Gaining Administrative Privileges on any Blogger.com Account, 1337$ (Google Reward Program)

Posted: March 15, 2011 by Hacking & Relax in exploit

Hi,

This is my first post on my blog, and also my first post about my security vulnerability findings in the Google Reward Program.

In the last 2 months, I participated in the Google Reward Program and found some high-severity, serious vulnerabilities.

(First, I want to mention that Google has the best, most professional and brilliant security team. It is amazing how much Google cares about security and what an amazing job they do securing their sites. Thanks Adam and the Google Security Team for giving me the chance to show my skills :))

The vulnerability that I want to share first is a critical vulnerability in Blogger (a Google service).

This vulnerability could be used by an attacker to gain administrator privileges over any Blogger account (a permission issue).

Yes, I know it sounds kind of crazy, but it's true :).

Here are the details regarding the issue in the Blogger service.

I found an HTTP Parameter Pollution vulnerability in Blogger that allows an attacker to add himself as an administrator on the victim's Blogger account.

Technical details:

Here are the steps for getting admin permissions over any Blogger account.

1. The attacker uses the invite author option in Blogger (add authors).

Vulnerability location:

POST /add-authors.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite

As you can see, I added two blogID values to my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue).

The server checks the permission against the first blogID value (the attacker's own blog, which he is allowed to administer) but executes the invite against the second blogID value (the victim's blog).

2. After that, the attacker receives a mail asking him to confirm as an author (the author invitation link). After accepting it, the attacker is added as an author on the victim's account.

3. At this step it becomes possible to modify the attacker's permission from author to administrator.

Vulnerability location:

POST /team-member-modify.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges

As you can see, there is another field in this request called memberID.

Every user in Blogger has a memberID value, so the attacker also needs to provide his own memberID value in this POST request.

In the Blogger service, every administrator and author has a memberID value. So, to make the attack successful (become administrator), the attacker must first add himself as an author on the victim's account; only then can the next step, the same duplicated blogID trick against team-member-modify.do, add him as an administrator on the victim's account.
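The two requests above (steps 1 and 3) share one root cause: a parameter sent twice is read by two server layers that disagree on which copy wins. The following added example, which is not the author's code and not Blogger's implementation, models that split in Python: a permission check that reads the first blogID and an action layer that reads the last one, exactly as the post describes, beside the hardened path that rejects duplicated parameters up front and uses a single value for both the check and the action. Blog names, users and the state layout are constructed sample data; `find_duplicate_params` is the check a defender would run over incoming form bodies or request logs.

```python
"""Model of the HTTP Parameter Pollution (HPP) flaw described above.

Both requests in the post repeat blogID. This constructed model (not Blogger's
code) assumes a server where the permission check reads the FIRST blogID while
the action layer reads the LAST one, so the attacker's own blog satisfies the
check and the action lands on the victim's blog. resolve_target(strict=True)
shows the fix: duplicates are rejected, and one value serves both purposes.
"""
from urllib.parse import parse_qs


def fresh_state() -> dict:
    """Constructed sample data: two blogs, each with its authors and admins."""
    return {
        "attackerblog": {"authors": set(), "admins": {"attacker"}},
        "victimblog":   {"authors": set(), "admins": {"victim"}},
    }


def find_duplicate_params(body: str) -> list:
    """Names of form parameters sent more than once: the HPP signal to log or block."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(k for k, v in params.items() if len(v) > 1)


def resolve_target(state: dict, user: str, body: str, strict: bool) -> tuple:
    """Return (parsed params, blog the action will hit) after the admin check.

    strict=False models the vulnerable split: authorization uses
    params['blogID'][0], the action later uses params['blogID'][-1].
    strict=True is the hardened path: reject duplicates first, then use the
    single remaining value for both the check and the action.
    """
    if strict:
        dupes = find_duplicate_params(body)
        if dupes:
            raise ValueError("duplicate parameters rejected: " + ", ".join(dupes))
    params = parse_qs(body, keep_blank_values=True)
    checked_blog = params["blogID"][0]
    if user not in state[checked_blog]["admins"]:
        raise PermissionError(f"{user} is not an admin of {checked_blog}")
    target_blog = checked_blog if strict else params["blogID"][-1]
    return params, target_blog


def add_author(state: dict, user: str, body: str, strict: bool) -> str:
    """Step 1 of the post (add-authors.do): returns the blog actually modified."""
    params, blog = resolve_target(state, user, body, strict)
    state[blog]["authors"].add(params["authorsList"][0])
    return blog


def grant_admin(state: dict, user: str, body: str, strict: bool) -> str:
    """Step 3 of the post (team-member-modify.do): promote an existing member."""
    params, blog = resolve_target(state, user, body, strict)
    member = params["memberID"][0]
    if member not in state[blog]["authors"]:
        raise LookupError(f"{member} is not a member of {blog}")
    state[blog]["admins"].add(member)
    return blog


if __name__ == "__main__":
    # Constructed request body in the shape shown in the post.
    invite = ("security_token=t&blogID=attackerblog&blogID=victimblog"
              "&authorsList=attacker&ok=Invite")
    st = fresh_state()
    print("duplicated params:", find_duplicate_params(invite))
    print("vulnerable server modified:", add_author(st, "attacker", invite, strict=False))
    try:
        add_author(fresh_state(), "attacker", invite, strict=True)
    except ValueError as err:
        print("hardened server:", err)
```

The fix is deliberately two-part: rejecting duplicated keys closes this request shape, but the durable control is that the authorization decision and the action consume the same parsed value, so a disagreement between parsers can no longer separate "what was checked" from "what was done".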

Attached PoC video:

1. (YouTube source):

http://www.youtube.com/watch?v=AdIWl0gkynk

2. (Full video download):

http://www.2shared.com/file/90mjfuab/Blogger_Get_Administrator_priv.html

(The vulnerability described here was confirmed and patched very quickly by the Google Security Team.)

Best Regards

Nir.Goldshlager
