Wednesday, 13 June 2012 walkthrough - Nebula level02

So here's our challenge:

We have an environment value USER copied to the buffer without any checking. In the next step the buffer content is executed with a system() call. Basically we just need to prepare USER environment variable with a "proper" content and we are good to go:
level02 walkthrough.
And that's all :)

Wednesday, 6 June 2012

How to NOT implement password reminder function

A quick post about my recent discovery. I created an account on a some website and wanted to get my password reminded. There was only one step - provide e-mail address used to register.

My first suprise was that the password was changed immediately without any confirmation. That means if i only knew a person e-mail i could change his password !

Second surprise was the pattern that emerged when i generated few passwords (for different accounts with different passwords):
[2 upper letters][special char][2 lower letters][special char][number max 2 digit].

Can you spot the problem ?
  • I am able to change someone's password knowing only his e-mail,
  • I know the generation pattern for this new password.
Based on those rules we are able to generate a dictionary file, and try to crack the password. However in this case it is not critical beacuse this is a webapplication. We have:
26 x 26 x 6 x 26 x 26 x 100 = 274185600 possible combinations, so the dictionary file would be around 2.2 GB size. Yep, it seems like a lot of time, but in case of flaws in the randomness of the string generation we could probally shorten the amount of time needed to crack it - i need to examine it deeper. To sum up, it does not seem to be a threat (for now) but those patterns definitely should have not appear in that function.

Saturday, 2 June 2012

How to NOT generate confirmation links

Today i registered an account at some company website. As usual i got an confirmation e-mail to click on, so my account would be activated.It looked like this:
part of activation e-mail i received.

So my first thought was to check this md5 hash ! :)
Using google i quickly got an answer:

md5 hash and the source string.

Hm.. interesting, so it looks like the pattern is 'mw' string + login. Let's verify this.

First step is creating an account with non existant e-mail address.

our fake input data.

Next we generate a md5 hash for 'mwthisisfake' string and pasting the crafted url to the browser.

confirmation link generated by us.


Registration confirmation info.

So let's see if we can log in.

Logged in as thisisfake user.

Ok, so i managed to skip the e-mail verification - what's so bad about it ?

First obvious conclusion is that users can create accounts without using a valid e-mail address.Also it is easier to write a script for automatic user generation (no e-mail, no captcha verification). User login enumeration is possible too. This is just a registration confirmation link, imagine what would happen if reset password function had this vulnerability (and i've seen it happend before). I'll try to continue on this topic if i find more interesting examples.