full-disclosure-uk April 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] n3td3v agenda & So

Re: [Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012

From: Ureleet <ureleet_at_nospam>
Date: Sat Apr 05 2008 - 22:48:34 GMT
To: "Razi Shaban" <razishaban@gmail.com>


i know i was just checking.

On Fri, Apr 4, 2008 at 5:41 PM, Razi Shaban <razishaban@gmail.com> wrote:

> It's called "a joke."
>
> --
> Razi
>
> On 4/4/08, Ureleet <ureleet@gmail.com> wrote:
> > r u serious?
> >
> >
> > On Fri, Apr 4, 2008 at 10:48 AM, Micheal Turner <wh1t3h4t3@yahoo.co.uk>
> > wrote:
> > > n3td3v agenda & Cyber Security group
> > > ====================================
> > >
> > > Solid Information Security State Release #0012a
> > >
> > > MARKING: RESTRICTIONS APPLY.
> > > FAO: WORLD LEADERS
> > >
> > > == Introduction ==
> > > Serious high-risk ultra critical vulnerability has
> > > been identified in Remote Help application that maybe
> > > used by CIA, NSA and FBI employees when helping
> > > colleagues on anti-terror campaigns.RemoteHelp is a
> > > minimal http server that allows to view and control a
> > > remote pc running a 32-bits version of Microsoft
> > > Windows.
> > > current version is 0.0.6 and runs stand-alone or
> > > installs as a service.
> > >
> > > == URL ==
> > > http://sourceforge.net/projects/remotehelp/
> > >
> > > == HISTORY ==
> > > After n3td3v agenda emailed the NSA, SANS and all
> > > information security groups and was found not to be
> > > taken seriously. High risk proof of concept exploit
> > > code has been authored for severe vulnerability in
> > > Remote Help application which maybe used by any number
> > > of Yahoo!, Google!, Ebay! or NSA employees. This
> > > vulnerability gives rise to serious national
> > > infrastructure risk and should not be under estimated!
> > >
> > > == Proof of Concept ==
> > > I found a vulnerability in the pages.c file which
> > > generates the login page dialog and authenticates a
> > > user after it checks if your "user" and "pass"
> > > parameter match the defaults
> > > (user/default) it does this:
> > >
> > > strncpy(cookie,"user=default; path=/; expires=Sun,
> > > 11-May-2030 22:11:40 GMT",1024);
> > >
> > > for a valid login and for an invalid login it sets an
> > > expired cookie like so;
> > > strncpy(cookie,"user=default; path=/; expires=Sun,
> > > 11-May-1970 22:11:40 GMT",1024);
> > >
> > > all you have to do is add "Cookie: user=default;
> > > path=/; expires=Sun, 11-May-2030 22:11:40 GMT" to your
> > > HTTP request and you can bypass
> > > authentication to the Remote Help server and access
> > > the filesystem/exec commands/view the webcam of the
> > > hosts running it.
> > >
> > > == Credit ==
> > >
> > > n3td3v & documentation help by Michael Turner.
> > >
> > > "Never trust your employees."
> > >
> > >
> > >
> > ___________________________________________________________
> > > Yahoo! For Good helps you make a difference
> > >
> > > http://uk.promotions.yahoo.com/forgood/
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/