Hamachi VPN Local Login Credentials Information Disclosure Vulnerability

March 25, 2008

Hi,

Yesterday I’ve released the following advisory on Bugtraq:

Hamachi

Issue can be tested, with my Process Memory Dumper, released yesterday on my WebSite.

The next week I’ll work on other suspect vulnerabilities of Hamachi.

See you to the next post.. :)


Updated

March 24, 2008

Hi,

ProcessMemoryDumper is available for download on my http://evilcry.altervista.org

See you to the next Post


Forum Opened

March 24, 2008

Hi,

Here rains, so I’m at home, I’ve opened on my WebSite a little forum

http://evilcry.altervista.org/phpbb/

and this afternoon I’ll publish the Process Memory Dumper.

I’m also waiting for Secunia¬† response about an advisory written by me and Omni.

See you really soon :)


Symbol Type Viewer 32Bit/64Bit Nice Tool

March 16, 2008

Hi

Today I’ve finded a great tool,Symbol Type Viewer 32Bit/64Bi


Symbol Type Viewer is a tool which makes it possible to easily
visualize the types which can be defined in the symbols of the modules of the
systems Microsoft Windows 32/64bit. Moreover, it makes it possible to convert ( pdb, exe, sys)these informations for the C language (.h) and the disassembler IDA of DataRescue
(.idc).

Link here

See you to the next post.. :)


Process Memory Dumper Finished

March 5, 2008

Hi,

Today I’ve coded a little Process Memory Dumper, just to obtain the entire memory image of a running process.

This will help me to develop a series of applications that exploits a series of Password Disclosure Vulnerable Applications.

Surely, in some time, I’ll publish the source code of the Memory Dumper :)

See you


Banca di Roma Fraud

March 1, 2008

Hi,

Today my Mail-HoneyPot catched a new Fraud, that comes from Japan.

A classical tentive of Bank Fraud, the affected bank is Unicredit Banca di Roma, this is the mail that I’ve received

————————————————————

Gentile CLIENTE,

Nell’ambito di un progetto di verifica dei data anagrafici forniti durante la sottoscrizione dei
servizi di Banca di Roma e stata riscontrata una incongruenza relativa ai dati anagrafici in
oggetto da Lei forniti all momento della sottoscrizione contrattuale.

L’inserimento dei dati alterati puo constituire motivo di interruzione del servizio secondo gli
art. 135 e 137/c da Lei accenttati al momento della sottoscrizione , oltre a constituire reato
penalmente perseguibile secondo il C.P.P. ar. 415 del 2001 relativo alla legge contro il
riciclaggio e la transparenza dei dati forniti in auto certificazione.

Per ovviare al problema e necessaria la verificata e l’aggiornamento dei dati relativi
all’anagrafica dell’Intestatario dei servizi bancari.

Effetuare l’aggiornamento dei dati cliccando sul seguente collegamento sicuro:

Accendi a collegamento sicuro >>

Cordiali Saluti !

| © Banca di Roma S.P.A 2008 Partita Iva 01114601306

————————————————————-

The mail claims an incongruence into Account, so the victim is inducted to reconfirm his Account.

There is a link, for Secure Access, that points at http://www.rwell.co.jp/{Censored}.htm that obviously does not use any form of Secure Connection, suddenly we are redirected to http://oakadaa1.easyvserver.net/roma/{CENSORED}.html that emulates perfectly the Banca di Roma home page.

As usual there is an UserId and Password field to compile, let’s check the source code to know checks perfomed by the attacker..

———————————

if(signupFORM.userid.value == “”){
alert(“Non avete completato il UserID”);return false;
}

if(signupFORM.password.value == “”){
alert(“Non avete completato il Password”);return false;
}

if(signupFORM.userid.value.length <7){
alert(“INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI”);return false;

}

if(signupFORM.userid.value.length >7){
alert(“INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI”);return false;

}

if((signupFORM.password.value.length <6)){
alert(“INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI “);
return false;
}

———————————————–

The function, accepts only numbers for both fields, Userid should be minimum 7 digits long, and password 6.

After clicking here we are driven to the second page..

Where we’re asked for Security Card Id, and Coordinates of Security Card (64 fields), let’s see what are the rules of insertion..

——————————-

if(signupFORM.email.value.length <6){
alert(“Il Numero della Tessera di Sicurezza non e corretto.”);return false;}

—————————–

Card Id, is a 6 digit long number, and .64 Input Boxes of Coordinates, expects 2 digit long value.

After compiling that, the information are completely stolen, and we’re automatically redirected to Real Banca di Roma.

…another stupid classical Bank Fraud..

See you to the next post.. :)


Follow

Get every new post delivered to your Inbox.