Vulneralbility in aplication Billing Explorer

From: XNUXER RESEARCH (xnuxerat_private)
Date: Mon Jul 07 2003 - 10:02:49 PDT

Next message: Hugo : "XSS in OWA allows stealing windows domain user credentials"

Previous message: Adam H. Pendleton: "Re: MacOSX - crash screensaver locked with password and get the desktop back"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

XNUXER RESEARCH SECURITY REPORT:
================================================================
Aplication Name: Billing Explorer
Vendor Site    : http://www.billingexplorer.com
Vendor Email   : info_008at_private
Security       : High Risk
Vulnerable     : String command and Client Handle
without check control and without Encryption.
Version        : All versions.
Description    :
 
Billing Explorer is aplication which created on visual
basic. It's used to calculate duration
internet time using. I found that aplication isn't
encrypt the data when send to client and
It also not check what the client is login or not so
we can send spoofing packet to Billing
Explorer and act as server or other client.

Impact         : 
- Posible to shutdown, restart and logoff client from
other client without login.
- Send message to client as server.
- Spying client with remote client fasility from other
client.
- Zeroning duration time without relogin or stoping.
- Possible to hijacking password admin client and
password exit client. :P

Found by     : SCHIZOPRENIC
Organization : Xnuxer Research of Internet Security
Location     : Indonesia
Site         : http://infosekuriti.com (donation by
fans)

Exploitation :
In example if you want nulling duration time, firstly
you must connect to billing server 
(default configuration on billing use port: 1500) and
send packet data to server with sintaks:

         XXX$con$<client number>$<username>

The server would respon and send back data like this:

         YYY$con$13:19:22$adminclientpass$12:00:00 AM

if you send again like the first packet to billing. It
will recalculate duration time begin to
null. The Billing stupid too, we can send with
multiple connection and actions as same client
with same login without restricted. 

To shutdown other client you can send the packet data
with sintaks: YYY$shut$<num client>$5
Another command sintaks owned by me and programmer of
billing explorer (LoL) :D and not 
publishied here.

Response:
Vendor contacted without response yet.

SCHIZOPRENIC (researcher)
==========================
Xnuxer Research of Internet Security since 2001
For Education Purpose

YAHOO is suck to post, many my report can't post to bugtraq
-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze

Next message: Hugo : "XSS in OWA allows stealing windows domain user credentials"
Previous message: Adam H. Pendleton: "Re: MacOSX - crash screensaver locked with password and get the desktop back"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 13:03:14 PDT