[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAGEYiAr1OUu2QNhmwEdW0Uq6_48fTYNV21Msa3Bmv3+ttOuACw@mail.gmail.com>
Date: Sat, 14 Jun 2014 06:50:07 -0700
From: Americas Testkitchen <americaztestkitchen@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] T-Mobile webConnect Manager sysauth cookie leak in plain text
via http request
########atk #1.txt
###################################################################
"...and it won't be the witches who'll be burning this time"
-Blackbird Raum, Witches
Achtung!!! : T-Mobile webConnect Manager sysauth cookie leaked
in plain text via http request.
Scope: webConnect Manager is the interface used for administration of MANY
T-Mobile devices, including the highly-touted Samsung LTE Mobile
Hotspot Pro.(actually decent hardware, but this chef doesn't
know
much about bowls,whisks,spoons and pressure cookers, only
spices and herbs.)
webConnect Manager has been in the wild via T-mobiles crack
security
code-audit team and responsible for slowing down
AmericasTestKitchens' interlinks
via T-mobile-sponsored zombie nets....so.....
Vendor Notification: None. Seriously.... ever hear of the secure flag you
ninnies?
"someday we will bring you down,
someday this will all come crashing right down
so go on, with your life. We Will Bring YOU DOWN!"
-Blackbird Raum "Honey in the Hair"
Timeline:
6.1.14 : found by Chef Samael
6.2.14 : (still 6.1.14 in Samaels tz) VRFY'd by Sou Chef: Nita
6.3.14 : canned POC developed by Chef Swedish, tested and used to
propagate
through weak routers of a large apartment complex,
account data was
retrieved and stored back to the devices considerable
storage.
6.3.14 : test successful, ownership of test subjects returned,
NSA grade
wipe of testing fiasco complete.
6.4.14
Dist. Schedule:
6.3.14 : POC distributed amongst chefs @ the Frothing
Bunniculitis board of ATK.
6.3.14 : This is posted to:
6.14.14:YOU
############Americas Test Kitchen: Recipe
1##############################################
I) : Intro/Rant/Mission Statement
How Are You Gentlemen/Women?!? Welcome to Americas Test Kitchen , where all
are invited to test, post ingredients and
share the most delightful aspects of cooking,BBQ, baking. We @ ATK assume
the participants will be somewhat seasoned
chefs and able to concoct full recipes on their own with a minimal
discussion of ingredients. Recipes that can be
purchased with a Vietnamese dong are encouraged and are best cooked
amongst/against other chefs (nicely now...).
Have a wonderful and blessed day! Welcome to the kitchen! Join our
community on the behemoth Frothing Bunniculitis Board.
It is set up as a user and not a group for a reason. Don't ask to become a
chef. We will ask you. Or you'll own US and bake a cake
of your own. ;) Nothing wrong with a cook-off amongst friends :p
[code]Karma police, arrest this man
he talks in maths.
he's buzzing like a fridge.
he's like a detuned radio.
This is what you get
this is what YOU get
this is what you get
when you mess with the...
[/code]
Our internets are broken. We are all owners and owned. Hats are
meaningless. Anti-Sec didn't work. We will
give small token gifts to the goy and keep the fine wine for perfect
pairings to go with undisclosed recipes.
We do NOT provide canned exploits. Only a small dataset for those with eyes
to see and minds that reciprocate.
We are agent and agency. We refer to the works of Godel, Escher and Bach.
We refer to Richard Dawkins. We
refer to the Max Headroom Incident of 1987, amongst/against many, many
other ideals, perspectives and subcultures
within subcultures and shadows behind shadows. We refer now to you.
./propagate
Part 2.product info and review
Overview:
T-Mobile webConnect Manager is a program developed BY T-Mobile. The most
used version is 2.04.0030.0
with over 98% of all installations currently using this version. While
about 89% of users of T-Mobile webConnect
Manager come from the United States, it is also popular in Indonesia and
Iran. (hi intel, but you guys know this already)
Ironic Re-views:
The Samsung LTE Mobile HotSpot Pro's Web interface is easy to use and
offers access to all of its settings. Note
how the router is locked to T-Mobile and won't accept a SIM card from a
different carrier until it's unlocked.
"dis ting hee-ya is mai favowit"
- Dong Ngo/CNET
[code]peanutbutterjellyandabaseballbat[/code]
*Ed. Dong, there are those of us who would love your job and all the swag
you get as a part of the gig....DONG
....don't be deceived by its name as the Samsung LTE Mobile HotSpot PRO is
more than just your average mobile hotspot
and is, in fact, something all road warriors might want to have in their
arsenal.
- JC Torres, SlashGear
*Ed. I couldn't have said it better.
Still.... [code]peanutbutterjellyandabaseballbat[/code]
Part 3: discovery date jun2 - 3 /historical greetz
On these 2 days in history:
June 2 1919: some great citizens and lovers of
justice tried to level the playing field:
https://en.wikipedia.org/wiki/1919_United_States_anarchist_bombings
June 3, 1968: Andy Warhol the American artist and a
major driving force in the movement known
as Pop art is shot and wounded in his New York film
studio, The Factory, by actress Valerie Solanas
who founded the "group" called S.C.U.M. (Society for
Cutting up Men).
*Nita got a little too happy about this factoid
methinks
*full disclosure: ATK is busy and have some of us have lives so the
following is nearing (but not quite) plagiarism
of an identical issue on another WAP 300 years ago. This
kind of shit should not be a factor nowadays.Infosuck
101.
The Goods ->
BAKING SCENARIO: An attacker may be able to cause the sysauth cookie to be
leaked via a plaintext HTTP request.
You can create a plaintext HTTP link to the The Samsung LTE Mobile HotSpot
as a local application icon.
If an administrator is authenticated to the site over SSL and visits the
application list, the browser will issue
the plaintext, non-SSL request and automatically include the admin's
current session token. A network
attacker shouldn't have any trouble being able to capture this value via
network sniffing and perform subsequent actions on the
administrator's behalf via DUCT-TAPE.
*OUR WORDS: fire up your pcap of choice and grep http. use some duct tape
(curl,expect,nc), I suggest
you try a GET
http://mobile.hotspot/www/apps/dongleweb/php/en/security/01_sim_pin.php Its
hilarious and
disturbing to see the whole cookie: SID & Credential both pass in plain
text through a directory called
"security" while on the way to visit the sim card.SERIOUSLY?!?! Session
hi-jacking via cookie wasn't even
a considerable hack in '99. They have been selling and using this fskn
"software" on a majority of their devices
for years. We have not the time,(we are rushing to market like you
T-mobile) nor the money to activate another
t-mobile device for yux.I highly suspect they are vuln on any device
running the crap \\\\\\\
See all of you at the coffee shop! Keep a look out for those cute little
red squares & know the admin page is
loaded on a tab somewhere so they can monitor their data usage in
real-time(IT WORKS SOMETIMES). There is plenty of time
and places to wage attack on these. Fix your chit T-Mobile: this is beyond
unacceptable. I want to see @ least a fskn s flag
patch by Friday. There's more.
FIX:
DUCT TAPE!!: mac filtering
COUNTER DUCT TAPE!!:mac spoof (it works fine with this too)good.
....disconnected
References:
a)by habit capturing the first transaction with a new device.
Login, passwd creation, ruleset application (where applicable)
look for really really stupid ish like this. Make note of the
default passswd (admin btw) and the way the device is associated
with the network (last 8 of the MEID in this case)...etc
etc...3rd grade ish
b)
i.http://www.wireshark.org/
ii.http://www.tcpdump.org/ and libpcap
iii.MTP Simulator 12.0 startpage it
iv.
https://github.com/opentechinstitute/commotion-router/issues/33
v.ATK. Thx everyone! Took 10x longer for us to agree what to
say here
than it did proving our perfect cookie recipe..u asshats
are impossible.
Coming Soon: Ingredients for Flatulent Butt-slut stew
./hi
black powder records & drater/n1nor/ron1n (We miss the old kitchen...come
back yoda)
t-mobile tech support for the sexy internal conference line given to us on
accident
by one of the wonderful outsourced workers! Thanks
himynameislindawitht-mobilecanihelpyou?/!!!!!!
Any time Linda, any-time. Hi @ tabis pankweev and his father.
./fuqz @ cipher <------u talk like u r a 3 year old having an apoplectic fit
(thats from Chef Samael) Go make me a pah you myopic turd.
@ tmobile dev : for assisting in breaking OUR interwebs. grow up or
get out -x
./h8 @ samsung for not honouring the insurance contract. missed payment
by a day, lost service for 3 hours
payed bill & insurance, drowned my device 3 days later and you told
me to fsk off. Say hi 2 teh ghost of christmas past.
literally. That was my xmas present you wankers. - sous chef Nita
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists