Archive for the 'MoBiC' category

Month of Bugs in Captchas: totals

23:50 01.12.2007

My project Month of Bugs in Captchas has finished and I'm summing up.

32 CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) took part in the project: plugins, services, captchas built into CMSs, and individual captchas. The list of the project's participants (in order of appearance): learnwpf.com, craigslist.org, Peter’s Custom Anti-Spam Image, reCaptcha, Blogger, Google, itua.info, mt-scode, wait-till-i.com, shamanomaly.com, opennet.ru, PHP-Nuke, digg.com, Peter’s Random Anti-Spam Image, expert.com.ua, cgisecurity.com, search.live.com, Cryptographp, uaxxi.com, PHP-Fusion, HBH-Fusion, Nucleus CAPTCHA bypass, AIP, peterhost.ru, Math Comment Spam Protection, thepoorhouse.org.uk, Anti Spam Image, Captcha!, internetua.com, IPB, WP-ContactForm, ESP-PIX.

Altogether, 75 vulnerabilities were published in the captchas mentioned, including Insufficient Anti-automation, Cross-Site Scripting (persistent and reflected), SQL Injection and Cross-Site Request Forgery vulnerabilities (and also a redirector).

Results of the project: 5 of 75 vulnerabilities were fixed. That is 6.67% fixed vulnerabilities, which is much lower than the result of Month of Search Engines Bugs. Captcha developers need to pay more attention to the reliability of their applications. Many captcha bypass methods (developed by me) were also published, and web developers must take them into account to create more reliable captchas.

Note that captchas contain not only Insufficient Anti-automation vulnerabilities but other types of vulnerabilities as well, such as Redirector (MoBiC-05 Bonus), Cross-Site Scripting (MoBiC-12 Bonus, MoBiC-23 Bonus, MoBiC-26 Bonus, MoBiC-28 Bonus, MoBiC-29 Bonus), SQL Injection (MoBiC-20 Bonus) and Cross-Site Request Forgery (MoBiC-26). So captcha developers need to improve their security.

Thanks for following the MoBiC project. Best regards. And attend to your security.

Month of Bugs in Captchas: totals

23:19 01.12.2007

My project Month of Bugs in Captchas has finished and I'm summing up.

32 CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) took part in the project: plugins, services, captchas built into CMSs, and individual captchas. The list of the project's participants (in order of appearance): learnwpf.com, craigslist.org, Peter’s Custom Anti-Spam Image, reCaptcha, Blogger, Google, itua.info, mt-scode, wait-till-i.com, shamanomaly.com, opennet.ru, PHP-Nuke, digg.com, Peter’s Random Anti-Spam Image, expert.com.ua, cgisecurity.com, search.live.com, Cryptographp, uaxxi.com, PHP-Fusion, HBH-Fusion, Nucleus CAPTCHA bypass, AIP, peterhost.ru, Math Comment Spam Protection, thepoorhouse.org.uk, Anti Spam Image, Captcha!, internetua.com, IPB, WP-ContactForm, ESP-PIX.

Altogether, 75 vulnerabilities were published in the captchas mentioned, including Insufficient Anti-automation, Cross-Site Scripting (persistent and reflected), SQL Injection and Cross-Site Request Forgery vulnerabilities (and also a redirector).

Results of the project: 5 of 75 vulnerabilities were fixed. That is 6.67% fixed vulnerabilities, which is much lower than the result of Month of Search Engines Bugs. Captcha developers need to keep a closer eye on the reliability of their applications. Many captcha bypass methods (developed by me) were also published, and web developers must take them into account to create more reliable captchas.

I note that captchas have not only Insufficient Anti-automation vulnerabilities but other types of vulnerabilities as well, such as Redirector (MoBiC-05 Bonus), Cross-Site Scripting (MoBiC-12 Bonus, MoBiC-23 Bonus, MoBiC-26 Bonus, MoBiC-28 Bonus, MoBiC-29 Bonus), SQL Injection (MoBiC-20 Bonus) and Cross-Site Request Forgery (MoBiC-26). So captcha developers need to improve their security.

Thanks for following the MoBiC project. All the best. And pay attention to your security.

MoBiC-30: ESP-PIX CAPTCHA bypass

22:53 30.11.2007

The next participant of the Month of Bugs in Captchas project is the ESP-PIX captcha. This is an advanced type of captcha: instead of typing letters and numbers, a human needs to recognize what object is common to a set of images. It was the first example of a captcha based on image recognition, and it is recommended by www.captcha.net.

It is an advanced captcha that can't be bypassed by OCR, but it can be bypassed using my method. This captcha is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 13.09.2007.

To bypass the captcha you need to use the same tag and words values many times (for every post). This is the classic MustLive CAPTCHA bypass method, which easily bypasses even such advanced captchas.

Insufficient Anti-automation:

ESP-PIX CAPTCHA bypass.html

This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

P.S.

Tomorrow I will total up the project's results.

MoBiC-29 Bonus: XSS in WP-ContactForm

22:58 29.11.2007

Let's continue our talk about the latest participant of the project, WP-ContactForm. It is a plugin for WordPress. The vulnerable version is WP-ContactForm 2.0.7 (and previous versions).

In addition to Insufficient Anti-automation, this plugin with a built-in captcha is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 26.11.2007.

There are six XSS holes and they are persistent XSS (in some cases CSRF + XSS attacks can be used). The holes are on the plugin options page (http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php) in the parameters wpcf_email, wpcf_subject, wpcf_question, wpcf_answer, wpcf_success_msg, wpcf_error_msg. To attack, you need to make a POST request to the plugin options script.

XSS:

For attacking the admin only (on the options page):

WP-ContactForm XSS.html

WP-ContactForm XSS2.html

WP-ContactForm XSS3.html

WP-ContactForm XSS4.html

For attacking every user of the site (on the contact page):

WP-ContactForm CSRF5.html
WP-ContactForm XSS5.html

For attacking every user of the site on the contact page (and the admin on the options page):

WP-ContactForm XSS6.html

WP-ContactForm XSS7.html

For attacking every user of the site (on the contact page):

WP-ContactForm CSRF8.html
WP-ContactForm XSS8.html

WP-ContactForm CSRF9.html
WP-ContactForm XSS9.html

These exploits are for educational purposes only. Don't use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site's URL and other data).

Moral: always make more secure captchas, and without XSS holes.

MoBiC-29: WP-ContactForm CAPTCHA bypass

20:44 29.11.2007

The next participant of the project is WP-ContactForm (its new version with a built-in captcha, made by another author). It is a plugin for WordPress. The vulnerable version is WP-ContactForm 2.0.7 (and previous versions).

I already wrote about vulnerabilities in WP-ContactForm; that was in the original version of the plugin. Recently I fully tested it and found many new holes, and I'll post information about the new holes in the original WP-ContactForm plugin later. I also fully tested the new version of this plugin and found many holes. It's a very popular plugin (and the version with captcha too), so there are many sites at risk with this plugin.

This is a text logical captcha and it is vulnerable to the constant value bypass method. I found this Insufficient Anti-automation hole on 22.11.2007.

To bypass the captcha you need to use the same wpcf_response value for every post. The constant value bypass method is similar to the MustLive CAPTCHA bypass method (the same value is sent many times).

Insufficient Anti-automation:

WP-ContactForm CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

I found this hole at blogsecurity.net, which uses the WP-ContactForm plugin. It is a security site, so they need more reliable protection. I have already informed the admin of the site about this issue.

Insufficient Anti-automation:

blogsecurity.net CAPTCHA bypass.html

Guys, don't overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

P.S.

I have also prepared other vulnerabilities in WP-ContactForm, so wait for today's bonus post ;-) .

MoBiC-28 Bonus: XSS in Cryptographp

22:54 28.11.2007

In this post of Month of Bugs in Captchas we continue our talk about one of the previous participants of the project, Cryptographp. It is a captcha plugin for WordPress. The vulnerable version is Cryptographp 1.2 (and previous versions).

In addition to Insufficient Anti-automation, this captcha is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 22.11.2007.

There are 24 XSS holes and they are persistent XSS. The holes are on the plugin options page (http://site/wp-admin/options-general.php?page=cryptographp/admin.php) in the parameters cryptwidth, cryptheight, bgimg, charR, charG, charB, charclear, tfont, charel, charelc, charelv, charnbmin, charnbmax, charspace, charsizemin, charsizemax, charanglemax, noisepxmin, noisepxmax, noiselinemin, noiselinemax, nbcirclemin, nbcirclemax, brushsize. To attack, you need to make a POST request to the plugin options script.

XSS:

Cryptographp XSS.html

Cryptographp XSS2.html

Cryptographp XSS3.html

Cryptographp XSS4.html

Cryptographp XSS5.html

Cryptographp XSS6.html

Cryptographp XSS7.html

Cryptographp XSS8.html

Cryptographp XSS9.html

Cryptographp XSS10.html

Cryptographp XSS11.html

Cryptographp XSS12.html

Cryptographp XSS13.html

Cryptographp XSS14.html

Cryptographp XSS15.html

Cryptographp XSS16.html

Cryptographp XSS17.html

Cryptographp XSS18.html

Cryptographp XSS19.html

Cryptographp XSS20.html

Cryptographp XSS21.html

Cryptographp XSS22.html

Cryptographp XSS23.html

Cryptographp XSS24.html

These exploits are for educational purposes only. Don't use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site's URL and other data).

Moral: always make more secure captchas, and without XSS holes.

MoBiC-28: IPB CAPTCHA bypass

20:23 28.11.2007

The next participant of the project is the Invision Power Board captcha, which is used on the registration page. The vulnerable version is IPB 2.2.0 (and previous, and possibly later, versions). Forum engines have vulnerable captchas too.

According to Google, there are up to 3130000 sites on the Internet running this forum engine. Counting all the sites that use IPB but carry no “Powered by Invision Power Board” sign, there are potentially millions more sites at risk with this insecure captcha.

This captcha is vulnerable to the half-automated method, one of the Advanced MustLive CAPTCHA bypass methods. I found this Insufficient Anti-automation hole on 05.08.2007.

In the half-automated method you need to prepare captcha image-code pairs beforehand (because of one-time captcha images). To bypass, you need to use new regid and reg_code values for every post. It's not fully automated, but it's still a half-automated bypass (without using OCR, only using vulnerabilities in the captcha directly). Those who don't want to do the work themselves can use cheap labour to prepare image-code pairs, or use OCR software (even for non-real-time recognition). If in the case of personal captcha bypassing this method is not too effective, then combined with cheap labour (or the porn variant) or OCR it is a very effective method (and in that case it can be fully automated). And bad guys often use such techniques. That is why web developers need to improve captchas which are vulnerable to the half-automated method, to prevent spam and other automated activity: if not OCR, then at least the labour and porn variants.

Insufficient Anti-automation:

IPB CAPTCHA bypass.html

This exploit is for educational purposes only. Don't use it for malicious purposes on any site running Invision Power Board.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: try to make more secure captchas.

P.S.

I have also prepared other vulnerabilities in one captcha, so wait for today's bonus post ;-) .

MoBiC-27: internetua.com CAPTCHA bypass

22:56 27.11.2007

The next participant of the project is the captcha at internetua.com, which is used in the comments form at the site.

This captcha is vulnerable to the session reusing with null captcha bypass method. I found this Insufficient Anti-automation hole on 04.11.2007.

The session reusing with null captcha bypass method is a very tricky method, similar to the session reusing with constant captcha bypass method. To bypass, you need to send the first message with the captcha code and then use an empty security_code value for every post (during the current session). After you see the first captcha image, you need to turn off images, so the captcha will not be regenerated and you can use the empty (null) captcha code many times. By the way, when I retested this hole I found that they had made some changes at the site, so the captcha is now bypassed via the session reusing with constant captcha bypass method (using not a null, but the same captcha code).

Insufficient Anti-automation:

internetua.com CAPTCHA bypass.html

Guys, don't overdo it with this captcha bypass test. Don't post too much at this site. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

MoBiC-26 Bonus: XSS in Captcha!

22:48 26.11.2007

Let's continue our talk about the latest participant of the project, Captcha!. It is a captcha plugin for WordPress. The vulnerable version is Captcha! 2.5d (and previous versions).

In addition to Cross-Site Request Forgery and Insufficient Anti-automation, this captcha is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 10.11.2007.

There are four XSS holes and they are persistent XSS. The holes are on the plugin options page (http://site/wp-admin/options-general.php?page=captcha\captcha.php) in the parameters captcha_ttffolder, captcha_numchars, captcha_ttfrange, captcha_secret. To attack, you need to make a POST request to the plugin options script.

XSS:

Captcha! XSS.html

Captcha! XSS2.html

Captcha! XSS3.html

Captcha! XSS4.html

These exploits are for educational purposes only. Don't use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site's URL and other data).

Moral: always make more secure captchas, and without XSS holes.

MoBiC-26: Captcha! CAPTCHA bypass

20:25 26.11.2007

The next participant of the project is Captcha!. It is a captcha plugin for WordPress. The vulnerable version is Captcha! 2.5d (and previous versions).

This is a very popular captcha plugin. It's one of the recommended captcha plugins at codex.wordpress.org, so there are many thousands of sites at risk with this plugin.

This captcha is vulnerable to CSRF and to the Null string bypass method. I found these Cross-Site Request Forgery and Insufficient Anti-automation holes on 10.11.2007.

The Null string bypass method is a very tricky method. First you make a CSRF attack, and after that you will be able to bypass the captcha easily. This captcha uses one-time images, so you need this tricky method to bypass it. Using CSRF you set the captcha_numchars option to 0. After that you send messages with empty public_key and private_key values (null strings) or without these parameters at all (similar to MoBiC-10 Bonus: another PHP-Nuke CAPTCHA bypass). And so you bypass the captcha, and so does everyone who sends messages after you. It's social spam style :-D - one hacks the captcha, all spam.

CSRF + Insufficient Anti-automation:

Captcha! CSRF.html
Captcha! CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: never make such insecure captchas.
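As an added example (not code from Captcha! or any other MoBiC participant), here is a small Python verifier that models the weak pattern behind the bypasses described in this archive, the same code reused for every post (MoBiC-30, MoBiC-29), an empty code accepted as a null captcha (MoBiC-27) and the captcha_numchars set to 0 step of the Null string bypass above (MoBiC-26), next to a hardened version that consumes each challenge after one attempt, refuses empty answers and refuses a challenge length below a minimum. The class and function names and the MIN_CHARS policy are my assumptions.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
MIN_CHARS = 4  # constructed policy: the options page may not go lower


def set_numchars(value):
    """Options-page validation; the 0 that a CSRF request would set is refused."""
    n = int(value)
    if n < MIN_CHARS:
        raise ValueError(f"numchars must be at least {MIN_CHARS}")
    return n


class WeakCaptchaStore:
    """The pattern behind the bypasses: the expected code is stored per
    session and compared, but never consumed, and a session with no
    challenge (or a zero-length one) compares equal to an empty post."""

    def __init__(self, numchars=6):
        self.numchars = int(numchars)  # no lower bound, so 0 is accepted
        self.pending = {}  # session id -> expected code

    def issue(self, session_id):
        code = "".join(secrets.choice(ALPHABET) for _ in range(self.numchars))
        self.pending[session_id] = code
        return code

    def verify(self, session_id, submitted):
        # Same code passes on every post; "" passes when nothing was issued.
        return self.pending.get(session_id, "") == (submitted or "")


class CaptchaStore(WeakCaptchaStore):
    """Hardened verifier: minimum length, single use, no empty answers."""

    def __init__(self, numchars=6):
        super().__init__(set_numchars(numchars))

    def verify(self, session_id, submitted):
        expected = self.pending.pop(session_id, None)  # consumed on any attempt
        if expected is None or not submitted:
            return False  # no outstanding challenge, or a null answer
        return hmac.compare_digest(expected, submitted.strip().upper())
```

Because the hardened store pops the challenge on every attempt, a wrong or repeated answer forces a fresh image, which is what makes the reuse, null and constant value methods above fail.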

P.S.

I have also prepared other vulnerabilities in Captcha!, so wait for today's bonus post ;-) .