
List:       bugtraq
Subject:    Re: Re: Cantv/Movilnet's Web SMS vulnerability.
From:       rrecabarren () snsecurity ! com
Date:       2006-03-29 22:18:50
Message-ID: 20060329221850.24849.qmail () securityfocus ! com

Dear Raven,

raven wrote:
> Bugtraq @ SNSecurity wrote:
> > 
> > Quick Summary:
> > ************************************************************************
> > 
> > Product : Movilnet's Web SMS.
> > Version : In-production versions.
> > Vendor : Movilnet - http://www.movilnet.com.ve/
> > Class : Remote
> > Criticality : High
> > Operating System(s) : N/A.
> [snip]
> > Proof Of Concept Status
> > ************************************************************************
> > 
> > No proof of Concept will be released until the provider has sorted out the
> > issue.
> A first impact Proof of Concept is to use imagemagick tools with gocr to have a good image. I've used colors level input: 31 0.11 160 (you can use gimp too to see the effects) to have a white background and black (or most like black :P) foreground.


What you are talking about is "separability". You are pointing out that you can in fact separate what is good and what is garbage from the picture. We do mention such a problem, but it is not the worst of it at all. The real problem with this implementation is that the "challenge space" is too small. Let me explain this to you with a question:

What good is it to have a captcha with rotation, different fonts, deformation, and a background that does not allow separation, if you can only generate a total of 3 pictures to challenge your users with?

It amounts to nothing. You could simply calculate the MD5 hashes (or choose a not so broken digest algorithm, "tiger" if you want; I just can't get used to the sound of "tiger hashes", but English is not my native language, so what do I know?... ;-)) of those 3 images, and when later challenged with one of them you will know exactly what the right answer was. Now, if that number is not 3 but 1000, same thing. If it is 10^6, same thing. This is way too small.

This technique, by the way, gives you 100% success rate, whereas most OCR based solutions are bound to have some failure rate greater than 0 due to their heuristic methodology. You can think of this as the captcha's brute force technique. When it is better to brute force a captcha than to use other techniques, you know there is a very serious problem with that implementation and should change it as soon as you can... or at least implement additional systems to protect your users.

> Later I've used gocr with djpeg in a pipe (see gocr -h to understand better) and I've obtained the famous number. I've already written a perl program to send SMS to Cantv mobiles and it is not so hard to implement these last operations, but this latest version is not public because I did it for myself.
> > Credits
> > ************************************************************************
> > 
> > This vulnerability was discovered by Ruben Recabarren and Leandro Leoncini
> > at SNSecurity's Research Lab.
> > 
> Good work to the advisors. But I think that everyone who has a not so insane mind can understand the Cantv stupidity of this captcha implementation.

I am not sure about stupidity, but this is precisely why everybody is recommending third party security reviews as mandatory policy for systems that are potentially dangerous to end users. This is the case with this vulnerability. I have personal reports that users have had their mobiles totally fried because of these SMS bombs.
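The "challenge space" argument above can be turned into a self-audit for an operator who wants to know whether their own captcha is replayable from a digest lookup table. The script below is an added illustration written for this archive page; it is not code from the list post, from SNSecurity, or from Movilnet/Cantv. It stands in for the captcha server with two constructed generators (`make_small_pool_server`, drawing from a fixed set of pre-rendered images, and `make_fresh_server`, rendering a new image per request), hashes each served image with SHA-256, and uses the fraction of digests seen only once (a Good-Turing estimate) to judge how much of the challenge space a lookup table built from the samples would already cover. All function names and the byte-string "images" are assumptions of this example.

```python
import hashlib
import random
from collections import Counter


def make_small_pool_server(pool_size, seed=1):
    """Constructed stand-in for a server that serves one of a few pre-rendered captchas."""
    rng = random.Random(seed)
    pool = [f"constructed-captcha-image-{i}".encode() for i in range(pool_size)]

    def serve():
        return rng.choice(pool)

    return serve


def make_fresh_server(seed=2):
    """Constructed stand-in for a server that renders a new random challenge per request."""
    rng = random.Random(seed)
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"  # 31 symbols, 6 positions: ~8.9e8 challenges

    def serve():
        text = "".join(rng.choice(alphabet) for _ in range(6))
        return f"constructed-captcha-image-{text}".encode()

    return serve


def image_digest(image_bytes):
    """Digest of the served image bytes; this is the key a lookup table would be built on."""
    return hashlib.sha256(image_bytes).hexdigest()


def audit_challenge_space(serve, samples):
    """Fetch `samples` challenges and estimate how replayable the captcha is.

    coverage is the Good-Turing estimate (1 - singletons/samples) of the probability that
    the next challenge served is one already present in a table of the sampled digests.
    """
    counts = Counter(image_digest(serve()) for _ in range(samples))
    distinct = len(counts)
    singletons = sum(1 for c in counts.values() if c == 1)
    coverage = 1.0 - singletons / samples
    return {
        "samples": samples,
        "distinct": distinct,
        "singletons": singletons,
        "coverage": coverage,
    }


def is_replayable(report, coverage_threshold=0.5):
    """Flag a captcha whose sampled digests already cover most of what it will serve."""
    return report["coverage"] >= coverage_threshold


if __name__ == "__main__":
    for name, server in (("small pool", make_small_pool_server(3)),
                         ("fresh render", make_fresh_server())):
        report = audit_challenge_space(server, 300)
        verdict = "REPLAYABLE" if is_replayable(report) else "ok"
        print(f"{name:13s} distinct={report['distinct']:4d} "
              f"coverage={report['coverage']:.2f} -> {verdict}")
```

Run against the three-image pool the coverage reaches 1.0 after a few hundred fetches, which is the situation the post describes: a table of digests answers every future challenge without any OCR. Against the per-request renderer every sampled digest is a singleton, so coverage stays at 0 and the table is useless. The audit only measures diversity; even a large space still needs per-source rate limiting on the SMS gateway to cap the damage from whatever fraction of challenges OCR does solve.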
