Full Disclosure mailing list archives
HHU #1: "It's secure, it's reliable, it's Swiss"
From: deepquest <adf () code511 com>
Date: Fri, 28 Oct 2005 20:47:56 +0200
___ ___ ___ /__/\ /__/\ /__/\ \ \:\ \ \:\ \ \:\ \__\:\ \__\:\ \ \:\ ___ / /::\ ___ / /::\ ___ \ \:\ /__/\ /:/\:\ /__/\ /:/\:\ /__/\ \__\:\ \ \:\/:/__\/ \ \:\/:/__\/ \ \:\ / /:/ \ \::/ \ \::/ \ \:\ /:/ \ \:\ \ \:\ \ \:\/:/ \ \:\ \ \:\ \ \::/ \__\/ \__\/ \__\/ "It's secure, it's reliable, it's Swiss" HHU ---Homeless Hackers United is a small group of homeless hackers from Europe and North America. We can't afford paying for Internet access or hotel rooms.
Our only crime is to have a laptop and wireless card, and few knowledge.Homeless state give us the freedom to access and use various open systems, accessible from public places. The following has been tested in UK, Germany, France
and Norway. Who --- Swisscom EuroSpot is a wireless service offered in airports, hotels andother public places. Customers buy certain amount of time online and get access to the wireless network. The login page is of course open in order to join and
subscribe to the service.HHU has been able to access, and validate around several hotels and public
places. Severity -------- Medium Vulnerability ------------- XSS, URL evasion Details -------Swisscom access point seems to use radius servers to provide internet access to their customers. We also noticed issues on the radius authentification process that may be published later. After joining the network you will have either to buy access time or login. The following has been tested in UK, Germany, France
and Norway.http://login**.swisscom-eurospot.com/error.php? error=nasunknown_ui&UI=XSS http://login**.swisscom-eurospot.com/login.php? LANG=de&UserID=0&RadiusReply=XSS
Proof of Concept ----------------http://login02.swisscom-eurospot.com/error.php? error=nasunknown_ui&UI=Please%20fix%20this%20site http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI= %3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI= %3CIFRAME%20SRC=javascript:window.parent.location.replace(%2527http:// google.com%2527)%3E%3C/IFRAME%3E
Impacts -------Change, spoof and fool end-users on login page or paiement page. With a bit on
imagination it can be worst. Timeline -------- Discovered: august 14th 2005 Disclosure: october 28th 2005 Service Provider: no HHU Policy ----------HHU can't even afford food, and we're are not paid to debug softwares or systems
for free.We discover, then publish what we find. Will route tcp/ip packets for food! "Fool me once, shame on — shame on you. Fool me — you can't get fooled again."
— George W. Bush HHU Credits ----------- deepquest for discovering and POC, Mescalito for more POC. original post http://deepquest.code511.com/blog/more.php?id=319_0_1_0_M _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- HHU #1: "It's secure, it's reliable, it's Swiss" deepquest (Oct 28)