lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 22 Sep 2006 23:08:45 -0700
From: Jacob Appelbaum <jacob@...elbaum.net>
To: bugtraq@...urityfocus.com
Subject: Re: More Vulnerable ATM Models

Steve wrote:
> The entire Triton 9100, and 9700 hundred series of machines are
> vulnerable to the same default password problem that's been in the news
> lately in one form or another.
> 
>  More details can be found on my blog, including sources for the
> relevant manuals.
> http://hardware.quicksilverscreen.com/more-vulnerable-atm-models-discovered/
> 

These "vulnerabilities" are old hat. Every night club owner in your
nearest city knows about these default passwords. It's pretty common to
see a change in the messages on the receipts rather than changing the
value of the bills. I've heard about people changing the bills as a
prank and a nightclub is probably a good place to pull such a "prank" if
you're trying to mess with the company in question.

Common functions for those that haven't actually messed around with
these ATMs (or machines like them) include:
A three track magstripe reader that dumps card data to the screen.
A nifty printer demo.
The ability to change displayed messages on screen and on printouts.
Language localization.
The ability to change the password.

It's also quite easy to actually crash the ATM in the magnetic stripe
testing menu section. This is especially crappy for the owner or renter
of such a machine if it's built into a wall.

Extra points if you can fit your shellcode on a magnetic stripe and get
a connect back over the modem.

Also in the realm of important default passwords worth alerting the
world about:
Oregon trail can be won in under 30 minutes if you type the secret
password of "boom" during game play!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ