白帽子安全

© 白帽子安全 | Powered by LOFTER

15 November 2014

The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net

The vulnerability exists on the "adx_click.html" page, in its "goto" parameter, e.g.
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

The vulnerability can be exploited without the user being logged in. Tests were performed on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.

(1) When a user is redirected from Nytimes to another site, Nytimes checks the parameters "sn1" and "sn2". If the domain of the redirect URL is OK, Nytimes allows the redirection.
However, if URLs on an allowed domain have open URL redirection vulnerabilities of their own, a user can be redirected from Nytimes to a vulnerable URL on that domain first and then on from that vulnerable site to a malicious site. To the user this looks the same as being redirected from Nytimes directly.
One of the vulnerable domains is:
doubleclick.net (Google's ad website)


(2) One of the author's webpages is used for the following tests. Its address is "http://tetraph.com/blog"; we can suppose that this webpage is malicious.
Vulnerable URL:
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

POC:
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fblog%3F%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion
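As an added illustration, not code from the original post, the following Python models the flaw described in (1) and (2): a check that validates only the immediate "goto" host accepts the POC because it points at the allowed ad server, while a hardened check also walks every absolute URL nested inside the target. The allowlist, and treating the "sn1"/"sn2" check as a plain host allowlist, are assumptions; the post does not document Nytimes' actual validation.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Both URLs are taken from the post: the legitimate ad link and the POC.
LEGIT_URL = "http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion"
POC_URL = "http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fblog%3F%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion"

# Assumption: the post says Nytimes checks "sn1"/"sn2" and allows the redirect
# when the goto domain is OK; that is modelled here as a host allowlist that
# names the ad server and the campaign's declared landing host.
ALLOWED_HOSTS = {"ad.doubleclick.net", "facebook.com"}

# An absolute URL nested inside another URL's path or query string.
NESTED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def goto_param(adx_url):
    """Return the (once-decoded) goto parameter of an adx_click URL, or ''."""
    return parse_qs(urlsplit(adx_url).query).get("goto", [""])[0]


def redirect_chain(url, depth=0):
    """Hosts of url and of every absolute URL nested inside it, outermost first."""
    parts = urlsplit(url)
    hosts = [(parts.hostname or "").lower()]
    if depth < 5:  # bound recursion on pathological inputs
        # Decode one more layer so a doubly-encoded inner URL is not missed.
        tail = unquote(parts.path + "?" + parts.query)
        for match in NESTED_URL.finditer(tail):
            hosts.extend(redirect_chain(match.group(0), depth + 1))
    return hosts


def weak_check(goto):
    """The flawed check: only the immediate redirect host is validated."""
    chain = redirect_chain(goto)
    return bool(chain) and chain[0] in ALLOWED_HOSTS


def strict_check(goto):
    """Hardened check: every host reachable through nested URLs must be allowed."""
    chain = redirect_chain(goto)
    return bool(chain) and all(host in ALLOWED_HOSTS for host in chain)


if __name__ == "__main__":
    for label, adx in (("legitimate", LEGIT_URL), ("poc", POC_URL)):
        goto = goto_param(adx)
        print(label, redirect_chain(goto), weak_check(goto), strict_check(goto))
```

The weak check passes both URLs because the outer target is always ad.doubleclick.net; only the strict check distinguishes the POC, whose nested destination is tetraph.com.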

Credit:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.
http://tetraph.com/wangjing/

