lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 9 Jul 2012 10:07:12 -0400
From: Григорий Братислава <musntlive@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Remote Exploit in Words With Friends

Hello is full disclosure!! !! !!

Is like to warn you about remote vulnerability is "Words With Friends"

-----------------------------
Advisory: Words With Friends is played by millions of people. Attack
is grant remote access to is player machine. Full control
-----------------------------
URL:http://tinyurl.com/wordsisfriends
-----------------------------
Affected products: All is Apple products that is allow Words With Friends.
-----------------------------
Timeline:

01.07.1997 - Hong Kong returned to China
01.01.1998 - Richard Bejtlich first to discover and make term APT
02.01.1998 - Richard Bejtlich is made Captain of USAF CERT
03.07.2007 - GE is bamboozled is to think APT is after them
15.03.2011 - GE subordinates is so happy no more APT paranoia after April
01.04.2011 - Mandiant is next company to be APT bamboozled
-----------------------------
Details:

Words With Friends players is play game to make words and get points.
Musntlive is discover remote vulnerability in game.
-----------------------------
PoC Code:

%68%74%74%70%3a%2f%2f%77%77%77%2e%6c%65%78%69%63%61
%6c%77%6f%72%64%66%69%6e%64%65%72%2e%63%6f%6d%2f%3f
%67%61%6d%65%3d%57%a%6f%72%64%73%5f%57%69%74%68%5f
%46%72%69%65%6e%64%73%26%6c%61%79%6f%75%74%3d%31%26
%74%69%6c%65%73%3d%25%32%30%26%62%6f%61%a%72%64%3d%
2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%
2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%
2d%2d%2d%a%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d
%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d
%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%a%2d%2d%2d%77%2d%2d
%2d%2d%2d%2d%2d%2d%2d%2d%6d%2d%2d%2d%61%2d%2d%2d%2d
%2d%2d%2d%2d%2d%76%75%6c%6e%65%72%61%62%69%6c%69%74
%a%79%2d%2d%2d%73%2d%2d%2d%6e%2d%2d%73%2d%2d%2d%6f
%2d%2d%2d%74%2d%2d%2d%2d%2d%2d%2d%61%62%6f%75%74%2d
%2d%2d%2d%2d%2d%2d%2d%a%2d%2d%2d%2d%2d%2d%2d%2d%2d
%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%6d%6f%76
%25%32%30%64%78%25%32%30%61%78%25%32%30%25%a%32%30
%2d%2d%2d%2d%6d%6f%76%2d%64%6c%25%32%30%63%6c%25%32
%30%25%32%30%2d%2d%2d%2d%70%6f%70%2d%65%73%2d%2d%2d
%2d%2d%2d%2d

-----------------------------
Live exploit

http://tinyurl.com/wordsisfriends


Best regards & is wishes,
MusntLive
Administrator of Internet Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists