Hack The Gmail Filesystem

10 11 2006

Via Full Disclosure

This is pretty cheeky:

Darkz wrote:
>>>>
>>>>
>>>>> Mail Drives Security Considerations
>>>>> ===================================
>>>>>
>>>>> Author: Attila Gerendi (Darkz)
>>>>> Date: November 03, 2006
>>>>>
>>>>>
>>>>> There are more “mail drive” solutions available like “GMail Drive”,
>>>>> “GSpace”, “Gmail FS”, etc.. These systems are built to store ordinary
>>>>> files in email accounts (usually gmail because it’s free 2Gb++ space).
>>>>>
>>>>> In some of these solutions the files and folders usually are stored as
>>>>> attachments in a special email. The file system does not have FAT (File
>>>>> Allocation Table) and the informations regarding the name and path of
>>>>> the files/folders are stored in the email SUBJECT field. Additionally
>>>>> there is no mechanism to filter these emails.
>>>>>
>>>>> So the problem is the remote attacker can shout blindly emails which
>>>>> describe a file or folder in this file systems and manipulate or inject
>>>>> files into that file system. This may be used for a new spam type or to
>>>>> inject undesirable/malicious files into someone’s file collection. At
>>>>> the first sight this can not be worse then plain email spamming, however
>>>>> because this concept is extending the email use if no sanitation will be
>>>>> included then it will extend the spam use as well, some malicious people
>>>>> will find out new malicious solutions for particular or generic situations.
>>>>>
>>>>> A few examples are described below, other may exist.
>>>>>
>>>>> 1. viksoe’s GMail Drive shell extension
>>>>> —————————————
>>>>>
>>>>> – file injection. You can inject files into the “GMail Drive file
>>>>> system” by sending email with Subject: “GMAILFS: /new_filename.txt
>>>>> [13;a;1]” and “new_filename.txt” as attachment. However if the sender is
>>>>> not “self” then the filename will be displayed with red color. The
>>>>> sender email address can be spoofed.
>>>>>
>>>>> – folder creation. You can create new folder by sending email with
>>>>> Subject: “GMAILFS: /new_folder/. [14;a;1]”
>>>>>
>>>>> – rewrite file contains. You can overwrite file displayed content
>>>>> sending email with Subject: “GMAILFS:
>>>>> /existing_path/existing_filename.txt [13;a;1]” and “filename.txt” as
>>>>> attachment. However if the sender is not “self” then the extension will
>>>>> display 2 files with the same name but both will have the same new content.
>>>>>
>>>>>
>>>>>
>>>>> 2. Gmail File Space(GSpace) by Rahul Jonna
>>>>> ——————————————
>>>>>
>>>>> – file injection. You can inject files into the “GSpace file system”
>>>>> by sending email with Subject: “GSPACE|new_filename.txt|2174|1|1|1|gs:/
>>>>> d$” and putting “new_filename.txt” and “metadata.txt” as attachment.
>>>>> However the interface will fill the “from” information with the sender
>>>>> email address. The sender email address can be spoofed.
>>>>>
>>>>> – folder creation. You can create new folder by sending email with
>>>>> Subject: “GSPACE|test/|-135|1|1|0|gs:/ d$” and “blank.txt” and
>>>>> “metadata.txt” as attachment. However the interface will fill the “from”
>>>>> information with the sender email address. The sender email address can
>>>>> be spoofed.
>>>>>
>>>>>
>>>>> Solution:
>>>>> ———
>>>>> there are more possible solutions to filter unwanted content, such as
>>>>> inserting unpredictable id-s in the emails, message signing, but none
>>>>> (in my opinion) which can offer backward compatibility.
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure – We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia – http://secunia.com/
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>> I am not really familiar with message signing but i guess you can not sign
>>> already received emails in your inbox. So how you manage the older
>>> files(emails)? If you chose to support signed and unsigned emails then you are
>>> vulnerable, if you not then you have to delete all files(emails) and rewrite
>>> them, which method is no more compatible with the old file-system. Please
>>> correct me if I am wrong.
>>>
>>> Attila Gerendi
>>>
>>
>>
>>
> Then the remote attacker will have to override the email date. After a fast test
> I found out it can be done by changing the settings on the SMTP server, and
> that is possible if you have access to server setting or you own one. I send
> this email with altered SMTP server date, you should check in the email headers
> to see how will arrive to you.
>
> Attila Gerendi 

I shall give it a try and report back!!  Mad credit to Darkz for putting finger to key to write all this.


Actions

Information

One response

15 06 2012
Ronaldinho

Thanks for sharing superb informations. Your website is very cool. I am impressed by the details that youˇ¦ve on this website. It reveals how nicely you understand this subject. Bookmarked this website page, will come back for extra articles. You, my pal, ROCK! I found just the information I already searched everywhere and just could not come across. What a perfect web-site.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: