Message-ID: <002501c3d85c$ca1747a0$800101df@yaar>
From: dfbarth at akiva.com (David Bartholomew)
Subject: 3 new MS patches next week... but none fix 0x01!

Curious. I wondered why I didn't see the little control character marker in
there when I pulled this page up like I did with the front page. It's
interesting, too, that someone should bother to put this sort of stuff in
the form action section - but as a test I went and filled out the initial
form with random info, just to see what the whole thing looked like.

Figured that maybe they were putting the text in place to 'fill' your status
bar so that you couldn't see the real stuff at the end of it. Seemed to be
what happened. It seems like so much work to bother with the 0x01 exploit at
the beginning of the whole thing, when you could have just as readily done
all this with javascript onmouseover events so that unless you looked at the
source, the button would have looked totally legit.

.dfbarth

***
David Bartholomew, MCSE, MCSA, MCP, Net+, A+
Technical Lead - Akiva, Inc.
***

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Paul Szabo
Sent: Sunday, January 11, 2004 12:37 AM
To: dfbarth@...va.com; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!


> ... and I've got this question for the list:
>
> This really long 'form action' item
>
> http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwvwaboundpyw
> wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaoundpywwgc2l
> 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@....239.150.170/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the 0x01 exploit
> is 'good enough', what's with the extra characters?

Hmmm... where in there do you see %01? No, that is no 0x01 exploit, but
just user:password@...t quasi-RFC-compliant usage. The string is long so
as to leave the user staring at the citibank+gibberish part, not to be
made suspicious of the @IP part.

Cheers,

Paul Szabo - psz@...hs.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
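The trick Paul describes above (a decoy hostname before the ':', a long filler "password", and the real host hidden after the '@') is easy to see through with a standards-compliant URL parser: the userinfo is never part of the host. The following is an added example, not code from either poster. The IP address and the spoof URLs in it are constructed for illustration (the original message's IP is partially redacted in the archive); the status-bar width is an assumed value. The second constructed URL uses the %01 form that the subject line calls the 0x01 exploit, only to show that a compliant parser returns the same real host for it; the example does not reproduce any browser's display behaviour.

```javascript
// Added example (not from the original post): what a standards-compliant URL
// parser makes of the user:password@host trick discussed in the thread.
// The IP address and the spoof URLs below are constructed for illustration.

const DISPLAYED_WIDTH = 60; // assumed width of a status bar, in characters

// Split a URL into what a user glances at versus what the browser connects to.
function analyseUrl(raw) {
  const u = new URL(raw); // WHATWG URL parser (Node 10+ and all current browsers)
  const hasUserinfo = u.username !== '' || u.password !== '';
  const statusBarView = raw.slice(0, DISPLAYED_WIDTH);
  return {
    realHost: u.hostname,               // the authority after '@' (or the whole authority)
    username: u.username,               // the decoy "host" placed before ':'
    passwordLength: u.password.length,  // filler that pushes '@realhost' out of view
    hasUserinfo,
    statusBarView,                      // what a narrow status bar would show
    realHostVisibleInStatusBar: statusBarView.includes(u.hostname),
    // http(s) URLs carrying credentials in the authority are almost always spoofing attempts.
    suspicious: hasUserinfo && (u.protocol === 'http:' || u.protocol === 'https:'),
  };
}

// Constructed sample: decoy host, long filler password, real host after '@'.
const filler = 'achaaa9uwdtyazjwvwaaaa9p398h'.repeat(4);
const spoofUrl = `http://www.citibank.com:${filler}@192.0.2.10/login/form.php`;
// Constructed %01 variant: same structure, a percent-encoded control byte in
// the userinfo; a compliant parser still returns the real host.
const spoofUrl01 = 'http://www.citibank.com%01@192.0.2.10/login/form.php';
// Constructed honest URL for comparison.
const honestUrl = 'https://www.citibank.com/login/form.php';

function demo() {
  for (const url of [spoofUrl, spoofUrl01, honestUrl]) {
    const r = analyseUrl(url);
    console.log(
      `${r.suspicious ? 'SUSPICIOUS' : 'ok        '} real host=${r.realHost} ` +
      `username=${JSON.stringify(r.username)} filler=${r.passwordLength} ` +
      `real host visible in first ${DISPLAYED_WIDTH} chars=${r.realHostVisibleInStatusBar}`
    );
  }
}
demo();
```

Running it shows the point Paul makes: for the long form, the first sixty characters of the URL contain only "www.citibank.com" and gibberish, while `hostname` is the IP address; the filler buys nothing against the parser, only against the reader. A mail gateway or proxy that wants to flag such links needs no signature for the filler at all, only the `suspicious` test (credentials in an http/https authority).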
