| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 09 Jun 2008 04:40:42 -0700 From: Moose <moose@...erarium.net> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Full Disclosure - GSC Privilege / Authentication Bypass Exploit Name: Michael Gray Website: www.ownerarium.net Contact: moose@...erarium.net Discovered Exploit: 06-05-2008 Vulnerable Software Title: GSC Vulnerable Version: <= 2067 Severity: CRITICAL Website: http://www.getgsc.com Reported to vendor: Yes Actively exploited: Yes Exploit Discovery ------------------ I was analyzing packets for an application of my own to figure out an issue with my own protocol when I noticed I was receiving packets that looked similar to that of IRC, so I decided to take a break from my own project and figure out what application it was. I noticed it was the voice communication and chat program called GSC. Since I was bored I figured I would poke around at some of these packets. First I logged on to my own channel as an administrator and kicked a friend of mine from the chat channel while recording packets. After capturing that packet I sent him an application to send raw packets over a specific socket and told him to send that to the server while he did not have administrator rights. Immediately after sending the packet he was disconnected from the channel because he was kicked. We discovered that the administration system's authentication is done completely client side and the server only sends a message to the client saying if the client has administrator rights to the channel, but the server doesn't check these rights if any administrator command is received. The Exploit ------------ 1.) Log on to GSC with a valid user account 2.) Join your own channel 3.) Record packets that are sent/received to/from GSC 4.) Kick a kind friend from your channel 5.) Stop capturing packets 6.) Modify this packet to reflect who you want to kick The packet for kicking a user looks something like this: NOTICE <user> :KICK <channel id> :<kick message> The user is the name of the user The channel ID is the same number used in a gsc://join:1 link The kick message is a string <= 15 characters Software Implementation ------------------------ Write a program that simply requests you to type in a user, a channel ID, and a kick message. Format the text to reflect the above example for the way the kick command is and encode it using UTF-8. Append the packet with 0x0A to show where the end of the command is. Hook your application to GSC and determine the socket ID of it's current connection and forward your packet through it's socket to the server. Additional Information ----------------------- The above information may be adapted to fit any administrator command including those used to completely kick and ban users from GSC as a whole, rather than just in a single channel. As is currently happening, users will use social engineering to get users to give out account information and personal information by impersonating a GSC staff member and claiming they will shut down the channel unless this information is released. A C# implementation of the way packets are constructed and how to properly format them can be found here: http://pastebin.se/194837 or can be received by requesting it via email from moose@...erarium.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists