Blogger.com vulnerability, Gaining Administrative Privileges on whatever Account !
In the final 2 months,Nir.Goldshlager participated inwards Google vantage programme together with works life to a greater extent than or less High, Serious vulnerabilities. The vulnerability that Nir.Goldshlager want to part first, Is a critical vulnerability inwards Blogger (Google Service). That vulnerability could live on used past times an assaulter to instruct administrator privilege over whatever blogger trouble concern human relationship (Permission Issue).
Here are the details regarding the upshot inwards Blogger service,
Nir.Goldshlager works life a HTTP Parameter Pollution vulnerability inwards Blogger that permit an assaulter to add together himself every bit an administrator on the victim's blogger account,
Technical details:
Here are the steps for getting admin command permissions over whatever blogger accounts.
1.) The assaulter Use the invite writer options inwards blogger (add authors):
Vulnerability location:
POST /add-authors.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite
As you lot tin forcefulness out encounter I added 2 blogid value inwards my post asking (blogID=attackerblogidvalue&blogID=victimblogidvalue)
The server checks the get-go blogid value together with executes the minute blogid value of the attacker
2.) After that the assaulter receives a postal service to confirm him every bit a writer (author invitation link) , After that, the assaulter volition live on added every bit an writer on the victim account.
3.) At this footstep it becomes possible to alter the assaulter permission from an writer to an administrator,
Vulnerability Location:
POST /team-member-modify.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges
every bit you lot tin forcefulness out encounter at that topographic point is Another plain inwards this asking called memberID.
Any users inwards blogger accept a memberID value, together with hence the assaulter too withdraw to render his memberId value inwards this post request.In Blogger service, whatever Administrator, Author accept a memberid value, So to brand a successful assail (become administrator), an assaulter must add together himself get-go every bit a writer on the victim account, To perform the side past times side footstep that volition add together himself every bit an administrator on the victim account.
Proof of Concept Video :
Note : The vulnerability mentioned hither has been confirmed patched past times the Google Security Team really fast.
News Source : Nir.Goldshlager
Here are the details regarding the upshot inwards Blogger service,
Nir.Goldshlager works life a HTTP Parameter Pollution vulnerability inwards Blogger that permit an assaulter to add together himself every bit an administrator on the victim's blogger account,
Technical details:
Here are the steps for getting admin command permissions over whatever blogger accounts.
1.) The assaulter Use the invite writer options inwards blogger (add authors):
Vulnerability location:
POST /add-authors.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite
As you lot tin forcefulness out encounter I added 2 blogid value inwards my post asking (blogID=attackerblogidvalue&blogID=victimblogidvalue)
The server checks the get-go blogid value together with executes the minute blogid value of the attacker
2.) After that the assaulter receives a postal service to confirm him every bit a writer (author invitation link) , After that, the assaulter volition live on added every bit an writer on the victim account.
3.) At this footstep it becomes possible to alter the assaulter permission from an writer to an administrator,
Vulnerability Location:
POST /team-member-modify.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges
every bit you lot tin forcefulness out encounter at that topographic point is Another plain inwards this asking called memberID.
Any users inwards blogger accept a memberID value, together with hence the assaulter too withdraw to render his memberId value inwards this post request.In Blogger service, whatever Administrator, Author accept a memberid value, So to brand a successful assail (become administrator), an assaulter must add together himself get-go every bit a writer on the victim account, To perform the side past times side footstep that volition add together himself every bit an administrator on the victim account.
Proof of Concept Video :
Note : The vulnerability mentioned hither has been confirmed patched past times the Google Security Team really fast.
News Source : Nir.Goldshlager
Share This :
comment 0 Comments
more_vert