Re: Re: Cantv/Movilnet's Web SMS vulnerability.
Dear Raven,
raven wrote:
> Bugtraq @ SNSecurity wrote:
>>
>> Quick Summary:
>> ************************************************************************
>>
>> Product : Movilnet's Web SMS.
>> Version : In-production versions.
>> Vendor : Movilnet - http://www.movilnet.com.ve/
>> Class : Remote
>> Criticality : High
>> Operating System(s) : N/A.
> [snip]
>> Proof Of Concept Status
>> ************************************************************************
>>
>> No proof of Concept will be released until the provider has sorted out the
>> issue.
> A first impact Proof of Concept is to use imagemagick tools with gocr to have
> a good image.
> I've used colors level input: 31 0.11 160 (you can use gimp too to see the
> effects) to have a white background and black (or most like black :P)
> foreground.
What you are talking about is "separability". You are pointing out that you can
in fact separate what is good and what is garbage from the picture . We do
mention such a problem, but it is not the worst of it at all. The real problem
with this implementation is that the "challenge space" is too small. Let me
explain this to you with a question:
What good is it to have a captcha with rotation, different fonts, deformation,
and a background that does not allow separation, if you can only generate a
total of
3 pictures to challenge your users with??
It amounts to nothing. You could simply calculate the MD5 hashes (or choose a
not so broken digest algorithm, "tiger" if you want, i just cant get used to
the sound of
"tiger hashes", but english is not my native language so what do I know?...
;-)) of those 3 images, and when later challenged with one of them you will know
exactly what the right answer was. Now, if that number is not 3, but a 1000,
same thing. If it is 10^6, same thing. This is way too small.
This technique, by the way, gives you 100% success rate whereas most OCR based
solutions are bound to have some failure rate greater than 0 due to their
heuristic methodology.
You can think of this as the captcha's brute force technique. When it is better
to brute force a captcha than to use other techniques, you know there is a very
serious problem with that implementation and should change it as soon as you
can... or at least implement additional systems to protect your users.
> Later i've used gocr with djpeg in pipe (see gocr -h to understand better)
> and i've obtained the famous number.
> I've already writed a perl software to send sms to cantv mobiles and not is
> soo hard to implement this last operations, but not is public this latest
> version because i do for myself.
>
>> Credits
>> ************************************************************************
>>
>> This vulnerability was discovered by Ruben Recabarren and Leandro Leoncini
>> at SNSecurity's Research Lab.
>>
> Good work, to the advisors. But i think that everyone that have a not so
> insane mind can understand the CanTv stupidity of this captcha implementation.
I am not sure about stupidity, but this is precisely why everybody is
recommending third party security reviews as mandatory policy for systems that
are potentially dangerous to end users. This is the case with this
vulnerability. I have personal reports that users have had their mobiles
totally fried because of these SMS bombs.
>