Full Disclosure mailing list archives
Re: NSRG-Security SaS Encryption cracked
From: John Sage <jsage () finchhaven com>
Date: Wed, 15 Oct 2003 01:20:33 -0700
hmm.. On Wed, Oct 15, 2003 at 01:55:10AM -0500, Paul Tinsley wrote:
----------------------------------------------------------------------
Product: SaS (Security Application Server)
Vendor: NSRG (No Secure Root Group Security Research)
Lorenzo Hernandez Garcia-Hierro
<lorenzohgh () nsrg-security com>
Impact: Intellectual property disclosure
Bulletin-ID: PT.2003.0001
-----------------------------------------------------------------------
Product Description (From Vendor Website):
We are happy to announce that sas website is now ( again ) online in this
server by accessing sas.nsrg-security.com , migrate your links to this
server. The portal version is the latest of phpWebSite. We trust in
phpWebSite , a very secure solution in this last version ( old versions are
affected by SQL Injections , XSS attacks and PD attacks , discovered by
Lorenzo H G-H/trulux ).
Method of Disclosure:
If you have the GET script installed:
GET http://www.nsrg-security.com | lorenzo_decode.pl > outfile.html
If you have wget:
wget http://www.nsrg-security.com -O enc.html
lorenzo_decode.pl < enc.html > outfile.html
Background:
After the veritable cornucopia of website exploits posted today on
full-disclosure, I was inspired to audit a few websites myself. I started
with the author of all the IMHO frivolous postings and found that he
"encrypted" his website with something called SaS that his group wrote.
I figured, man, this Lorenzo guy has lots of free time to pick apart
everybody's websites; his must be top notch. "Exploit" code is attached
and also available at:
http://jackhammer.org/exploits/lorenzo_decode.pl
Cheers,
Paul Tinsley
[jsage@sparky /storage/virii] $ wget http://www.nsrg-security.com -O enc.html
--01:08:01--  http://www.nsrg-security.com/
           => `enc.html'
Resolving www.nsrg-security.com... done.
Connecting to www.nsrg-security.com[217.174.193.31]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                  ] 99,239         5.60K/s

01:08:22 (5.60 KB/s) - `enc.html' saved [99239]

[jsage@sparky /storage/virii] $ less enc.html
<!-- Web Site desing by Lorenzo Hernandez Garcia-Hierro--><!-- Encrypted using Security Application Server of No Secure Root Group Security Research -->
<script language=JavaScript type=text/javascript>
function decrypt_p(x){
  var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
  t=Array(63,8,24,49,19,61,12,0,45,7,0,0,0,0,0,0,46,31,20,5,37,43,6,28,29,38,56,53,54,2,62,4,51,42,32,57,33,58,44,41,50,59,21,0,0,0,0,55,0,52,27,47,30,14,13,23,35,3,15,60,1,25,26,39,34,18,22,11,17,40,10,16,9,48,36);
  for(j=Math.ceil(l/b);j>0;j--){
    r='';
    for(i=Math.min(l,b);i>0;i--,l--){
      w|=(t[x.charCodeAt(p++)-48])<<s;
      if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}
    }
    document.write(r)
  }
}
decrypt_p("CIxTTE@S3PA5Rg2Y3hdUCrjkooeYIgJT1QupXbWSvQ2J39dT89jUWg2zsrmT3Af3sbfPtPVXs4GXvQ1JEAJIuNnIf9fXxcxQcImP74Gyb
/* snip */

[jsage@sparky /storage/virii] $ ./lorenzo_decode.pl < enc.html > outfile.html

/* NOTE: performed only after a thorough security audit of the perl source -- one can't be any too careful these days, can one? */

[jsage@sparky /storage/virii] $ less outfile.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>.::-No Secure Root Group Security Research-::. - You can be secure thinking the opposite</title>
<link rel="stylesheet" type="text/css" href="http://www.nsrg-security.com/visual/clean/style.css" title="clean">
/* snip */

Awesome work, man, awesome work.

As for you, Lorenzo, back to the drawing board...

- John
--
"You are in a twisty maze of weblogs, all alike."
- John Sage: InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
- ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
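The decrypt_p() routine quoted from enc.html above is the whole "encryption": the substitution table, the XOR constant and the unpacking loop all travel inside the page, so any client can recover the HTML without a key. The following is an added example, written for this page and not code from the original post, from Paul Tinsley's lorenzo_decode.pl, or from NSRG. It re-implements the same bit-level logic as a function that returns the text instead of calling document.write(), adds the matching encoder so the scheme can be exercised on constructed input, and checks that the table is a plain substitution over a 64-character alphabet. The function names (sasDecode, sasEncode, extractSasPayload, sasTableIsPermutation), the SAMPLE_HTML page and the regex used to pull the payload out of a fetched page are my own assumptions; the table, the constant 165 and the twelve-character payload prefix are copied from the quoted page.

```javascript
// Added example: stand-alone re-implementation of the "SaS" client-side decoder
// quoted on this page, plus its inverse. The scheme reduces to XOR every byte
// with a fixed constant, then emit the bytes as 6-bit symbols (low bits first,
// base64-style) through a 64-character substitution alphabet. Because the
// table, the constant and the routine ship in the page, it is an encoding,
// not encryption. Function names and the sample page are constructed here.

// Substitution table copied from decrypt_p() in the quoted enc.html:
// index = charCode - 48, entry = 6-bit value. Entries for characters outside
// the alphabet (':' .. '?', '[' .. '^', '`') are just 0 padding.
const SAS_TABLE = [
  63, 8, 24, 49, 19, 61, 12, 0, 45, 7, 0, 0, 0, 0, 0, 0, 46, 31, 20, 5, 37, 43,
  6, 28, 29, 38, 56, 53, 54, 2, 62, 4, 51, 42, 32, 57, 33, 58, 44, 41, 50, 59,
  21, 0, 0, 0, 0, 55, 0, 52, 27, 47, 30, 14, 13, 23, 35, 3, 15, 60, 1, 25, 26,
  39, 34, 18, 22, 11, 17, 40, 10, 16, 9, 48, 36,
];

// XOR byte hard-coded in the page's decoder (165 == 0xA5).
const SAS_XOR = 165;

// The 64 characters the table assigns a value to: digits, '@', A-Z, '_', a-z.
const SAS_ALPHABET = '0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz';

// Inverse table for the encoder: 6-bit value -> alphabet character.
const SAS_ENCODE = (() => {
  const out = new Array(64);
  for (const ch of SAS_ALPHABET) out[SAS_TABLE[ch.charCodeAt(0) - 48]] = ch;
  return out;
})();

// True when the alphabet maps onto 0..63 exactly once, i.e. the table is a
// plain substitution (the decoder could not be unambiguous otherwise).
function sasTableIsPermutation() {
  return SAS_ENCODE.every((c) => typeof c === 'string') && new Set(SAS_ENCODE).size === 64;
}

// Same bit-level logic as decrypt_p(), but returns the text instead of
// document.write()-ing it, and rejects characters outside the alphabet.
function sasDecode(encoded) {
  let w = 0, s = 0, out = '';
  for (let p = 0; p < encoded.length; p++) {
    const ch = encoded[p];
    if (!SAS_ALPHABET.includes(ch)) {
      throw new Error(`character ${JSON.stringify(ch)} at offset ${p} is not in the SaS alphabet`);
    }
    w |= SAS_TABLE[ch.charCodeAt(0) - 48] << s;   // accumulate 6 bits at shift s
    if (s) {                                       // a whole byte is now available
      out += String.fromCharCode(SAS_XOR ^ (w & 255));
      w >>= 8;
      s -= 2;                                      // shifts run 6,4,2,0: 4 symbols -> 3 bytes
    } else {
      s = 6;
    }
  }
  return out;
}

// Inverse of sasDecode for Latin-1 text: XOR first, then pack low 6 bits first.
function sasEncode(plain) {
  let w = 0, bits = 0, out = '';
  for (let i = 0; i < plain.length; i++) {
    w |= ((plain.charCodeAt(i) & 255) ^ SAS_XOR) << bits;
    bits += 8;
    while (bits >= 6) {
      out += SAS_ENCODE[w & 63];
      w >>= 6;
      bits -= 6;
    }
  }
  if (bits > 0) out += SAS_ENCODE[w & 63];        // trailing partial symbol; the scheme has no padding
  return out;
}

// Pull the string literal passed to decrypt_p("...") out of a fetched page,
// which is the step any offline decoder has to perform first.
function extractSasPayload(html) {
  const m = /decrypt_p\("([^"]*)"\)/.exec(html);
  return m ? m[1] : null;
}

// Constructed sample: a small page wrapped the way enc.html wraps its content.
const SAMPLE_HTML = '<html><head><title>constructed sample</title></head><body>hello</body></html>';
const SAMPLE_PAGE =
  '<script language=JavaScript type=text/javascript>' +
  'function decrypt_p(x){/* routine as on the page */}' +
  'decrypt_p("' + sasEncode(SAMPLE_HTML) + '")</script>';

// First twelve symbols of the real payload quoted in enc.html; they decode to
// the start of the DOCTYPE line seen in outfile.html.
const PAGE_PAYLOAD_PREFIX = 'CIxTTE@S3PA5';

function demo() {
  console.log('table is a permutation of 0..63:', sasTableIsPermutation());
  console.log('decoded prefix:', JSON.stringify(sasDecode(PAGE_PAYLOAD_PREFIX)));
  console.log('round trip ok:', sasDecode(extractSasPayload(SAMPLE_PAGE)) === SAMPLE_HTML);
}
demo();
```

Run with node; the prefix line prints " <!DOCTYP", matching the outfile.html listing above, which confirms the bit ordering. The defensive takeaway is the one the thread makes: a page that must render in an ordinary browser has to hand the browser everything needed to decode it, so client-side obfuscation of this kind protects markup from nothing beyond a casual view-source, and a content-inspection or anti-malware pipeline that sees such a wrapper should decode it rather than treat it as opaque.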
