Open Source and information security mailing list archives
Date: Sat, 01 Apr 2006 02:48:18 +0200
From: raven <locrideweb@...ero.it>
To: rrecabarren@...ecurity.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Cantv/Movilnet's Web SMS vulnerability.


Dear whatever-your-name-is :P

rrecabarren@...ecurity.com wrote:
> What you are talking about is "separability". You are pointing out that you can in fact separate what is good and what is garbage from the picture. We do mention such a problem, but it is not the worst of it at all. The real problem with this implementation is that the "challenge space" is too small. Let me explain this to you with a question:
>
> What good is it to have a captcha with rotation, different fonts, deformation, and a background that does not allow separation, if you can only generate a total of
> 3 pictures to challenge your users with??
>
> It amounts to nothing. You could simply calculate the MD5 hashes (or choose a not so broken digest algorithm, "tiger" if you want, I just can't get used to the sound of
> "tiger hashes", but English is not my native language so what do I know?... ;-)) of those 3 images, and when later challenged with one of them you will know
> exactly what the right answer was. Now, if that number is not 3, but a 1000, same thing. If it is 10^6, same thing. This is way too small.
>
English is not my native language either, so I think that a captcha is not a
good solution to stop spam or SMS bombs from the Internet.
What I wrote in my first mail (the first in bugtraq :P) is the first
solution that came to my mind to bypass the captcha problem.
I agree with you that it is useless to use many tricks like rotation,
different font sizes or whatever comes to the programmer's mind when you
use a little pool of numbers.

> This technique, by the way, gives you 100% success rate whereas most OCR based solutions are bound to have some failure rate greater than 0 due to their heuristic methodology.
> You can think of this as the captcha's brute force technique. When it is better to brute force a captcha than to use other techniques, you know there is a very
> serious problem with that implementation and should change it as soon as you can... or at least implement additional systems to protect your users.
It is a brute force solution. I read many days ago what the W3C thinks
about captchas and I agree with this document.
Is it not better to make a solution with username and password to send SMS?
For example, CanTV doesn't pay for messages, so why doesn't the interested
user receive an SMS with alphanumeric digits, for example 10, which makes
brute force of little use because [a-z] + [A-Z] + [0-9] is
62!/(52!), which is a big number; according to Maxima, it is 390.164.706.723.052.800.
For example a one-day password, to keep it simple to remember.
I think that the CanTV policy about security is not so good, neither for
messages nor for the servers. But this is another story :)
>> Later I used gocr with djpeg in a pipe (see gocr -h to understand better) and I obtained the famous number.
>> I have already written a Perl program to send SMS to Cantv mobiles, and it is not so hard to implement these last operations, but this latest version is not public because I made it for myself.
>>
>>> Credits
>>> ************************************************************************
>>>
>>> This vulnerability was discovered by Ruben Recabarren and Leandro Leoncini
>>> at SNSecurity's Research Lab.
>>>
>> Good work to the advisors. But I think that everyone who has a not so insane mind can understand the stupidity of CanTv's captcha implementation.
>
> I am not sure about stupidity, but this is precisely why everybody is recommending third party security reviews as mandatory policy for systems that are potentially dangerous to end users. This is the case with this vulnerability. I have personal reports that users have had their mobiles totally fried because of these SMS bombs.
Me too, but a good implementation of the captcha is better than nothing
for now, while waiting for the security division and system administrators
to do their work better.

Sorry for my bad English. Next time I will write in Spanish (in private
mail of course) :P

Thank you for your time.
I hope to talk with you more.

Francesco Vollero
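As an added audit example (not part of this thread, nor either author's tooling), the script below takes a sample of served challenge images, identifies each by its digest as Recabarren describes, and reports how many distinct challenges appeared, what fraction of the sample merely repeated an already-seen challenge, and a Chao1 estimate of the true pool size; it also computes the 62!/52! code space from the reply. The image bytes and the three-image server are constructed stand-ins.

```python
"""Audit the challenge space of an image CAPTCHA from a sample of served images.

Added example, not code from the original thread. The image bytes and the
three-image "server" below are constructed stand-ins; in a real audit `served`
would hold the bytes of each challenge image fetched from the form under review.
"""
import hashlib
import math
from collections import Counter


def challenge_id(image_bytes: bytes) -> str:
    """Identify a challenge by the digest of its bytes: an image drawn from a
    fixed pool produces the same digest every time it is served."""
    return hashlib.sha256(image_bytes).hexdigest()


def audit(served: list) -> dict:
    """Summarise how much of the sampled traffic repeats already-seen challenges."""
    seen = set()
    repeats = 0
    for img in served:
        h = challenge_id(img)
        if h in seen:
            repeats += 1          # a challenge an observer had already recorded
        seen.add(h)
    counts = Counter(challenge_id(img) for img in served)
    f1 = sum(1 for c in counts.values() if c == 1)   # challenges seen exactly once
    f2 = sum(1 for c in counts.values() if c == 2)   # challenges seen exactly twice
    # Bias-corrected Chao1 estimator of the true pool size behind the sample.
    estimated_pool = len(counts) + f1 * (f1 - 1) / (2 * (f2 + 1))
    return {
        "samples": len(served),
        "distinct": len(counts),
        "repeat_fraction": repeats / len(served) if served else 0.0,
        "estimated_pool": estimated_pool,
    }


def code_space(alphabet_size: int, length: int) -> int:
    """Number of codes of `length` distinct symbols from an alphabet; for
    alphabet 62 and length 10 this is the thread's 62!/52! figure."""
    return math.perm(alphabet_size, length)


# Constructed stand-in for a server that only has three challenge images.
POOL = [b"captcha-image-A", b"captcha-image-B", b"captcha-image-C"]
SERVED = [POOL[(i * 7) % len(POOL)] for i in range(30)]   # 30 fetched challenges

if __name__ == "__main__":
    print(audit(SERVED))        # distinct 3, repeat_fraction 0.9, pool estimate 3
    print(code_space(62, 10))   # 390164706723052800
```

A repeat fraction that climbs toward 1.0 while the distinct count stops growing is the signature of the too-small challenge space the thread describes, whatever distortion is applied to the images.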
