Attack #2 is more interesting because it can be remotely exploited via an SMS message.
When reporting this issue, the 160-character limit of SMS technology came into question, and whether it would limit the attacker. In the proof-of-concept video, you can see that exploitation was successful with 158 characters using the Browser Exploitation Framework (BeEF)!
Below are the steps that led up to the discovery of this low-hanging fruit:
I first started by using tcpdump to capture traffic between the appliance and a workstation running the console software.
When using the console software to log in, I noticed the authentication was done over port 5000. After I logged in, the console software started to load data over MySQL port 3306. What I found interesting was that all the SQL traffic was being initiated by the workstation. At this point I wanted to know how the workstation was able to log in to the MySQL server on the appliance.
By using several Sysinternals tools on the workstation, I was able to determine which binary files the console software was using when the SQL connection got initiated.
I then used a combination of strings and IDA Pro to search through the binaries for the SQL login and, bingo, found it!
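The last two steps above (pull printable strings out of the client binary, then look for the embedded database login) are something a defender can turn into a routine check on their own software before shipping it. The script below is an added example, not code from the original post or from the product discussed: it re-implements the default behaviour of the Unix strings utility over a constructed sample "binary", flags strings that look like user/password fields or SQL statements, and redacts password values so that the findings report does not itself leak the secret. The sample bytes, pattern names and connection-string layout are all constructed for illustration.

```python
import re
import string
from typing import Dict, List

# Constructed sample "binary": header-like bytes and filler surrounding the kind
# of strings a compiled console client might embed. Not taken from any product.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x02\x00\x3e\x00\x01\x00\x00\x00"
    b"Server=192.0.2.10;Port=3306;Uid=console;Pwd=S3cretPass!;Database=appdb\x00"
    b"\x90\x90\x90\x90"
    b"SELECT id, name FROM devices WHERE site=?\x00"
    b"\x00\x00\x01\x02"
    b"Connected to appliance\x00"
    b"\xff\xfe\xfd"
    b"user=admin\x00"
    b"\x13\x37"
)

# Printable ASCII as `strings` sees it: letters, digits, punctuation and space,
# but not line/tab control characters.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Heuristic patterns (our own choice of names) for strings worth a closer look.
CREDENTIAL_PATTERNS = [
    ("user_field", re.compile(r"(?i)\b(uid|user(name| id)?)\s*[=:]\s*\S")),
    ("password_field", re.compile(r"(?i)\b(pwd|pass(word)?)\s*[=:]\s*\S")),
    ("sql_statement", re.compile(r"(?i)^\s*(select|insert|update|delete)\b")),
]

# Matches a password-like key and its value (value ends at ';' or whitespace).
SECRET_VALUE_RX = re.compile(r"(?i)\b(pwd|password|pass)\s*([=:])\s*([^;\s]+)")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    found: List[str] = []
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:  # a run that reaches end-of-file
        found.append(run.decode("ascii"))
    return found


def flag_suspicious_strings(data: bytes, min_len: int = 4) -> List[Dict]:
    """Extract strings and keep those matching a credential or SQL pattern.
    Each record carries the string and the names of the patterns it matched."""
    hits: List[Dict] = []
    for s in extract_strings(data, min_len):
        reasons = [name for name, rx in CREDENTIAL_PATTERNS if rx.search(s)]
        if reasons:
            hits.append({"string": s, "reasons": reasons})
    return hits


def has_embedded_password(data: bytes) -> bool:
    """True if any extracted string carries a password-like field."""
    return any("password_field" in h["reasons"] for h in flag_suspicious_strings(data))


def redact(s: str) -> str:
    """Mask password-like values so a findings report does not leak the secret."""
    return SECRET_VALUE_RX.sub(lambda m: f"{m.group(1)}{m.group(2)}***", s)


if __name__ == "__main__":
    for hit in flag_suspicious_strings(SAMPLE_BINARY):
        print(f"{', '.join(hit['reasons']):30s} {redact(hit['string'])}")
    print("embedded password present:", has_embedded_password(SAMPLE_BINARY))
```

Run against a real build, the same three functions applied to the binary's bytes give a quick answer to the question the post raises: if the client can log straight into the database, then the login lives somewhere the user can read it, and a strings pass usually finds it before IDA is needed. The fix is to keep the database credential on the appliance side behind the authenticated port-5000 session rather than in the client.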
I’ve posted an updated version of my “Karma” patch for HostAP (hostap_0_7_2-775-g9fc6aa9). This patch adds Karma-style automatic probe response, in addition to PEAP/MSCHAPv2 authentication logging (think all-in-one FreeRadius-WPE). See the Wireless page for a link to the old Hostap 0.6.9 patch and the newer version.
PercX has been furiously hacking multi-function printers, and the result is a new tool called Praeda. Praeda is used to interrogate printers from a variety of manufacturers in an effort to gain information about a target network or compromise credentials. You can get it here. It's written in Perl.
TARGET_FILE = list of IP addresses or host names to be enumerated
TCP_PORT = port of the targets to scan. "At present only one port can be specified. This is expected to be modified in a future version."
PROJECT_NAME = the name for this project. This will create a folder under the folder where Praeda was executed, to contain logs and exported info.
OUTPUT_FILE = name of the log file for data output
This is a very interesting flaw that I came across in Symantec Antivirus Corporate Edition in July 2009 while trying to recreate the XFR.EXE design flaw (CVE-2009-1431). At first I thought this was the same flaw, but while running a series of tests against multiple versions of SAVCE, I realized I had tested it against the latest patched 10.1.8 version of the product and the vulnerability was still there. Upon further investigation I discovered this flaw went against the Intel Alert Handler Service (hndlrsvc.exe) over TCP port 38292.
I’ve uploaded a basic PEAP/LEAP brute-force logon script that I wrote a couple of months ago to the wireless page. It simply calls wpa_supplicant and parses the results, which is slow, but appears to work. Enjoy.
This is old, but might be interesting to fellow security geeks. The idea here is to challenge concepts of what a password is and how it should be secured. In essence, using this system will allow you to keep your uber-secret in a public place such as Twitter. There's some other crufty code (a Firefox plugin) to go with this, but it's really just for fun.