On 08/04/14 17:26, Martijn Grooten wrote:
> On Tue, Apr 08, 2014 at 05:04:27PM +0100, bad apple wrote:
>> Gah... that was entirely my fault: between noscript and request-policy,
>> I hadn't seen it (it wasn't loading) on the page. Had to enable some
>> blogger* cross-domain requests and up it popped. Sorry about that.
>
> Here's an actual proof-of-concept: https://www.mattslifebytes.com/?p=533
>
> It works.
>
> Martijn.

Oh dear, the decent PoC arrived even more quickly than expected... at least some extended testing can be done now. Sidejacking session IDs is now obviously a walk in the park; it's Blacksheep all over again, but server-side and semi-random this time.

Whilst I'm waiting on interminable WSUS configs to do their thing prepping the Windows updates, I've set up a batch of vulnerable VM templates and am fuzzing them with large selections of traffic-capture replays whilst hammering them with the linked tool. I'll leave it for several hours before I check properly, but I've yet to see anything other than webserver-related leaks, as expected: I'm still to be convinced we're going to see SSH key recovery via this mechanism. But I may be wrong, and will happily admit so if the evidence comes out in the next few days.

I bloody wish Google (or any other company with a huge Linux footprint) would actually put their hands in their pockets, splash a couple of $10m notes and hire a crack team of security bods to work 24/7 on auditing critical open source libraries and figuring out how to do deterministic builds in a non-teeth-pulling manner. You'd have thought such chump change for such a critical security assurance would not only be worth it financially for them but would be a PR coup dream.

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq