Full Disclosure mailing list archives
Re: NSRG-Security SaS Encryption cracked
From: John Sage <jsage () finchhaven com>
Date: Wed, 15 Oct 2003 01:20:33 -0700
hmm.. On Wed, Oct 15, 2003 at 01:55:10AM -0500, Paul Tinsley wrote:
> ----------------------------------------------------------------------
> Product: SaS (Security Application Server)
> Vendor: NSRG (No Secure Root Group Security Research)
>         Lorenzo Hernandez Garcia-Hierro <lorenzohgh () nsrg-security com>
> Impact: Intellectual property disclosure
> Bulletin-ID: PT.2003.0001
> -----------------------------------------------------------------------
>
> Product Description (From Vendor Website):
>
> We are happy to announce that sas website is now (again) online in this server by accessing sas.nsrg-security.com, migrate your links to this server. The portal version is the latest of phpWebSite. We trust in phpWebSite, a very secure solution in this last version (old versions are affected by SQL Injections, XSS attacks and PD attacks, discovered by Lorenzo H G-H/trulux).
>
> Method of Disclosure:
>
> If you have the GET script installed:
> GET http://www.nsrg-security.com | lorenzo_decode.pl > outfile.html
>
> If you have wget:
> wget http://www.nsrg-security.com -O enc.html
> lorenzo_decode.pl < enc.html > outfile.html
>
> Background:
>
> After the veritable cornucopia of website exploits posted today on full-disclosure, it inspired me to audit a few websites myself. I started with the author of all the IMHO frivolous postings and found that he "encrypted" his website with something called SaS that his group wrote. I figured, man, this Lorenzo guy has lots of free time to pick apart everybody's websites; his must be top notch.
>
> "Exploit" code is attached and also available at:
> http://jackhammer.org/exploits/lorenzo_decode.pl
>
> Cheers,
> Paul Tinsley
[jsage@sparky /storage/virii] $ wget http://www.nsrg-security.com -O enc.html
--01:08:01--  http://www.nsrg-security.com/
           => `enc.html'
Resolving www.nsrg-security.com... done.
Connecting to www.nsrg-security.com[217.174.193.31]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                 ] 99,239         5.60K/s

01:08:22 (5.60 KB/s) - `enc.html' saved [99239]

[jsage@sparky /storage/virii] $ less enc.html

<!-- Web Site desing by Lorenzo Hernandez Garcia-Hierro--><!-- Encrypted using Security Application Server of No Secure Root Group Security Research -->
<script language=JavaScript type=text/javascript>function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,8,24,49,19,61,12,0,45,7,0,0,0,0,0,0,46,31,20,5,37,43,6,28,29,38,56,53,54,2,62,4,51,42,32,57,33,58,44,41,50,59,21,0,0,0,0,55,0,52,27,47,30,14,13,23,35,3,15,60,1,25,26,39,34,18,22,11,17,40,10,16,9,48,36);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("CIxTTE@S3PA5Rg2Y3hdUCrjkooeYIgJT1QupXbWSvQ2J39dT89jUWg2zsrmT3Af3sbfPtPVXs4GXvQ1JEAJIuNnIf9fXxcxQcImP74Gyb

/* snip */

[jsage@sparky /storage/virii] $ ./lorenzo_decode.pl < enc.html > outfile.html

/* NOTE: performed only after a thorough security audit of the perl source -- one can't be any too careful these days, can one? */

[jsage@sparky /storage/virii] $ less outfile.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>.::-No Secure Root Group Security Research-::. - You can be secure thinking the opposite</title>
<link rel="stylesheet" type="text/css" href="http://www.nsrg-security.com/visual/clean/style.css" title="clean">

/* snip */

Awesome work, man, awesome work.

As for you, Lorenzo, back to the drawing board...
- John
-- 
"You are in a twisty maze of weblogs, all alike."
- John Sage: InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
- ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
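The decrypt_p() routine quoted in the session above is nothing more than a fixed 64-symbol substitution (the table t) followed by a per-byte XOR with 165, and both ship inside the page itself, so anyone holding the HTML holds the "key". The following is an added Python port of that routine together with the matching encoder, written for this page; it is not Paul's lorenzo_decode.pl and not NSRG's code. The 12-symbol sample is the start of the decrypt_p("...") argument shown in the session.

```python
# Python port of the decrypt_p() JavaScript quoted above, plus the matching
# encoder, so the scheme can be inspected end to end. Added example code:
# this is not lorenzo_decode.pl and not NSRG's implementation.

# Substitution table copied from the page's JavaScript; index = ord(ch) - 48.
T = [63, 8, 24, 49, 19, 61, 12, 0, 45, 7, 0, 0, 0, 0, 0, 0, 46, 31, 20, 5, 37, 43,
     6, 28, 29, 38, 56, 53, 54, 2, 62, 4, 51, 42, 32, 57, 33, 58, 44, 41, 50, 59,
     21, 0, 0, 0, 0, 55, 0, 52, 27, 47, 30, 14, 13, 23, 35, 3, 15, 60, 1, 25, 26,
     39, 34, 18, 22, 11, 17, 40, 10, 16, 9, 48, 36]
XOR_KEY = 165  # the constant in the JavaScript's "165^w&255"

# The 64 symbols the table really maps: digits, '@', A-Z, '_', a-z.
# The remaining slots are 0 fillers; '7' is the one symbol whose value is 0.
ALPHABET = "0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
ENC = {T[ord(ch) - 48]: ch for ch in ALPHABET}  # 6-bit value -> symbol


def sas_decode(text: str) -> bytes:
    """Mirror of decrypt_p(): 6 bits per symbol, packed LSB-first, then XOR 165."""
    out, w, s = bytearray(), 0, 0
    for ch in text:
        w |= T[ord(ch) - 48] << s
        if s:                      # once s != 0 a whole byte has accumulated
            out.append(XOR_KEY ^ (w & 0xFF))
            w >>= 8
            s -= 2
        else:
            s = 6
    return bytes(out)


def sas_encode(data: bytes) -> str:
    """Inverse: XOR each byte with 165, emit the little-endian bitstream 6 bits at a time."""
    bits, nbits, out = 0, 0, []
    for b in data:
        bits |= (b ^ XOR_KEY) << nbits
        nbits += 8
        while nbits >= 6:
            out.append(ENC[bits & 63])
            bits >>= 6
            nbits -= 6
    if nbits:                      # flush the 2 or 4 leftover bits
        out.append(ENC[bits & 63])
    return "".join(out)


if __name__ == "__main__":
    # First 12 symbols of the decrypt_p("...") argument shown in the session above.
    sample = "CIxTTE@S3PA5"
    print(repr(sas_decode(sample).decode("latin-1")))   # ' <!DOCTYP'
    assert sas_decode(sas_encode(b"<html>")) == b"<html>"
```

Decoding the sample yields the leading space and "<!DOCTYP" of the DOCTYPE line that appears in outfile.html above, which is all the confirmation needed that the page carries its own decoding key.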
Current thread:
- NSRG-Security SaS Encryption cracked Paul Tinsley (Oct 15)
- Re: NSRG-Security SaS Encryption cracked John Sage (Oct 15)
- Re: NSRG-Security SaS Encryption cracked Valdis . Kletnieks (Oct 15)
- <Possible follow-ups>
- Re: NSRG-Security SaS Encryption cracked Paul Tinsley (Oct 15)