlled
* USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and
imaging devices, print screen, modems, PCMCIA
Vulnerability Report:
As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send any number of forged email messages without restriction through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters.
Impact:
All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.
On Wed, 7 May 2008 pablo.ximenes@upr.edu wrote:
>
> Vulnerability Report:
>
> As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send any number of forged email messages without restriction through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters.
>
> Impact:
>
> All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.
>
> The details are not so hard to guess. Unless this post is different,
> anyone can send an email to a nonexistent user at a google service and
> they accept it and bounce back to the envelope recipient. *sigh*.
They don't, for normal gmail service:
$ telnet gmail-smtp-in.l.google.com 25
Trying 209.85.135.114...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
Hi,
According to the following press release of MessageLabs:
http://www.messagelabs.com/resources/press/11351
"the proportion of spam from Gmail increased two-fold from 1.3 percent
in January to 2.6 percent in February"
Recently, researchers at Websense also spotted ITW
(http://www.websense.com/securitylabs/blog/blog.php?BlogID=174) a bot
trying to break Gmail's image captcha, with relative success though. So
I understand what you're saying, but you're not so good at explaining things like this in a clear manner. What I understand from reading your studies, is that gmail implements one of two (or possibly both) systems where authentication is forcefully denied (to either the IP or the account):
i. If 100 unsuccessful attempts to a given (or any?) email address during any 2 hour period are made, from a given IP.
ii. If 100 unsuccessful attempts to a given email address during any 2 hour period are made, regardless of IP.
Once the given IP successfully accesses any gmail account that it hasn't accessed in the last 2 hours, the blockade is apparently removed (for all given IPs/accounts). If this is correct, then there is a problem because the unsuccessful attempt count can be reset automatically.
This has been done incorrectly time and time again. Take MSN Messenger for example: a denial of service attack is (or once was) present because access to the given account was blocked for all IPs.
On the other hand, if the restriction only results in access to IP addresses being denied, then you better watch out for those people with 50,000 drone botnets because they can make 200 * 50k attempts per hour (under ideal conditions).
#
# VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
# --------------------------------------------------
#
# About:
# by DarkFig < gmdarkfig (at) gmail (dot) com >
# http://acid-root.new.fr/
# #acidroot@irc.worldnet.net
#
# Exploit:
# + Logged in (Administrator)
Privilege Escalation]================
Author(s): Giuseppe 'Evilcry' Bonfa'
AbdulAziz Hariri
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
http://www.insight-tech.org
http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com
hosting incidents: WHID 2007-74: Web host breach may have exposed passwords
for 6,000 clients, WHID 2007-77: HostGator: cPanel Security Hole Exploited
in Mass Hack, WHID 2007-76: A large web hosting firm inflicted by mass
malware installation.
+ The first CSRF entry in WHID, and a really bad one: CSRF in g-mail cost
someone his very successful domain, stolen by a blackmailer (WHID 2007-72:
Gmail CSRF exploited to hijack a domain
(http://www.webappsec.org/projects/whid/byid_id_2007-72.shtml)
+ Our first story from Brazil. It is not new, but the exposure to the
Terribly sorry, gmail messed up the GPG signature. Hope this one can
get through.
=== WordPress Charset SQL Injection Vulnerability ===
Release date: 2007-12-10
Last modified: 2007-12-10
(b) most mail users use mail servers at their employers or their local
ISP (ISPs with retail presence in multiple territories will of course
have mail servers situated locally);
(c) the balance, excluding those weirdos running their own personal
MTA / MSAs, will be using webmail services like Hotmail and Gmail.
Tracerouting from the machine I'm typing this on (in the UK) shows a
route through my ISP, to LINX (the London IX), and then straight into
Google space. The RTT all the way to the final hop is in the 30ms
Advisory number: SN-2007-01
Advisory URL: http://www.securenetwork.it/advisories/, http://www.ikkisoft.com
*** SUMMARY ***
GCALDaemon is an OS-independent Java program that offers two-way synchronization between Google Calendar and various iCalendar compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter.
Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars over HTTP, by uploading their file via an HTTP PUT and getting/refreshing their calendar with an HTTP GET. GCALDaemon's built-in HTTP server keeps these HTTP messages in sync with a specified Google Calendar. An input validation flaw allows an attacker to craft an HTTP request with an abnormal Content-Length value; this malformed request can trigger a denial of service arising from a Java out-of-memory fatal error.
*** VULNERABILITY DETAILS ***
# Internal IP Address Disclosure
#
# -=- PRIV8 -=- 0day -=- PRIV8 -=- 0day -=- PRIV8 -=-
#
# -[nitrus]- [ Alejandro Hernandez H. ]
# nitrousenador -at- gmail -dot- com
# http://www.brainoverflow.org
#
# Mexico / 25-Aug-29
#
# -=- PUBLIC NOW -=-
-----------[TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local
Privilege Escalation]--------->
Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com
http://evilfingers.com
http://malwareAnalytics.com [under construction]
-----------[Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation]--------->
Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com
http://evilfingers.com
V. Credits
Juan Galiana Lara
<jgaliana gmail com>
http://blogs.ua.es/jgaliana
Sincerely,
Simon
---------- Forwarded message ----------
From: Simon Ryeo <bar4mi@gmail.com>
Date: 2008/12/13
Subject: TmaxSoft JEUS Alternate Data Streams Vulnerability
To: bugtraq@securityfocus.com
On Friday 31 October 2008 15:03:55 irancrash@gmail.com wrote:
> ----------------------------------------------------------------
>
> Script : Cpanel 11.x
>
> Type : Local File Inclusion & Cross Site Scripting
>
> Risk : High
>
> ----------------------------------------------------------------
# Found the 29th September 2008
##########################################################
# Author: Kad
#
# mail : kadfrox [ a ] gmail [ dot ] com
#
##########################################################
#
# script : RPortal v 1.1
# http://www.rportal.org/?op=download&fid=36
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#----------------------------------------------------------------
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
Our Team : IRCRASH
My Official Website : HTTP://FEREIDANI.IR
Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
----------------------------------------------------------------
Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
Discovered by : Khashayar Fereidani Or Dr.Crash
My Website : HTTP://FEREIDANI.IR
Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
----------------------------------------------------------------
Script Download : http://dev-wms.sourceforge.net/
Fixed version:
libxslt, N/A
Credit: vulnerability report and PoC code received from Chris Evans
<scarybeasts [at] gmail [dot] com>, Google Security Team.
CVE: CVE-2008-2935
Timeline:
2008-07-03: vulnerability report received
>
> Vulnerability Report:
>
> As part of our recent work on the trust hierarchy that exists among email
> providers throughout the Internet, we have uncovered a serious security flaw
> in Google's free email service, Gmail.
>
> Disclosure:
> We have contacted Google about this issue and are waiting for their position
> before releasing further details.
>