Open Source and information security mailing list archives
 
Date: Tue, 6 Jul 2004 09:21:43 -0500
From: "Burton M. Strauss III" <BStrauss@....org>
To: <bugtraq@...urityfocus.com>
Subject: xingtone opens server on desktop using undocumented protocol (probably http)


xingtone (www.xingtone.com) is a popular accessory for mobile phone ring
tone creation and download:

"Xingtone's desktop software is easy-to-use, legal, and allows you to create
mobile phone ringtones using digital audio files on your computer - music
clips, sound effects, your child's laugh, your dog’s bark, or any sound you
like!"

In the FAQ are these sections:

"How does the file get to my phone?
The section devoted to Using Ringtones describes this process in more
detail. Basically, the audio file is sent directly from your PC to the phone
in the form of an Internet link. During uploading, you will see the status
of the file during transport. Once you see the "RINGING" status, you can
check your phone for the text message. If you see an error such as "Attempt
to Connect Rejected," it is likely that you are operating behind a firewall,
which prevents the text message and file from reaching your phone. Please
try suspending any firewalls or web filters temporarily and try re-sending
the file."

"Why should I do with the text message that arrives on my phone?
The text message tells your phone where your ringtone is located. You must
keep the program open on your desktop in order to receive the text message.
If you upload a ringtone and do not receive a text message on your phone
very soon after that, please right-click on the silver part of the program
and confirm that you have selected the correct phone model and network.
Also, make sure that your coverage area is adequate enough to receive
data/text messages."

Note the "You must keep the program open on your desktop in order to receive
the text message."

When queried as to whether this meant that the desktop program was in fact
running a server and if so, which ports and protocols were being used, the
response was:


"if i told you i`d have to kill you......"

Users are cautioned that they may wish to explore the implications of
running this program.  I'm guessing it's running a small web server, but I'm
disinclined to explore further and can't offer any information on which
files are exposed or how secure it is.

-----Burton


