Re: [Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC

2011-02-18 Thread Jacqui Caren-home
On 15/02/2011 16:55, Michele Orru wrote:
 2011/2/14 MustLive mustl...@websecurity.com.ua:
 Hello Michele!

 A few days ago I saw your advisory about Drupal's captcha. It's an interesting
 advisory, but I have one note concerning it - your research is very close to
 mine ;-) (it concerns similar holes which I found before you).

 I didn't find anything in FD or other public lists mentioning
 this issue before, so :)

It's not just Drupal - a number of captcha systems are open to attacks of this
form.
For instance hotfile.com is randomly open, allowing downloads of multiple files
because of captcha cookie replay.

I have seen this - by accident I should point out - on a number of (commercial)
sites where captcha is employed for login or download sanity checks.

The most recent system to be borked during upgrade was 
http://www.nextgenserver.com/calculator/

Jacqui

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC

2011-02-15 Thread Michele Orru
2011/2/14 MustLive mustl...@websecurity.com.ua:
 Hello Michele!

 A few days ago I saw your advisory about Drupal's captcha. It's an interesting
 advisory, but I have one note concerning it - your research is very close to
 mine ;-) (it concerns similar holes which I found before you).

I didn't find anything in FD or other public lists mentioning
this issue before, so :)

 First, you are talking about the Drupal captcha and saying that Drupal <= 6.20 is
 vulnerable. But it's not fully correct - the Drupal Captcha module is not a core
 module, but a third-party one, so these holes have no relation to Drupal. That's
 how Drupal developers answered me in December, when I informed them about
 holes in their Captcha (I'm not using Drupal, so I didn't know whether this
 module is core or not). And so the hole in captcha concerns only the Captcha
 module for Drupal (and sites on any version of Drupal with such a module can be
 vulnerable) - so it is correct to write about a vulnerability not in Drupal, but
 exactly in the Captcha module.

 Second, in your PoC (bruteforce exploit for Drupal) you're talking about a
 Brute Force hole. But in the title you talked about insecure Captcha (which is
 Insufficient Anti-automation). These are different classes of
 vulnerabilities, as in the WASC TC - Brute Force (WASC-11) and Insufficient
 Anti-automation (WASC-21). So your title is not fully correct.

I don't care too much about WASC classification, as you probably do.
WASC-21 can lead to WASC-11, so I don't want to bother classifying
these things.


 This means the following: if I am able to correctly solve the first
 Captcha challenge in the login form, but the login credentials are
 invalid, there will be no new Captcha challenge to solve in the login form
 presented after the HTTP response. In this situation it is possible to
 automate a dictionary/bruteforcing attack.

 This is a little different from my hole - in my hole I'm bypassing the captcha
 without correctly solving any challenges, i.e. a complete bypass (and the
 persistence option will not help against my attack). But your advisory is
 still close to mine ;-).

 Third, concerning the dates.

 On 2010-12-10 I announced different vulnerabilities in Drupal
 (http://websecurity.com.ua/4749/), found in summer. Including Insufficient
 Anti-automation vulnerabilities concerning captcha (as I'll write in my
 advisory, there are IAA holes both in the captcha and in Drupal itself).
 On 2010-12-11 I informed Drupal about these vulnerabilities in Drupal.
 On 2010-12-11 John Morahan from the Drupal security team answered me. In
 particular he stated that Drupal Captcha is a separate module.
 On 2010-12-12 I drew John's attention to the fact that IAA holes existed not only
 in the captcha module, but in Drupal itself (so it concerned Drupal too).
 On 2010-12-15 I announced new vulnerabilities in Drupal
 (http://websecurity.com.ua/4749/), found in summer. Including Brute Force
 (concerning both the captcha module and Drupal itself).
 On 2010-12-16 I informed Drupal about these vulnerabilities in Drupal.

 So as you can see I announced and informed developers more than a month before
 you. Did they tell you that I informed them about similar attacks and very
 close holes in December? Looks like they didn't. Which is strange; it's
 unlikely that they forgot about it after just a month or that the whole
 Drupal security team had amnesia in January.

 All these holes in Drupal (from my 4 advisories concerning Drupal) will be
 disclosed soon. It was planned for February, so this week I began
 disclosing these holes.

They didn't tell me anything: I've been in contact with Jakub Suchy and
Mori Sugimoto. They said that the issue I've reported qualified for public
disclosure.

Probably they didn't tell me about you because they don't give a shit
about you, as all of us that write in FD do :)

Have a good day mr. MustLive

 So, Michele, good luck in your security research.

 Best wishes & regards,
 MustLive
 Administrator of Websecurity web site
 http://websecurity.com.ua

 [Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults
 PoC
 Michele Orru antisnatchor at gmail.com
 Thu Feb 10 12:15:01 GMT 2011


 Drupal <= 6.20 insecure Captcha defaults PoC

  Name: Drupal <= 6.20 insecure Captcha defaults PoC
  Systems Affected: Drupal <= 6.20 with Captcha <= 2.3
  Severity: Medium
  Vendor: http://drupal.org
  Advisory: http://antisnatchor.com/Drupal_insecure_Captcha_defaults_PoC
  Author: Michele antisnatchor Orru` (michele.orru AT antisnatchor DOT com)
  Date: 20110210

 I. BACKGROUND
 Drupal is a world-wide used open-source CMS written in PHP:
 being really flexible and easy to extend, it is the de-facto
 choice for many small and big websites/portals that need a robust
 framework on which to model their business.

 II. DESCRIPTION
 Many Drupal users use Captcha challenges (especially with reCaptcha) in
 their websites to protect sensitive resources from bots and spammers.
 In fact, we've always read and seen Captcha (Drupal or not) implemented
 to protect 

Re: [Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC

2011-02-15 Thread Michele Orru
On Tue, Feb 15, 2011 at 12:25 AM, Eyeballing Weev
eyeballing.w...@gmail.com wrote:


 On Mon, Feb 14, 2011 at 4:54 PM, MustLive mustl...@websecurity.com.ua
 wrote:

 Hello Michele!

 A few days ago I saw your advisory about Drupal's captcha. It's an interesting
 advisory, but I have one note concerning it - your research is very close
 to mine ;-) (it concerns similar holes which I found before you).

 Quit being sexist. Is this because a woman disclosed this?
What the hell :)
I'm a man mate.

Michele is like Michael.

antisnatchor


 Second, in your PoC (bruteforce exploit for Drupal) you're talking about a
 Brute Force hole. But in the title you talked about insecure Captcha (which is
 Insufficient Anti-automation). These are different classes of
 vulnerabilities, as in the WASC TC - Brute Force (WASC-11) and Insufficient
 Anti-automation (WASC-21). So your title is not fully correct.

 Again, more sexism by you.



 All these holes in Drupal (from my 4 advisories concerning Drupal) will be
 disclosed soon. It was planned for February, so this week I began
 disclosing these holes.

 So, Michele, good luck in your security research.


 Good luck to anyone reading your Engrish-ridden advisories



Re: [Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC

2011-02-14 Thread MustLive
Hello Michele!

A few days ago I saw your advisory about Drupal's captcha. It's an interesting
advisory, but I have one note concerning it - your research is very close to
mine ;-) (it concerns similar holes which I found before you).

First, you are talking about the Drupal captcha and saying that Drupal <= 6.20 is
vulnerable. But it's not fully correct - the Drupal Captcha module is not a core
module, but a third-party one, so these holes have no relation to Drupal. That's
how Drupal developers answered me in December, when I informed them about
holes in their Captcha (I'm not using Drupal, so I didn't know whether this
module is core or not). And so the hole in captcha concerns only the Captcha
module for Drupal (and sites on any version of Drupal with such a module can be
vulnerable) - so it is correct to write about a vulnerability not in Drupal, but
exactly in the Captcha module.

Second, in your PoC (bruteforce exploit for Drupal) you're talking about a
Brute Force hole. But in the title you talked about insecure Captcha (which is
Insufficient Anti-automation). These are different classes of
vulnerabilities, as in the WASC TC - Brute Force (WASC-11) and Insufficient
Anti-automation (WASC-21). So your title is not fully correct.

 This means the following: if I am able to correctly solve the first
 Captcha challenge in the login form, but the login credentials are
 invalid, there will be no new Captcha challenge to solve in the login form
 presented after the HTTP response. In this situation it is possible to
 automate a dictionary/bruteforcing attack.

This is a little different from my hole - in my hole I'm bypassing the captcha
without correctly solving any challenges, i.e. a complete bypass (and the
persistence option will not help against my attack). But your advisory is
still close to mine ;-).

Third, concerning the dates.

On 2010-12-10 I announced different vulnerabilities in Drupal
(http://websecurity.com.ua/4749/), found in summer. Including Insufficient
Anti-automation vulnerabilities concerning captcha (as I'll write in my
advisory, there are IAA holes both in the captcha and in Drupal itself).
On 2010-12-11 I informed Drupal about these vulnerabilities in Drupal.
On 2010-12-11 John Morahan from the Drupal security team answered me. In
particular he stated that Drupal Captcha is a separate module.
On 2010-12-12 I drew John's attention to the fact that IAA holes existed not only
in the captcha module, but in Drupal itself (so it concerned Drupal too).
On 2010-12-15 I announced new vulnerabilities in Drupal
(http://websecurity.com.ua/4749/), found in summer. Including Brute Force
(concerning both the captcha module and Drupal itself).
On 2010-12-16 I informed Drupal about these vulnerabilities in Drupal.

So as you can see I announced and informed developers more than a month before
you. Did they tell you that I informed them about similar attacks and very
close holes in December? Looks like they didn't. Which is strange; it's
unlikely that they forgot about it after just a month or that the whole
Drupal security team had amnesia in January.

All these holes in Drupal (from my 4 advisories concerning Drupal) will be
disclosed soon. It was planned for February, so this week I began
disclosing these holes.

So, Michele, good luck in your security research.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

[Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults
PoC
Michele Orru antisnatchor at gmail.com
Thu Feb 10 12:15:01 GMT 2011


 Drupal <= 6.20 insecure Captcha defaults PoC

   Name: Drupal <= 6.20 insecure Captcha defaults PoC
   Systems Affected: Drupal <= 6.20 with Captcha <= 2.3
   Severity: Medium
   Vendor: http://drupal.org
   Advisory: http://antisnatchor.com/Drupal_insecure_Captcha_defaults_PoC
   Author: Michele antisnatchor Orru` (michele.orru AT antisnatchor DOT com)
   Date: 20110210

 I. BACKGROUND
 Drupal is a world-wide used open-source CMS written in PHP:
 being really flexible and easy to extend, it is the de-facto
 choice for many small and big websites/portals that need a robust
 framework on which to model their business.

 II. DESCRIPTION
 Many Drupal users use Captcha challenges (especially with reCaptcha) in
 their websites to protect sensitive resources from bots and spammers.
 In fact, we've always read and seen Captcha (Drupal or not) implemented
 to protect sensitive forms from online dictionary and bruteforcing
 attacks.

 The default configuration of the Persistence option for the Captcha module
 in Drupal is insecure: the persistence option is set to "Omit
 challenges in a multi-step/preview workflow once the user successfully
 responds to a challenge".

 This means the following: if I am able to correctly solve the first
 Captcha challenge in the login form, but the login credentials are
 invalid, there will be no new Captcha challenge to solve in the login
 form presented after the HTTP response. In this situation it is possible to
 automate a dictionary/bruteforcing attack.


 III. 
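The two failure modes this thread describes, the persistence default quoted in the advisory above (one solved challenge exempts the rest of the session, so wrong credentials never trigger a new challenge) and Jacqui's captcha-cookie replay, both come down to how long a single correct answer stays valid server-side. The model below is an added illustration, not Drupal's code, the Captcha module's code, or the advisory's PoC; the policy names, the `CaptchaGate` class, `login()`, `challenge_cost()` and the `USERS` table are hypothetical simplifications. It compares a session whose challenge is consumed on every form submission against one that stops challenging after the first correct answer, and reports how many challenges a run through a password list actually costs under each setting.

```python
"""Model of the Captcha-module persistence behaviour described in the advisory.

Added illustration, not Drupal's code, the Captcha module's code, or the
advisory's PoC. The policy names, CaptchaGate, login() and USERS are
hypothetical simplifications constructed for this example.
"""
import hmac
import secrets

# Two persistence policies. OMIT_ONCE_SOLVED models the default the advisory
# calls insecure: after one correct answer the session gets no more challenges.
# ALWAYS re-issues a challenge on every submission of the protected form.
ALWAYS = "always"
OMIT_ONCE_SOLVED = "omit_once_solved"

# Constructed sample credential store (plaintext only to keep the model short).
USERS = {"admin": "correct horse"}


class CaptchaGate:
    """Server-side captcha state for one session."""

    def __init__(self, policy):
        self.policy = policy
        self.pending = None          # (challenge_id, expected_answer) or None
        self.solved_once = False
        self.challenges_issued = 0

    def issue(self):
        """Create a fresh challenge and remember the expected answer server-side."""
        challenge = (secrets.token_hex(8), secrets.token_hex(3))
        self.pending = challenge
        self.challenges_issued += 1
        return challenge

    def requires_challenge(self):
        """Does the next form submission have to carry a captcha answer?"""
        if self.policy == OMIT_ONCE_SOLVED and self.solved_once:
            return False
        return True

    def check(self, challenge_id, answer):
        """Verify an answer. The pending challenge is consumed on every call,
        whatever the outcome, so a captured (id, answer) pair cannot be
        replayed the way Jacqui describes for captcha cookies."""
        pending, self.pending = self.pending, None
        if pending is None or not hmac.compare_digest(pending[0], challenge_id):
            return False
        ok = hmac.compare_digest(pending[1], answer)
        if ok:
            self.solved_once = True
        return ok


def login(gate, user, password, captcha=None):
    """Handle one login form submission.

    Returns (authenticated, next_form_needs_captcha). With ALWAYS the second
    value is always True, so every credential attempt costs a new challenge;
    with OMIT_ONCE_SOLVED it turns False after the first correct answer even
    when the credentials were wrong, which is exactly the advisory's point."""
    if gate.requires_challenge():
        if captcha is None or not gate.check(*captcha):
            return False, True        # bad captcha: credentials are not even checked
    authenticated = USERS.get(user) == password
    return authenticated, gate.requires_challenge()


def challenge_cost(policy, wordlist, user="admin"):
    """Walk a password list through login() and report (attempts, challenges).

    Each issued challenge is answered correctly (modelling a human or a
    solving service). A sound configuration keeps one challenge per attempt;
    the insecure default collapses the whole list to a single challenge."""
    gate = CaptchaGate(policy)
    attempts = 0
    for candidate in wordlist:
        captcha = gate.issue() if gate.requires_challenge() else None
        attempts += 1
        authenticated, _ = login(gate, user, candidate, captcha)
        if authenticated:
            break
    return attempts, gate.challenges_issued


if __name__ == "__main__":
    sample = ["123456", "password", "letmein", "correct horse"]  # constructed list
    for policy in (OMIT_ONCE_SOLVED, ALWAYS):
        attempts, solved = challenge_cost(policy, sample)
        print(f"{policy:16s} attempts={attempts} challenges={solved}")
```

Running the script prints one challenge for the whole four-word list under `omit_once_solved` and four under `always`. The single-use consumption in `check()` is the part that also closes the replay case: once an answer has been submitted, resubmitting the same challenge id and answer fails regardless of whether the accompanying credentials were right.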

Re: [Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC

2011-02-14 Thread Eyeballing Weev
On Mon, Feb 14, 2011 at 4:54 PM, MustLive mustl...@websecurity.com.ua wrote:

 Hello Michele!

 A few days ago I saw your advisory about Drupal's captcha. It's an interesting
 advisory, but I have one note concerning it - your research is very close
 to mine ;-) (it concerns similar holes which I found before you).


Quit being sexist. Is this because a woman disclosed this?


 Second, in your PoC (bruteforce exploit for Drupal) you're talking about a
 Brute Force hole. But in the title you talked about insecure Captcha (which is
 Insufficient Anti-automation). These are different classes of
 vulnerabilities, as in the WASC TC - Brute Force (WASC-11) and Insufficient
 Anti-automation (WASC-21). So your title is not fully correct.


Again, more sexism by you.



 All these holes in Drupal (from my 4 advisories concerning Drupal) will be
 disclosed soon. It was planned for February, so this week I began
 disclosing these holes.

 So, Michele, good luck in your security research.



Good luck to anyone reading your Engrish-ridden advisories