Message-ID: <OFABC5FD22.44219D00-ON88256E40.00696E5D-88256E40.006BB0B4@2roads.com>
Date: Fri, 20 Feb 2004 11:36:14 -0800
From: mgotts@...ads.com
To: LordInfidel@...ectionweb.com
Cc: bugtraq@...urityfocus.com, 'Pavel Levshin' <flicker@...iinsky.ru>
Subject: RE: Remote Administrator 2.x: highly possible remote hole or backdoor


LordInfidel@...ectionweb.com wrote on 02/18/2004 10:58:58 AM:

> From reading the thread on famatech's site, this looks more like a weak
> password issue, which is true of "ANY" piece of software
> using simple password authentication.
> 

Actually, if you read the thread closely you will see that the attacks are 
said to comprise a *single* password attempt. On the second connection 
they were in. Tens of minutes pass between the two attempts. This behavior 
is observed in more than one of the attacks.

> 
> Strong enough means absolutely nothing in the world of dictionary
> attacks......

No dictionary attack is being performed. The user claims that his logs 
show that the server is being sent a single password-attempt string of 
some kind, and on the next connection the attacker is in. I say 
"password-attempt string" because it is quite probable that the Radmin 
client is not being used for the initial. The exploit may take 
advantage of a flaw in the authentication system, or make use of a 
discovered backdoor. Note that those who claim to have been hacked said 
their logs show an initial attempt (probably automated) and then a single 
successful login (no dictionary attack) 10-15 minutes later, presumably 
after the attacker checked his scanner logs and found a vulnerable system.

Additionally, there is a post from an anonymous user who claims to have 
developed an attack against Radmin's built-in authentication scheme. 
Although the posting could be complete BS, this person claims that the 
vulnerability does not exist in Radmin's optional NT authentication 
scheme. This same poster claims that he is going to contact Radmin in a short 
while with the details. Guess we'll see.

None of this is proof, of course. But there is also zero proof that every 
case is a weak password or dictionary attack. A bug in the authentication 
scheme is certainly possible.

If I get a chance, maybe I can set up a honeypot machine with radmin (and 
a secure password) and see what happens.

-- Mark
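The log pattern Mark describes (one failed attempt from a source, then a successful login from the same source some ten minutes later, with no brute-force run in between) is something a defender can look for directly. The script below is an added example and is not code from the original post or from Famatech; the log line format, the field names, the sample addresses and the 5-30 minute window are all constructed assumptions, since the page does not show Radmin's actual log layout. It separates that "single probe, then login" signature from an ordinary brute-force run, which the thread says is not what was observed.

```python
"""Classify login sources by the pattern of failures preceding a success.

Added example, not from the original post. The log format, field names and
timing window are hypothetical; adapt LINE_RE and the thresholds to real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, source, outcome).
# 203.0.113.7  : one failure, success ~13 minutes later  -> the thread's pattern
# 198.51.100.9 : five rapid failures then success        -> brute force
# 192.0.2.5    : success with no prior failure           -> normal
# 192.0.2.6    : one failure, success 30 s later         -> normal (too fast)
SAMPLE_LOG = """\
2004-02-17 02:11:05 src=203.0.113.7 auth=FAILED
2004-02-17 02:24:41 src=203.0.113.7 auth=OK
2004-02-17 03:00:00 src=198.51.100.9 auth=FAILED
2004-02-17 03:00:01 src=198.51.100.9 auth=FAILED
2004-02-17 03:00:02 src=198.51.100.9 auth=FAILED
2004-02-17 03:00:03 src=198.51.100.9 auth=FAILED
2004-02-17 03:00:04 src=198.51.100.9 auth=FAILED
2004-02-17 03:00:05 src=198.51.100.9 auth=OK
2004-02-17 04:10:00 src=192.0.2.5 auth=OK
2004-02-17 05:00:00 src=192.0.2.6 auth=FAILED
2004-02-17 05:00:30 src=192.0.2.6 auth=OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) auth=(OK|FAILED)$")


def parse(log_text):
    """Return a dict mapping source -> list of (timestamp, success_flag)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[m.group(2)].append((ts, m.group(3) == "OK"))
    return events


def classify(log_text, min_gap=timedelta(minutes=5),
             max_gap=timedelta(minutes=30), brute_threshold=5):
    """Label each source 'single_probe_then_login', 'brute_force' or 'normal'.

    A success preceded by >= brute_threshold consecutive failures is brute
    force. A success preceded by exactly one failure, with the gap between
    them inside [min_gap, max_gap], matches the pattern from the thread.
    """
    result = {}
    for src, evs in parse(log_text).items():
        evs.sort(key=lambda e: e[0])
        label = "normal"
        for i, (ts, ok) in enumerate(evs):
            if not ok:
                continue
            # Collect the consecutive failures immediately before this success.
            fails = []
            j = i - 1
            while j >= 0 and not evs[j][1]:
                fails.append(evs[j][0])
                j -= 1
            if len(fails) >= brute_threshold:
                label = "brute_force"
                break
            if len(fails) == 1 and min_gap <= ts - fails[0] <= max_gap:
                label = "single_probe_then_login"
                break
        result[src] = label
    return result


if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```

The point of the window is the delay Mark notes: an automated scanner probes once, and the operator returns minutes later. A single failure followed a few seconds later by a success (192.0.2.6 above) is what a user mistyping a password looks like and is deliberately left unflagged, so the check reports only the delayed pattern and the mass-guessing pattern.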

