| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jsage at finchhaven.com (John Sage)
Subject: NSRG-Security SaS Encryption cracked
hmm..
On Wed, Oct 15, 2003 at 01:55:10AM -0500, Paul Tinsley wrote:
> ----------------------------------------------------------------------
> Product: SaS (Security Application Server)
> Vendor: NSRG (No Secure Root Group Security Research)
> Lorenzo Hernandez Garcia-Hierro
> <lorenzohgh@...g-security.com>
> Impact: Intellectual property disclosure
> Bulletin-ID: PT.2003.0001
> -----------------------------------------------------------------------
>
>
> Product Description (From Vendor Website):
> We are happy to announce that sas website is now ( again ) online in this
> server by accessing sas.nsrg-security.com , migrate your links to this
> server. The portal version is the latest of phpWebSite. We trust in
> phpWebSite , a very secure solution in this last version ( old versions
> are
> affected by SQL Injections , XSS attacks and PD attacks , discovered by
> Lorenzo H G-H/trulux ).
>
> Method of Disclosure:
> If you have the GET script installed:
> GET http://www.nsrg-security.com | lorenzo_decode.pl > outfile.html
> If you have wget:
> wget http://www.nsrg-security.com -O enc.html
> lorenzo_decode.pl < enc.html > outfile.html
>
> Background:
> After the veritable cornucopia of website exploits posted today on
> full-disclosure it inspired me to audit a few websites myself. I started
> with the author of all the IMHO frivolous postings and found that he
> "encrypted" his website with something called SaS that his group wrote.
> I figured man this Lorenzo guy has lots of free time to pick apart
> everybody's websites, his must be top notch. "Exploit" code is attached
> and also available at:
> http://jackhammer.org/exploits/lorenzo_decode.pl
>
>
> Cheers,
> Paul Tinsley
>
[jsage@...rky /storage/virii] $ wget http://www.nsrg-security.com -O enc.html
--01:08:01-- http://www.nsrg-security.com/ => `enc.html'
Resolving www.nsrg-security.com... done.
Connecting to www.nsrg-security.com[217.174.193.31]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[<=> ] 99,239 5.60K/s
01:08:22 (5.60 KB/s) - `enc.html' saved [99239]
[jsage@...rky /storage/virii] $ less enc.html
<!-- Web Site desing by Lorenzo Hernandez Garcia-Hierro--><!-- Encrypted using Security Application Server of No Secure Root Group Security Research -->
<script language=JavaScript type=text/javascript>function
decrypt_p(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,8,24,49,19,61,12,0,45,7,0,0,0,0,0,0,46,31,20,5,37,43,6,28,29,38,56,53,54,2,62,4,51,42,32,57,33,58,44,41,50,59,21,0,0,0,0,55,0,52,27,47,30,14,13,23,35,3,15,60,1,25,26,39,34,18,22,11,17,40,10,16,9,48,36);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("CIxTTE@...A5Rg2Y3hdUCrjkooeYIgJT1QupXbWSvQ2J39dT89jUWg2zsrmT3Af3sbfPtPVXs4GXvQ1JEAJIuNnIf9fXxcxQcImP74Gyb
/* snip */
[jsage@...rky /storage/virii] $ ./lorenzo_decode.pl < enc.html >
outfile.html
/* NOTE: performed only after a thorough security audit of the perl
source -- one can't be any too careful these days, can one? */
[jsage@...rky /storage/virii] $ less outfile.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>.::-No Secure Root Group Security Research-::. - You can be
secure thinking the opposite</title>
<link rel="stylesheet" type="text/css"
href="http://www.nsrg-security.com/visual/clean/style.css"
title="clean">
/* snip */
Awesome work, man, awesome work.
As for you, Lorenzo, back to the drawing board...
- John
--
"You are in a twisty maze of weblogs, all alike."
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
Powered by blists - more mailing lists