GitHub SWAG

Posted: April 12, 2014 in GitHub vulnerability

A few months ago, after doing lots of security bug hunting on websites of MS, Dropbox, Yahoo, etc., I finally decided to try out something new. I looked around to fool around with some gadgets and I realized the only option available was my Sony Xperia Sola cell phone. I decided to give it a try just for fun’s sake and to satisfy my hunger for curiosity. I realized I didn’t have any knowledge of mobile-sec but decided to give it a try anyway.

Moving forward: I thought, why not start with the lock screen and try some unusual combos to bypass the lock. After a few combos and tries, and wasting lots of time waiting, I was nowhere! Oh, but wait! I saw an emergency dialer option below the passcode keypad.

“Hm!”, I said to myself, “What can I possibly find here?”

Suddenly, I remembered the USSD code execution in the web browser which used the “TEL” protocol and affected Samsung mobiles.

My reaction:

I thought, why not enter USSD codes here to make certain paid services activate. After multiple attempts I was nowhere.

Finally I decided, why not try to access the IMEI USSD code and see if it executes. So I keyed in *#06# and BAM!

The code successfully executed and gave a pop-up of IMEI.

After several attempts with different codes I realized that some of these codes don’t execute at all and some of them execute in the background, meaning you have to run the USSD code in the emergency dialer, then unlock the phone to access the services.

After finding nothing useful, other than popping an IMEI code, my reaction was:

Then suddenly a movie (I think it was Trackdown) reminded me of a wild term called “FTM”, also known as “FACTORY TEST MODE”!

So after a few Google searches I found the IMEI to launch the FTM for Xperia cell phones.

The code is: *#*#7378423#*#*

After obtaining the code, I went back to the emergency dialer, keyed in the FTM USSD code and BAM!!!! I got the FTM access.

Yup!! GOT the FTM access.

A little more fiddling here and there and I found the Bluetooth option. I took another cell phone which was previously paired to my Xperia.

On the Xperia I activated Bluetooth via FTM and also on the other phone simultaneously. The Xperia detected the other phone in the vicinity and I was successfully able to transfer a file from the other cell to my cell phone!

HM! Nice way of sharing malware to a locked phone, isn’t it :P

After sitting on this vulnerability for a while due to college exams and whatnot, I wasn’t able to report it to Sony earlier. But now, since there are vacations, I decided to go and report it. As Sony doesn’t have a responsible disclosure or bug-bounty policy, I had to find a security address via the customer-support team.

After reporting the issue with some more details about it, the Sony security team acknowledged the vulnerability but also said that it was previously reported by another researcher!

Finally my name got listed for responsibly disclosing a vulnerability in the Microsoft developer platform.

Here is the link to the vulnerability: http://techielogic.wordpress.com/2013/12/13/vulnerability-on-microsoft-social-msdn/

Here is the HOF link:

http://technet.microsoft.com/en-in/security/cc308589.aspx

Microsoft HOF

This vulnerability was found on 31-10-2013 and LinkedIn addressed the issue within hours of reporting. Again, like last time, they were quick to respond to vulnerability reports!

The reason why I use the word “Targetted” is because the CSRF only works on a targeted victim and the link for creating the CSRF varies from user to user. Unlike a traditional CSRF, this vulnerability requires the attacker to obtain a parameter value of the victim (UID) to create the malicious CSRF link.

Here is the PoC:

1> Create a link like: https://www.linkedin.com/mfeed?hide=&uid=5801xxxxxxxxxx&pk=uscp-home&goback=%2Enmp_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1&trk=delete-my
2> Select your targeted victim and the update/post which you need to delete.
3> “LIKE” the post to obtain the value for the UID parameter.
4> Visit the victim’s profile and, under updates, see the update/post which you “LIKE(d)”.
5> Hover the mouse over the victim’s name under the same update/post and capture the UID parameter’s value. [Hover and hold the mouse pointer on the name for a while till you see the tool-tip.]
6> Now reconstruct the above link with the given UID’s value and send it to the victim to get the vulnerability to work.
7> Now forward the link to the victim; after clicking the link, the victim’s update will get deleted.

This vulnerability has now been fixed by adding a unique anti-CSRF token for deleting the post/update.
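As an added illustration (not code from the original post or from LinkedIn), here is a minimal Python model of the delete endpoint before and after the kind of fix the post describes: the "before" handler deletes any update named by uid for a logged-in user, so a link is enough, while the "after" handler only accepts a POST that carries the per-session anti-CSRF token. Session ids, user names and post ids are constructed sample values.

```python
import hmac
import secrets

def sample_state():
    """Constructed stand-ins for a session store and a feed database.
    The ids are made up; they are not real LinkedIn values."""
    sessions = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
    posts = {"5801000000001": {"owner": "alice", "text": "first update"}}
    return sessions, posts

def delete_update_vulnerable(sessions, posts, session_id, params):
    """'Before' shape: any request from a logged-in browser that names a
    post id deletes it, so a cross-site link with the victim's uid works.
    Returns an HTTP-style status code."""
    sess = sessions.get(session_id)
    if sess is None:
        return 401
    post = posts.get(params.get("uid"))
    if post is None or post["owner"] != sess["user"]:
        return 404
    del posts[params["uid"]]
    return 200

def delete_update_fixed(sessions, posts, session_id, method, params):
    """'After' shape: the delete is POST-only and must carry the anti-CSRF
    token minted for this session, which a cross-site page cannot read."""
    sess = sessions.get(session_id)
    if sess is None:
        return 401
    if method != "POST":
        return 405
    token = params.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    post = posts.get(params.get("uid"))
    if post is None or post["owner"] != sess["user"]:
        return 404
    del posts[params["uid"]]
    return 200
```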

Vulnerability: XSS

TELEKOM XSS

HOF:

HOF on telekom

Found on: 11-10-2013

Status: Fixed

HoF: In 2013’s December list

Vulnerability: Clickjacking

Domain affected: https://www.linkedin.com/inbox/mailbox/message/compose?trk=hb-messages-item-cmpmsg-v2

Vulnerability Reported on: 03/10/2013

Response received: Within a few hours (must say they were really fast in responding to security vulnerabilities)

Status: Fixed

PoC: The iframe is made visible just for demonstration purposes.