
From: tetraph

Odnoklassniki.ru Covert Redirect Vulnerability Based on Google


Covert Redirect: http://tetraph.com/covert_redirect/
Covert Redirect Related to OAuth 2.0 and OpenID: http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html


The vulnerability occurs on the "odnoklassniki.ru/dk?" page through the "st.link" parameter, for example:
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=http%3A%2F%2Fgoogle.com


The vulnerability can be exploited without the user being logged in. My tests were performed on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.



(1) When a user is redirected from Odnoklassniki.ru to another site, Odnoklassniki.ru checks whether the redirect target belongs to a domain on Odnoklassniki.ru's whitelist, e.g.
google.com

However, if URLs in a whitelisted domain have open redirect vulnerabilities themselves, a user can be redirected from Odnoklassniki.ru to a vulnerable URL in that domain first and then from that vulnerable URL on to a malicious site. To the user this looks as if the redirect came from Odnoklassniki.ru directly.

One of the vulnerable domains is
google.com


(2) I will use one of my webpages for the following tests. The webpage address is "http://tetraph.com/kaleidoscope.html". We can suppose that this webpage is malicious.


Vulnerable URL:
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=http%3A%2F%2Fodnoklassniki.ru

POC:
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=https%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fservice%3Dwise%26continue%3Dhttp%253A%252F%252Fgoogleads.g.doubleclick.net%252Faclk%253Fsa%253DL%2526ai%253DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%2526num%253D0%2526sig%253DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%2526client%253Dca-pub-0466582109566532%2526adurl%253Dhttp%253A%252F%252Fwww.tetraph.com%252Fkaleidoscope.html
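As an added example (not part of the advisory), the following Python statically unwraps the nested redirect parameters inside an st.link value and flags the case the page describes: a target that passes a host whitelist but whose own redirect parameter ends somewhere else. The allowlist, the parameter-name list and the helper names are assumptions; the sample URL is constructed in code with the same three-layer structure as the POC above, with the long ad parameters omitted.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumed allowlist for this example: the hosts the page says pass the st.link check.
ALLOWED_HOSTS = {"odnoklassniki.ru", "google.com"}
# Query parameters known to carry a further redirect target (assumed list; the page's chain
# uses "continue" and "adurl", the others are common names).
REDIRECT_PARAMS = ("st.link", "continue", "adurl", "url", "redirect", "next")

def host_allowed(host: str) -> bool:
    host = (host or "").lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def redirect_chain(url: str, max_depth: int = 8) -> list:
    """Unwrap nested redirect parameters purely by parsing (no request is sent).
    Each hop is the URL-decoded value of the first redirect parameter found."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlsplit(chain[-1]).query, keep_blank_values=True)
        nxt = next((v for p in REDIRECT_PARAMS for v in query.get(p, [])
                    if urlsplit(v).scheme in ("http", "https")), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def check_redirect(url: str) -> tuple:
    """Verdict for a dk?...&st.link=... URL and the final decoded host:
    'ok'             - every hop stays on an allowlisted host
    'direct_escape'  - st.link itself leaves the allowlist (a plain host check catches this)
    'chained_escape' - st.link is allowlisted but a nested parameter ends elsewhere (covert redirect)"""
    hosts = [urlsplit(u).hostname for u in redirect_chain(url)]
    if len(hosts) < 2:
        return ("ok", hosts[0])
    if not host_allowed(hosts[1]):
        return ("direct_escape", hosts[-1])
    if all(host_allowed(h) for h in hosts[1:]):
        return ("ok", hosts[-1])
    return ("chained_escape", hosts[-1])

def nested(base: str, param: str, target: str) -> str:
    """Append param=<percent-encoded target> to base (helper for the constructed sample)."""
    sep = "&" if "?" in base else "?"
    return f"{base}{sep}{param}={quote(target, safe='')}"

# Constructed sample: same three layers as the POC, each layer percent-encoded once more.
DK = "http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585"
SAMPLE_CHAIN = nested(DK, "st.link",
    nested("https://www.google.com/accounts/Logout?service=wise", "continue",
        nested("http://googleads.g.doubleclick.net/aclk?sa=L&num=0", "adurl",
               "http://www.tetraph.com/kaleidoscope.html")))
```

The check operates on the URL string only, so it can run over web-server or proxy logs without following any link.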


Vulnerability Discoverer:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.

http://www.tetraph.com/wangjing



References:


http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

http://tech.firstpost.com/news-analysis/after-heartbleed-major-covert-redirect-flaw-threatens-oauth-openid-and-the-internet-222945.html

http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html

http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html

http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/

http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

http://tech.ifeng.com/internet/detail_2014_05/03/36130721_0.shtml/

http://network.pconline.com.cn/471/4713896.html

http://media.sohu.com/20140504/n399096249.shtml/

http://it.people.com.cn/n/2014/0504/c1009-24969253.html

http://www.cnbeta.com/articles/288503.htm

http://baike.baidu.com/link?url=0v9QZaGB09ePxHb70bzgWqlW-C9jieVguuDObtvJ_6WFY3h2vWnnjNDy4-jliDmqbT47SmdGS1_pZ4BbGN4Re_

https://zh.wikipedia.org/wiki/%E9%9A%B1%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E

http://www.baike.com/wiki/%E9%9A%90%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E

http://www.csdn.net/article/2014-05-04/2819588

http://tetraph.com/covert_redirect


2015-03-02


©夜如墨 / Powered by LOFTER