Thread: Gmail XSS vulnerability through Content Sniffing

  1. #1
    Garage Addict 41.w4r10r's Avatar
    Join Date
    Jul 2010
    Location
    Pune
    Posts
    338
    Blog Entries
    3

    Gmail XSS vulnerability through Content Sniffing

    Hi all,

    A few months ago I found this vulnerability, which was reported to Google and patched (basically my way to the Google Hall of Fame).


    Product: Gmail.com
    Setup: Windows XP SP3 with IE 7.0 (Google Chrome frame installed)
    Vulnerability: XSS possible using malicious Image as attachment(works for IE6/7)

    Introduction:
    The vulnerability was in www.gmail.com, which can be used to send emails. We can send images as attachments to any user. By creating a malicious image file and attaching it to a mail, an attacker can exploit this vulnerability, which can lead to complete compromise of the account by stealing the mail receiver's cookies.
    Gmail was not validating the contents of uploaded image files, which can lead to XSS by including JavaScript in image files. The following screenshots demonstrate the complete attack vector.


    (Attached screenshots: 1.jpg, 2.jpg, 3.jpg, 4.jpg)

    Basically, this attack was at first limited to IE 6/7, but after some research I was able to bypass the IE8/9/10 protection, which we presented at NullCon 2012. A detailed paper on the same will be published soon here on g4h.
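A defender-side check for the class of bug described in the first post, added here as an example and not Gmail's or the author's code: reject an attachment whose bytes do not match its declared image type or that carry HTML markup, and serve attachments with headers that forbid the browser from sniffing or rendering inline. The magic-byte table, the marker regex and the sample byte strings are constructed for this example.

```python
import re
from typing import Optional, Tuple, Dict

# Signature prefixes for the image types the service is willing to serve (constructed table).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Markup that a content-sniffing browser may take as a cue to render the body as HTML.
# Legacy IE sniffed only the first few hundred bytes; scanning the whole file is the
# conservative choice for the server.
HTML_MARKERS = re.compile(rb"<\s*(script|html|body|iframe|img|object|svg)\b", re.I)


def sniffed_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file signature, or None if unknown."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_image_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Accept only if the bytes carry a known image signature, that signature agrees
    with the declared MIME type, and no HTML-looking markup is embedded."""
    actual = sniffed_type(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != declared_type:
        return False, f"declared {declared_type} but bytes look like {actual}"
    if HTML_MARKERS.search(data):
        return False, "embedded HTML markup"
    return True, actual


def attachment_headers(mime: str, filename: str) -> Dict[str, str]:
    """Response headers that stop the browser from second-guessing the type or rendering inline."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


# Constructed samples, not files from the thread: a plain JPEG header, and the same
# header followed by markup of the kind the post describes.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
TAMPERED_JPEG = b"\xff\xd8\xff\xe0" + b"<script>void 0</script>"
```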

  2. #2
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    One of the very critical vulnerabilities, since it was affecting webmails, and a cool discovery.
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    Simply awesome!! And a critical one. Great work by 4N1L bro.
    The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison

  4. #4
    great..................!! Gud1

  5. #5
    I am seriously asking the admin when we are making a section called Google Advisories :P ...
    Garage4Hackers bugs for the community , of the community

    We provide IT

  6. #6
    Web Security Consultant amolnaik4's Avatar
    Join Date
    Jul 2011
    Location
    webr00t
    Posts
    277
    Blog Entries
    4
    And here comes the most awaited PoC ... Gmail Content Sniffing Bypass.

    Nice work, Anil.

    Cheers,
    AMol NAik

  7. #7
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    [S] yeah man, we should seriously have that; will set it up by tonight.
    Hacking Is a Matter of Time Knowledge and Patience

  8. #8
    Network Security Administrator Hackuin's Avatar
    Join Date
    Apr 2011
    Location
    10011001 10011001
    Posts
    104
    Good one Anil.
    Microsoft should have learned about file processing with IE7 itself, which they failed to, but managed to process the type of file the browser encounters appropriately with IE9.

    Check --> Text File Redirection [all versions below IE9] doesn't process the type of file correctly.
    "Free software" is a matter of liberty, not price. To understand the concept, you should think of "free" as in "free speech," not as in "free beer."
    "Microsoft is not the answer. Microsoft is the question. NO (or Linux) is the answer."
    "Ubuntu - Linux For Human Beings."

    Currently reading books:
    Integrating Forensic Investigation Methodology into eDiscovery -- by Colin Chisholm.
    Digital Forensics with Open Source Tools -- by Cory Altheide && Harlan Carvey.
