web application security lab

Google Picasa Listening on Port 80

You can probably already tell where this is going just by the title, but it’s got me thinking. There’s a post on bugtraq from a few days ago about Google’s Picasa opening up ports for the attacker. There are a lot of applications that bind to localhost port 80, and it just so happens that with JavaScript we have access to localhost:80. How cute! Using JavaScript malware we can now execute commands on those locally hosted webservers that were never visible to us before. Not even 127.0.0.1, but localhost:80, which your browser thankfully gives us access to.

There are a ton of applications that do this, and they are normally outside of our control. Just because a machine has port 80 open doesn’t mean you can do anything about it if the service isn’t bound to an external interface, but in this case the browser acts as the lifter of that cross-domain restriction, using CSRF, with our cross-RFC1918 JavaScript scanner at our disposal. So now things like Google Desktop and Picasa and other tools that bind only to localhost are up for grabs. It’s just a matter of time before this is turned into a remote compromise. Any bets on which one will be first? Time to get VMware up and running again.
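As an added example (not code from the original post or from any of the products it names): a minimal localhost listener in Python that refuses requests a visited web page could forge. Binding to 127.0.0.1 is not enough, since the browser forwards the page's requests to localhost; the service has to check the Host and Origin headers and demand a token the page cannot know. The port, the header name and the client hand-off are assumptions.

```python
"""Localhost service that rejects browser-forged cross-site requests.

Hypothetical example: the token is handed to the legitimate local
client out of band (e.g. written to a file only that user can read);
a web page running in the browser never learns it.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
import secrets

LOCAL_NAMES = {"localhost", "127.0.0.1"}
SESSION_TOKEN = secrets.token_hex(16)  # shared only with the real client


def is_trusted_request(headers, expected_token=SESSION_TOKEN):
    """Return (ok, reason) for a request that reached the local listener."""
    # Host must name the loopback service; any other name means the
    # browser was pointed here under a non-local hostname.
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in LOCAL_NAMES:
        return False, "non-local Host header"
    # Browsers add Origin to cross-site POST/fetch requests; reject any
    # origin that is not the service itself.
    origin = headers.get("Origin")
    if origin is not None and urlsplit(origin).hostname not in LOCAL_NAMES:
        return False, "cross-site Origin"
    # Simple GETs from <img>/<script> tags carry no Origin, so the token
    # is what finally keeps a visited page from driving the service.
    if headers.get("X-Local-Token") != expected_token:
        return False, "missing or wrong token"
    return True, "ok"


class LocalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok, reason = is_trusted_request(self.headers)
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write((reason + "\n").encode())

    do_POST = do_GET


if __name__ == "__main__":
    # Loopback only; the header and token checks above do the real work.
    HTTPServer(("127.0.0.1", 8080), LocalHandler).serve_forever()
```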

9 Responses to “Google Picasa Listening on Port 80”

  1. WhiteAcid Says:

    I think skype does this too. I used to have problems that Apache didn’t start. The error was something about log files but I realised (via netstat -p TCP -b) that skype was listening on port 80 and therefore Apache couldn’t bind to it. I can’t remember how I solved it because I still have both running automatically, though since Apache is a service it should run first, maybe that’s how I solved it.

    Maybe you could make them call people? Maybe even call a premium rate line if they have SkypeOut. I don’t know why it binds to port 80 or what you can do via that, or if it maybe was just a freak accident, though my PC doesn’t usually do those, it behaves well.

  2. RSnake Says:

    Yah, conflicts will get you every time. There’s a cool tool called fport that can help you identify what is running on which port. Super useful tool and actually helped me find a few previously unseen adware tools. It’s worth the download.

    I can’t comment on Skype in particular, but just like anything, if it uses its own directive you can get people to automatically do stuff.

  3. WhiteAcid Says:

    That is useful. Thanks.

  4. RSnake Says:

    And btw, if you just want to see an annoying example of forced directives click here (be warned, this will really really really suck and you’ll probably have something crash as a result).

  5. WhiteAcid Says:

    Good thing I prepended view-source: to the url before going there :p

  6. RSnake Says:

    Party pooper. ;) Give it to your friends for a laugh. It’s sure to please.

  7. WhiteAcid Says:

    Just had someone on a forum I admin do that through his avatar. We force the file extension to be a valid image type but of course people can simply use .htaccess files to have their server run a jpg as if it were php. So this guy had this code run for his avatar “image”:

    Obviously that’s only one popup, and it seemed to be Firefox only, but still humorous.

  8. WhiteAcid Says:

    uhmm.. WP got rid of the code. htmlentities’d it:
    <?php
    // Served in place of the avatar image: redirect to a mailto: URL so the
    // viewer's browser opens their mail client instead of showing a picture.
    header("Location: mailto:fsf");
    ?>

  9. RSnake Says:

    That’s pretty much exactly what I was talking about in one of my previous posts. Great way to annoy people, or otherwise let them know your email address when that is otherwise forbidden on the site.