lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <48EA0537.5090306@wintercore.com>
Date: Mon, 06 Oct 2008 14:31:51 +0200
From: vulns@...tercore.com
To: bugtraq@...urityfocus.com
Subject: Motorola Timbuktu's Internet Locator Service real-time data exposed
 to public.



We just want to make a public warning to those users of Motorola/Netopia
Timbuktu Remote Control Software who are using the Internet Locator
service. This service allows to locate any Timbuktu's user just by
knowing the email.

More than five months ago we notified Netopia's customer support
(http://blog.wintercore.com/?p=21), after discovering a hardcoded
user/password pair within SALT.dll.

---------------
v 8.6.5.1373
Dll: SALT.dll
Address: 0x604b83D4
PE section: .rdata
user: xa7z8
pass: e74sa9
url: findme.netopia.com/_REMOVE_THIS_findme/
---------------

By using this information it was possible to access, in real-time, to
hundreds of users' records containing their IP, email, software version
and information related to the license.

We have received no reply since then. 5 months after, we have found out
what we would say an "obvious" patch:
"if the problem was the user/password, well, let's remove it!. Fixed.".
Really hilarious.

Now, *everyone* can access those records without having valid credentials.

Taking into account that there are remote exploits available for that
software, that everyone can grab your IP and software version, and that
there are emails from government, military and high-profile corporate
staff, better you disable that feature.


-- 

Wintercore
Agustin de Betancourt, 21. 8th Floor.
28003 Madrid. Spain.
Phone: +(34) 91 395 63 40
www.wintercore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ