Open Source and information security mailing list archives
Date: Fri, 4 Apr 2008 16:37:56 -0400
From: Ureleet <ureleet@...il.com>
To: "Micheal Turner" <wh1t3h4t3@...oo.co.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: n3td3v agenda & Solid Information Security State Release 0012

r u serious?

On Fri, Apr 4, 2008 at 10:48 AM, Micheal Turner <wh1t3h4t3@...oo.co.uk>
wrote:

>      n3td3v agenda & Cyber Security group
>      ====================================
>
>  Solid Information Security State Release #0012a
>
> MARKING: RESTRICTIONS APPLY.
> FAO: WORLD LEADERS
>
> == Introduction ==
> Serious high-risk ultra critical vulnerability has
> been identified in Remote Help application that may be
> used by CIA, NSA and FBI employees when helping
> colleagues on anti-terror campaigns. RemoteHelp is a
> minimal http server that allows to view and control a
> remote pc running a 32-bit version of Microsoft
> Windows.
> Current version is 0.0.6 and runs stand-alone or
> installs as a service.
>
> == URL ==
> http://sourceforge.net/projects/remotehelp/
>
> == HISTORY ==
> After n3td3v agenda emailed the NSA, SANS and all
> information security groups and was found not to be
> taken seriously. High risk proof of concept exploit
> code has been authored for severe vulnerability in
> Remote Help application which may be used by any number
> of Yahoo!, Google!, Ebay! or NSA employees. This
> vulnerability gives rise to serious national
> infrastructure risk and should not be underestimated!
>
> == Proof of Concept ==
> I found a vulnerability in the pages.c file which
> generates the login page dialog and authenticates a
> user after it checks if your "user" and "pass"
> parameter match the defaults
> (user/default) it does this:
>
>   strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT",1024);
>
> for a valid login and for an invalid login it sets an
> expired cookie like so;
>   strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-1970 22:11:40 GMT",1024);
>
> all you have to do is add "Cookie: user=default;
> path=/; expires=Sun, 11-May-2030 22:11:40 GMT" to your
> HTTP request and you can bypass
> authentication to the Remote Help server and access
> the filesystem/exec commands/view the webcam of the
> hosts running it.
>
> == Credit ==
>
> n3td3v & documentation help by Michael Turner.
>
> "Never trust your employees."
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
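
Added example, not part of the thread and not RemoteHelp's own code: the quoted advisory describes a login that hands every user the same constant cookie, so the cookie proves nothing about who sent it. The sketch below contrasts an assumed check of that kind with a server-side random session token; all function names and the `session=` cookie name are hypothetical, and `/dev/urandom` stands in for the platform CSPRNG.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 32  /* hex characters, i.e. 128 random bits */

static char session_token[TOKEN_LEN + 1];  /* kept server-side only */
static int session_active = 0;

/* Assumed weak check: accepts the fixed cookie value quoted in the post. */
int weak_is_authenticated(const char *cookie) {
    return cookie != NULL && strstr(cookie, "user=default") != NULL;
}

/* Called after a successful login: mint an unpredictable per-session token.
 * /dev/urandom is a POSIX stand-in; a Windows build would call
 * BCryptGenRandom instead. Returns 0 on success, -1 on failure. */
int session_create(void) {
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n, i;
    if (f == NULL) return -1;
    n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (i = 0; i < sizeof raw; i++)
        sprintf(session_token + 2 * i, "%02x", (unsigned)raw[i]);
    session_active = 1;
    return 0;
}

/* Accessor used to build the Set-Cookie header after login. */
const char *session_current(void) { return session_token; }

/* Hardened check: the cookie must carry the token minted for this session. */
int hardened_is_authenticated(const char *cookie) {
    const char *p;
    unsigned char diff = 0;
    size_t i;
    if (!session_active || cookie == NULL) return 0;
    p = strstr(cookie, "session=");
    if (p == NULL) return 0;
    p += strlen("session=");
    for (i = 0; i < TOKEN_LEN; i++) {
        if (p[i] == '\0') return 0;  /* shorter than a real token */
        diff |= (unsigned char)(p[i] ^ session_token[i]);  /* no early exit */
    }
    if (p[TOKEN_LEN] != '\0' && p[TOKEN_LEN] != ';') return 0;
    return diff == 0;
}
```

The token should also be cleared on logout and after an idle timeout, so a captured value stops working.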