Date: Fri, 4 Apr 2008 15:48:12 +0100 (BST)
From: Micheal Turner <wh1t3h4t3@...oo.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: n3td3v agenda & Solid Information Security State
	Release 0012a

      n3td3v agenda & Cyber Security group
      ====================================

 Solid Information Security State Release #0012a

MARKING: RESTRICTIONS APPLY.
FAO: WORLD LEADERS

== Introduction ==
A serious high-risk ultra critical vulnerability has
been identified in the Remote Help application that may
be used by CIA, NSA and FBI employees when helping
colleagues on anti-terror campaigns. RemoteHelp is a
minimal http server that allows viewing and controlling
a remote PC running a 32-bit version of Microsoft
Windows.
The current version is 0.0.6 and runs stand-alone or
installs as a service.

== URL ==
http://sourceforge.net/projects/remotehelp/ 

== HISTORY ==
After n3td3v agenda emailed the NSA, SANS and all
information security groups and was found not to be
taken seriously, high risk proof of concept exploit
code has been authored for a severe vulnerability in
the Remote Help application which may be used by any
number of Yahoo!, Google!, Ebay! or NSA employees. This
vulnerability gives rise to serious national
infrastructure risk and should not be underestimated!

== Proof of Concept ==
I found a vulnerability in the pages.c file, which
generates the login page dialog and authenticates a
user. After it checks if your "user" and "pass"
parameters match the defaults (user/default), it does
this:

   strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT",1024);

for a valid login, and for an invalid login it sets an
expired cookie like so:

   strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-1970 22:11:40 GMT",1024);

All you have to do is add "Cookie: user=default;
path=/; expires=Sun, 11-May-2030 22:11:40 GMT" to your
HTTP request and you can bypass authentication to the
Remote Help server and access the filesystem/exec
commands/view the webcam of the hosts running it.

== Credit ==

n3td3v & documentation help by Michael Turner.

"Never trust your employees."
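
An added example, not part of the original post and not RemoteHelp's own code: the fixed-value cookie check the post describes, modelled beside a hardened form that issues a random per-login token held on the server. All function names are hypothetical, and the sketch assumes a single session slot and a POSIX /dev/urandom (a Windows build would use the system CSPRNG instead).

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_BYTES 16
#define TOKEN_HEX (TOKEN_BYTES * 2)

/* Model of the behaviour described in the post: the cookie value is a
   constant, so its presence proves nothing about who sent the request. */
static int weak_is_authenticated(const char *cookie_hdr) {
    return cookie_hdr && strstr(cookie_hdr, "user=default") != NULL;
}

/* Hardened form: the server remembers a random token issued at login. */
static char session_token[TOKEN_HEX + 1]; /* empty string = no session */

/* Call only after the user/pass check succeeds. Returns 0 on success. */
static int session_start(char *set_cookie, size_t n) {
    unsigned char raw[TOKEN_BYTES];
    FILE *f = fopen("/dev/urandom", "rb"); /* assumption: POSIX host */
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        sprintf(session_token + 2 * i, "%02x", raw[i]);
    snprintf(set_cookie, n, "sid=%s; Path=/; HttpOnly", session_token);
    return 0;
}

/* Accept a request only if its Cookie header carries the issued token. */
static int session_is_authenticated(const char *cookie_hdr) {
    const char *p = cookie_hdr ? strstr(cookie_hdr, "sid=") : NULL;
    if (!p || session_token[0] == '\0') return 0;
    p += 4;
    if (strlen(p) < TOKEN_HEX) return 0;
    unsigned char diff = 0; /* compare without an early exit */
    for (size_t i = 0; i < TOKEN_HEX; i++)
        diff |= (unsigned char)(p[i] ^ session_token[i]);
    /* the value must end here, not merely start with the token */
    return diff == 0 && (p[TOKEN_HEX] == '\0' || p[TOKEN_HEX] == ';');
}

/* Logout or failed login: forget the token so old cookies stop working. */
static void session_end(void) { memset(session_token, 0, sizeof session_token); }
```
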

