lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 08 Jul 2003 01:02:49 +0800
From: "XNUXER RESEARCH" <xnuxer@...kermail.com>
To: bugtraq@...urityfocus.com
Subject: Vulneralbility in aplication Billing Explorer


XNUXER RESEARCH SECURITY REPORT:
================================================================
Aplication Name: Billing Explorer
Vendor Site    : http://www.billingexplorer.com
Vendor Email   : info_008@...oo.com
Security       : High Risk
Vulnerable     : String command and Client Handle
without check control and without Encryption.
Version        : All versions.
Description    :
 
Billing Explorer is aplication which created on visual
basic. It's used to calculate duration
internet time using. I found that aplication isn't
encrypt the data when send to client and
It also not check what the client is login or not so
we can send spoofing packet to Billing
Explorer and act as server or other client.

Impact         : 
- Posible to shutdown, restart and logoff client from
other client without login.
- Send message to client as server.
- Spying client with remote client fasility from other
client.
- Zeroning duration time without relogin or stoping.
- Possible to hijacking password admin client and
password exit client. :P

Found by     : SCHIZOPRENIC
Organization : Xnuxer Research of Internet Security
Location     : Indonesia
Site         : http://infosekuriti.com (donation by
fans)

Exploitation :
In example if you want nulling duration time, firstly
you must connect to billing server 
(default configuration on billing use port: 1500) and
send packet data to server with sintaks:

         XXX$con$<client number>$<username>

The server would respon and send back data like this:

         YYY$con$13:19:22$adminclientpass$12:00:00 AM

if you send again like the first packet to billing. It
will recalculate duration time begin to
null. The Billing stupid too, we can send with
multiple connection and actions as same client
with same login without restricted. 

To shutdown other client you can send the packet data
with sintaks: YYY$shut$<num client>$5
Another command sintaks owned by me and programmer of
billing explorer (LoL) :D and not 
publishied here.

Response:
Vendor contacted without response yet.

SCHIZOPRENIC (researcher)
==========================
Xnuxer Research of Internet Security since 2001
For Education Purpose

YAHOO is suck to post, many my report can't post to bugtraq
-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ