Dell Quest One Password Manager CAPTCHA Bypass

2013-10-22 / 2013-10-27
Credit: Johnny Bravo
Risk: Low
Local: No
Remote: Yes
CWE: CWE-264

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

-=[ Disclosure ]=-

Filing Date: Today
Issue Tracking Number: 20747
Discoverer: Johnny Bravo

-=[ Background ]=-

Quest made a password management web application. Dell bought Quest. Dell now offers Quest One(tm) Password Manager for $5/user. (Oddly, this is not a joke.)

-=[ Issue ]=-

To use the web application you need to know your domain, your username, and the value of the presented CAPTCHA. Submit all three correctly and the web application presents you with the user's full name and some options. Today we will just talk about that bit.

You do not actually need to know the value of the CAPTCHA. Someone who is really bored could easily enumerate logins and match them to users' names.

-=[ Attack ]=-

On the POST request you can just remove the CAPTCHA bits. Pretty fucking l33t. This is the kind of thing that HFG would produce. Or maybe Gobbles. Or, more likely, se7en. And no, I didn't find this in the "Snowden docs", although this may be an NSA backdoor... you decide!

On to the attack. The POST data normally includes the following parameters:

ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false&CaptchaType=Captcha&UseCaptchaEveryTime=True&CaptchaResponse=SelfCleaningVagina

l33t hackers would send these parameters instead:

ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false

The server accepts the second request and returns the user's full name exactly as it does for the first. Note that CaptchaType and UseCaptchaEveryTime are themselves client-supplied parameters; whether a CAPTCHA is required is apparently decided by what the client sends, which is the root of the problem.

-=[ Fix ]=-

(This section is for the developers who wrote the software)

Write the code such that, oh, I don't know, it actually checks to ensure the fucking CAPTCHA is used? Treat a missing CaptchaResponse as a failed CAPTCHA, and decide server-side whether one is required instead of reading that from the request. Someone did this on one of the other pages in the app. Perhaps use the code from there? If it's not too much to ask, that is.

(This section is for product owners)

Really, you bought this? Really? Really? Really?

(This section is for users)

Yes, that's right, any moron on the internets can discover your company login id and pair it with your name if you work at a place unfortunate enough to use this product. If your company doesn't have the resources to create this app themselves, they've probably outsourced your helpdesk too, which means you're about to get pwn3d via some fairly lame social engineering. Enjoy that.

-=[ Greetz ]=-

Dell, Quest, and the security company that either uses this shit internally or resells it, or uses it and resells it.

Brought to youse guys by,
Johnny, Johnny Bravo

PS If you haven't seen my tips on picking up the chicks, check it out on the youtube
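The bypass in the Attack section and the fail-closed check in the Fix section, as an added Python model that is not code from the product or from the advisory's author. The two POST bodies quoted in the advisory are parsed with the standard library and fed to a hypothetical handler that reproduces the described behaviour (the CAPTCHA answer is only compared when the client sends the CAPTCHA fields) and to a hardened handler that decides everything from server-side state. The directory lookup, the session dictionary and the handler names are assumptions made for the example.

```python
import hmac
from urllib.parse import parse_qs

# The two POST bodies quoted in the advisory (copied here as test input;
# the ScenarioActionId and CaptchaResponse values are the advisory's own).
NORMAL_BODY = (
    "ScenarioActionId=42696720-7368-6974-2070-726F64756374"
    "&UserName=domain%5Cuser&Search=false&CaptchaType=Captcha"
    "&UseCaptchaEveryTime=True&CaptchaResponse=SelfCleaningVagina"
)
STRIPPED_BODY = (
    "ScenarioActionId=42696720-7368-6974-2070-726F64756374"
    "&UserName=domain%5Cuser&Search=false"
)

# Hypothetical stand-in for the product's directory lookup (assumption).
DIRECTORY = {"domain\\user": "Example User"}


def parse_form(body):
    """Parse an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def new_session(captcha_value="SelfCleaningVagina"):
    """Server-side session holding the CAPTCHA value the server rendered."""
    return {"captcha_expected": captcha_value}


def vulnerable_lookup(body, session):
    """Models the behaviour the advisory describes: the CAPTCHA answer is only
    compared when the client itself says a CAPTCHA is in play, so dropping the
    CaptchaType/CaptchaResponse fields skips the check entirely."""
    form = parse_form(body)
    if form.get("CaptchaType") == "Captcha":
        if form.get("CaptchaResponse") != session["captcha_expected"]:
            return None
    return DIRECTORY.get(form.get("UserName"))


def hardened_lookup(body, session):
    """Fails closed: whether a CAPTCHA is required, and what the answer is,
    comes from server-side session state, never from request parameters.
    A missing CaptchaResponse is a failed CAPTCHA, and each challenge can be
    answered only once."""
    form = parse_form(body)
    expected = session.pop("captcha_expected", None)  # consume the challenge
    supplied = form.get("CaptchaResponse")
    if expected is None or supplied is None:
        return None
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return None
    return DIRECTORY.get(form.get("UserName"))


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_lookup),
                          ("hardened", hardened_lookup)):
        with_captcha = handler(NORMAL_BODY, new_session())
        without_captcha = handler(STRIPPED_BODY, new_session())
        print(f"{name}: with CAPTCHA -> {with_captcha!r}, "
              f"CAPTCHA fields stripped -> {without_captcha!r}")
```

Running the block prints both handlers side by side: the vulnerable one returns the name for the stripped request, the hardened one returns nothing. The design point is that the client must never be the source of truth for whether a CAPTCHA applies; the only request field the server should read is the answer, and the absence of that field is a failure, not a skip.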
