Sunday 4 May 2014

Odnoklassniki.ru (OK.RU) Online Website Covert Redirect Web Security Bugs Based on Google.com














Odnoklassniki.ru (OK.RU) Online Website Covert Redirect Web Security Bugs Based on Google.com



(1) Domain:Odnoklassniki.ru



"Odnoklassniki, OK.ru (Russian: Одноклассники -Classmates) is a social network service for classmates and old friends. It is popular in Russia and former Soviet Republicsz. The site was developed by Albert Popkov on March 4, 2006. The website currently claims that it has more than 200 million registered users and 45 million daily unique visitors. Users have to be at least seven years old to make an account. Odnoklassniki also currently has an Alexa Internet traffic ranking of 69 worldwide and 7 for Russia. Revenues in the first quarter of 2008 for Odnoklassniki amounted to $3.3 million. The site has been online for at least eight years. Compared with internet averages, Odnoklassniki.ru's users tend to be under the age of 35, and they tend to be men earning less than $30,000 who have postgraduate educations and browse from home. The site is particularly popular among users in Kyrgyzstan (where it is ranked #4) and Armenia (#5)." (Wikipedia)








(2) Vulnerability Description:Odnoklassniki.ru web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 







The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 





The vulnerability occurs at "odnoklassniki.ru/dk?" page with "&st.link" parameter, i.e.
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=http%3A%2F%2Fgoogle.com





(2.1) When a user is redirected from Odnoklassniki.ru to another site, Odnoklassniki.ru will check whether the redirected URL belongs to domains Odnoklassniki.ru's whitelist, e.g.
google.com

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Odnoklassniki.ru to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Odnoklassniki.ru directly.


One of the vulnerable domain is,
google.com





(2.2) Use one of  webpages for the following tests. The webpage address is "http://tetraphlike.lofter.com/". Can suppose that this webpage is malicious.


Vulnerable URL:
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=http%3A%2F%2Fodnoklassniki.ru




POC:
http://www.odnoklassniki.ru/dk?cmd=logExternal&st.cmd=logExternal&st.name=62335557910585&st.link=https%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fservice%3Dwise%26continue%3Dhttp%253A%252F%252Fgoogleads.g.doubleclick.net%252Faclk%253Fsa%253DL%2526ai%253DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%2526num%253D0%2526sig%253DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%2526client%253Dca-pub-0466582109566532%2526adurl%253Dhttp%253A%252F%252Fwww.tetraph.com%252Fkaleidoscope.html





POC video:
https://www.youtube.com/watch?v=Cf_-xPsYD-s


Blog Detail:
http://tetraph.blogspot.com/2014/05/odnoklassnikiru-covert-redirect.html








(3) What is Covert Redirect? 


Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.



Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.






Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)








More Details:
http://tetraph.com/security/covert-redirect/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/
http://securityrelated.blogspot.com/2014/10/odnoklassnikiru-covert-redirect.html
http://whitehatpost.lofter.com/post/1cc773c8_706b5e4
https://mathfas.wordpress.com/2014/10/15/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/
https://twitter.com/yangziyou/status/614327346808664064
http://ithut.tumblr.com/post/119494119203/securitypost
https://vulnerabilitypost.wordpress.com/2014/10/15/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/
http://tetraph.blog.163.com/blog/static/23460305120144511829839/
http://computerobsess.blogspot.com/2014/10/odnoklassnikiru-covert-redirect.html
http://www.inzeed.com/kaleidoscope/covert-redirect/odnoklassniki-ru-covert-redirect-vulnerability-based-on-google/






===========





Одноклассники (социальная сеть)


«Однокла́ссники» (OK.ru) — социальная сеть, принадлежащая Mail.Ru Group. Седьмой по популярности сайт в России, Казахстане и на Украине, 67-й — в мире. Проект запущен 4 марта 2006 года.


По данным собственной статистики сайта, на июль 2011 года зарегистрировано более ▲ 100 миллионов пользователей, на март 2012 года более ▲ 148 миллионов пользователей, а на 1 января 2013 года более ▲ 205 млн пользователей. Посещаемость сайта — ▲ более 44 миллионов посетителей в сутки. (ru.wikipedia)









No comments:

Post a Comment