Hi,
I haven't been here for a while, one because I fought with one of the *reputated* admins and another because I have been busy with school. meh, anyway, I just came back to Evilzone today and tried resetting my password and see whats been up in ~year (since i forgot it) then notice a very lame password reset logical flaw.
when you reset your password, evilzone will mail you a link similar to,
https://evilzone.org/reminder/?sa=setpassword;u=13473;code=5c24bf48baI haven't done a perfect cryptanalysis but so far I have noticed the url contains my userid (13473) and the reset code.
But if you notice carefully, the reset code is a substr version of MD5 value of some random hash and the worst part being, it have a constant length (10).
So taking that, we can construct all the possible values of that password reset hash.
md5 is hexadecimal, meaning there are 0-F characters. (abcdef0123456789), that is 10 numbers, 6 letters, 16 total characters. since its always 10 constact length, its 16^10, that is equvallent to
1,099,511,627,776 possible values. and thats very small, so I wrote a final python script to have all the possible password reset URL's
Now, all we got to do is reset the user (
https://evilzone.org/reminder/) then all we got to do is know the userid, (simply by going to the user profile and clicking on personal message, the URLcontains the user ID, like
https://evilzone.org/pm/?sa=send;u=13473) so the password reset pseudo would look like
https://evilzone.org/reminder/?sa=setpassword;u=USERID;code=
HASHthen after making a simple python script to send all the requests, we can takeover ALL Evilzone accounts.
Have zombies? Makes things even easier!
Enjoy!
Show Posts
and still RCE in Forums is enough to infect more users and escalate the attack to more worse scenarios, very worse (I leave that to your imaginations)