lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <8D09CA68B736C08-724-2E4B9@webmail-d297.sysops.aol.com>
Date: Mon, 21 Oct 2013 14:57:38 -0400 (EDT)
From: Johnny Bravo <j_o_h_n_n_y.b_r_a_v_o@....com>
To: full-disclosure@...ts.grok.org.uk
Subject: Wicked Smaht O-Dayuh in Quest One(tm) Password
	Manager

-= [ Disclosure ]=-
Filing Date: Today
Issue Tracking Numbah: 20747
Discoverorer: Johnny Bravo

-=[ Background ]=-
Quest made a password management web thing. Dell bought Quest. Dell
offers Quest One(tm) Password Manager for $5/user.
http://software.dell.com/products/password-manager/. (Oddly, this is
not a joke.)

-=[ Issue ]=-
To use the web application you need to know your domain, username, and
the value of the presented captcha. You submit that, correctly, and the
web application will present you with the user's full name and some
options.

Today we will just talk about that bit there. You do not need to
actually know the value of the captcha. Someone who is really bored
could easily enumerate logins and match them to a user's name.

-=[ Attack ]=-
On the POST request you can just remove the captcha bits. Pretty
fucking l33t. This is the kind of thing that HFG would produce. Or
maybe Gobbles. Or, more likely, se7en. And no, I didn't find this in
the "Snowden docs" although this may be an NSA backdoor... you decide!

On to the attack. The POST data normally includes the following
parameters:
ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cu

ser&Search=false&CaptchaType=Captcha&UseCaptchaEveryTime=True&CaptchaResp

onse=SelfCleaningVagina

l33t hackers would send these parameters:
ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cu

ser&Search=false

-=[ Fix ]=-
(This section is for the developers who wrote the software)
Write the code such that, oh, I don't know, it actually checks to
ensure the fucking captcha is used? Someone did this on one of the
other pages in the app. Perhaps use the code from there? If it's not
too much to ask that is.

(This section is for product owners)
Really, you bought this? Really? Really? Really?

(This section is for users)
Yes, that's right, any moron on the internets can discover your company
login id and pair that with your name if you work at a place
unfortunate enough to utilize this product. If your company doesn't
have resources to create this app themselves, they've probably
outsourced your helpdesk too, which means you're about to get pwn3d via
some fairly lame social engineering. Enjoy that.

-=[ Greetz ]=-
Dell, Quest, and the security company that either uses this shit
internally or resells it, or uses it and resells it.

Brought to youse guys by,
Johnny, Johnny Bravo

PS If you haven't seen my tips on picking up the chicks, check it out
on the youtube http://www.youtube.com/watch?v=xnGnl-UElVA.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ