Message-ID: <6905b1570803011408n35b6eeadpa5cdf21488aa3d48@mail.gmail.com>
Date: Sat, 1 Mar 2008 22:08:29 +0000
From: "Petko D. Petkov" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: The Router Hacking Challenge is Over!

http://www.gnucitizen.org/projects/router-hacking-challenge/

The Router Hacking Challenge is Over! We've got some very interesting
results which prove that the security of routers, and of embedded
devices in general, is poor. There is definitely more room for further
development and we urge security researchers and hobbyists to keep the
challenge alive with new submissions. I hope that the challenge was as
educational and entertaining as it was practical and useful to all of us.

Here is a quick summary, in no particular order, of the types of
vulnerabilities we are exhibiting:

* authentication bypass
* a-to-c attacks
* csrf (cross-site request forgeries)
* xss (cross-site scripting)
* call-jacking - like making your phone dial numbers or even surveying
the sound in the room where the phone resides
* obfuscation/encryption deficiencies
* UPnP, DHCP and mDNS problems - although not officially reported,
most devices are affected
* SNMP injection attacks due to poor SNMP creds.
* memory overwrites - it is possible to overwrite the admin password
while it is in memory and therefore be able to log in as admin
* stealing config files
* cross-file upload attacks - this is within the group of csrf attacks
* remote war-driving - way cool
* factory restore attacks
* information disclosure
* etc, etc, etc

Please check the project page for more information and be sure that we
will continue posting interesting info on that subject in the future.
Also, if you have some findings of your own, please let us know, as we
are very interested in learning about them.

pdp

-- 

http://www.gnucitizen.org
http://www.gnucitizen.com

http://www.hakiri.org

GNUCITIZEN

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/