lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4429C275.9090700@libero.it>
Date: Wed, 29 Mar 2006 01:10:45 +0200
From: raven <locrideweb@...ero.it>
To: "Bugtraq @ SNSecurity" <bugtraq@...ecurity.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Cantv/Movilnet's Web SMS vulnerability.


Bugtraq @ SNSecurity wrote:
>
> Quick Summary:
> ************************************************************************
>
> Product : Movilnet's Web SMS.
> Version : In-production versions.
> Vendor : Movilnet - http://www.movilnet.com.ve/
> Class : Remote
> Criticality : High
> Operating System(s) : N/A.
[snip]
> Proof Of Concept Status
> ************************************************************************
>
> No proof of Concept will be released until the provider has sorted out 
> the
> issue.
A first impact Proof of Concept is to use imagemagick tools with gocr to 
have a good image.
I've used colors level input: 31 0.11 160 (you can use gimp too to see 
the effects) to have a white background and black (or most like black 
:P) foreground.
Later i've used gocr with djpeg in pipe (see gocr -h to understand 
better) and i've obtained the famous number.
I've already writed a perl software to send sms to cantv mobiles and not 
is soo hard to implement this last operations, but not is public this 
latest version because i do for myself.

> Credits
> ************************************************************************
>
> This vulnerability was discovered by Ruben Recabarren and Leandro 
> Leoncini
> at SNSecurity's Research Lab.
>
Good work, to the advisors. But i think that everyone that have a not so 
insane mind can understand the CanTv stupidity of this captcha 
implementation.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ