Full Version: Radmin Exploit
lonely
Does anyone have a radmin exploit?
twistedps
QUOTE (lonely @ Jun 2 2004, 05:54 PM)
Does anyone have a radmin exploit?

nope. did some analysis on the authentication structure and posted results on the board previously, but other than that havent seen anything, apparently XVIII or something (forget ya name, sorry lol), has coded a blank pass checker, but ill believe it when i see it. tongue.gif
Paul
QUOTE (KuerbY @ Jun 2 2004, 06:03 PM)
trash ;D
http://www.governmentsecurity.org/forum/in...?showtopic=9176

I would call that spam wink.gif laugh.gif
Tacreno
there is but it is very private and often requires a bruteforce smile.gif
twistedps
QUOTE (Tacreno @ Jun 2 2004, 07:53 PM)
there is but it is very private and often requires a bruteforce smile.gif

is there an advisory on it?
or any information relating to where this fault takes place in the program?
tazthedev
FOR THE LAST TIME, THERE IS NO EXPLOIT !!!
BuzzDee
CODE
FOR THE LAST TIME, THERE IS NO EXPLOIT !!!


wrong! there is wink.gif
eXist
A brute forcer isn't an exploit. I'm sure there have been numerous brute forcers coded specifically for this program.
twistedps
QUOTE (BuzzDee @ Jun 3 2004, 05:32 AM)
CODE
FOR THE LAST TIME, THERE IS NO EXPLOIT !!!


wrong! there is wink.gif

what is it? a buffer overflow? heap? any information about this vulnerability?
BuzzDee
ah sry i mixed up things. there is an exploit but no buffer overflow or sth like that occurs. it just "exploits" the [null] pass of radmin and gives u a shell. so for making use of this security flaw u actually don't need that exploit. it just saves u time wink.gif

but i won't post this exploit - so plz dont ask
Killaloop
QUOTE (BuzzDee @ Jun 4 2004, 10:00 AM)
ah sry i mixed up things. there is an exploit but no buffer overflow or sth like that occurs. it just "exploits" the [null] pass of radmin and gives u a shell. so for making use of this security flaw u actually don't need that exploit. it just saves u time wink.gif

but i won't post this exploit - so plz dont ask

you dont seem to understand what an exploit is.
is ipcscan an exploit? is sqlscan an exploit? no! why should a radmin password scanner be one?
so just stop telling people you got an exploit if you dont even have one.
there is no exploit for remote administrator and no published software vulnerability in it.
just some kids use radmin as backdoor and forget to set a password (a real radmin installation can't be done without entering a password so it's a hacked installation) and thats what you call an exploit if you scan for this?
its a joke and not even a good one
TRi
QUOTE (Killaloop @ Jun 4 2004, 10:59 AM)
QUOTE (BuzzDee @ Jun 4 2004, 10:00 AM)
ah sry i mixed up things. there is an exploit but no buffer overflow or sth like that occurs. it just "exploits" the [null] pass of radmin and gives u a shell. so for making use of this security flaw u actually don't need that exploit. it just saves u time wink.gif

but i won't post this exploit - so plz dont ask

you dont seem to understand what an exploit is.
is ipcscan an exploit? is sqlscan an exploit? no! why should a radmin password scanner be one?
so just stop telling people you got an exploit if you dont even have one.
there is no exploit for remote administrator and no published software vulnerability in it.
just some kids use radmin as backdoor and forget to set a password (a real radmin installation can't be done without entering a password so it's a hacked installation) and thats what you call an exploit if you scan for this?
its a joke and not even a good one

F*cking agree man, how come everyone (ed. script kiddie) thinks there is an exploit for everything even their gameboy? People either only read lame tuts in some fxpforums or they're reading the Mirror. Dunno how this developed, but I know for sure that there isnt a bruteforce-exploit biggrin.gif
twistedps
heh. i wonder how the hell that blank pass scanner works when the hash being sent back and forth changes each time... weird.
WeeDMoNKeY
i used to have an irc bot i got from a buddy of mine that would ACTUALLY work, scan blank radmin passwords and snuff.. too bad i got a virus and formatted :/
eXist
Maybe this will be of some interested to people reading up on this:
hxxp://www.cnhonker.com/index.php?module=tools&act=view&type=3&id=85

Though I don't know why you'd go to so much trouble for radmin. Sorry I can't translate the page or the program.
tibbar
of course there are blank pass scanners for radmin - try looking at the source of a worm like age/phat bot. ive seen friends use these on .jp ranges with a scary level of success (i.e. about 1 positive scan every 20mins,with only 20 bots scanning).

not my cup of tea, but thought the wannabe black hat skiddies might like to know.
aapje
There was an authentication bypass, don't know where i read it anymore, but some guy made it and posted a story about it, but he also contacted radmin so it's probably fixed and i think no one has it.

blank passes is just like sql, just stupid admins.
eXist
For anyone that wants to research further:
http://www.securityfocus.com/archive/1/354...16/2004-02-22/0
http://www.famatech.com/support/forum/read...FID=11&TID=5856

Of particular interest:
QUOTE
Hi folks ,
this is me again ;
"Due to privacy reasons my nick is ????? "
===========================
= Radmin 2.1 Advisory =
===========================
Mission Accomplished
===========================

as i mentioned before , we`re still working on this staff . every new day of research
reveal new things .
I`m posting again , cus i saw something posted to securityfocus.com mailing list
about our staff .
I`m here to confirm that ,
the vulnerability is NOT against NT-authentication scheme . we successfully
gained access to win2k/xp boxes with
"Radmin 2.1 " installed .

I`m here to give some hints for Radmin users
to stay safe  yeah , we`re here to help
not to fight .
Most of u i`m sure , asking urself
why only ONE authenticate ?!
it`s cus of the way , server try to authenticate u . there is already a post here in this forum which describe that .

and about the poc , vendor , and the patch.
we heard that version 3.0 may come out .
we decided to wait till that , and
check if that version is vulnerable too ,
if NOT , we would release the poc to public
else , we would NOT publish it to >public<
even for vendors 
they think they r safe. so let them
think safe !

and another hint ,
Up to this moment there are 2 ( two ) different vulnerabilities discovered
for this piece . the other one is related
to admdll.dll ... we did NOT discover that
one and we`re NOT responsible for that tongue.gif

what should u do ?!
-use ACL`s
-use NT-authentication (although it have it`s
own bug -related to OS-
-change the default port
-keep tight ur packet sniffers 


.EOF

That was from a few months ago though, 4 actually.

Google and read what you find if you're still interested in this.
twistedps
QUOTE (eXist @ Jun 6 2004, 08:13 AM)
For anyone that wants to research further:
http://www.securityfocus.com/archive/1/354...16/2004-02-22/0
http://www.famatech.com/support/forum/read...FID=11&TID=5856

Of particular interest:
QUOTE
Hi folks ,
this is me again ;
"Due to privacy reasons my nick is ????? "
===========================
= Radmin 2.1 Advisory =
===========================
Mission Accomplished
===========================

as i mentioned before , we`re still working on this staff . every new day of research
reveal new things .
I`m posting again , cus i saw something posted to securityfocus.com mailing list
about our staff .
I`m here to confirm that ,
the vulnerability is NOT against NT-authentication scheme . we successfully
gained access to win2k/xp boxes with
"Radmin 2.1 " installed .

I`m here to give some hints for Radmin users
to stay safe  yeah , we`re here to help
not to fight .
Most of u i`m sure , asking urself
why only ONE authenticate ?!
it`s cus of the way , server try to authenticate u . there is already a post here in this forum which describe that .

and about the poc , vendor , and the patch.
we heard that version 3.0 may come out .
we decided to wait till that , and
check if that version is vulnerable too ,
if NOT , we would release the poc to public
else , we would NOT publish it to >public<
even for vendors 
they think they r safe. so let them
think safe !

and another hint ,
Up to this moment there are 2 ( two ) different vulnerabilities discovered
for this piece . the other one is related
to admdll.dll ... we did NOT discover that
one and we`re NOT responsible for that tongue.gif

what should u do ?!
-use ACL`s
-use NT-authentication (although it have it`s
own bug -related to OS-
-change the default port
-keep tight ur packet sniffers 


.EOF

That was from a few months ago though, 4 actually.

Google and read what you find if you're still interested in this.

some great information there man, thanks for sharing!

*continues reading*
twistedps
started to disassemble some interesting things in the admdll.dll

interesting export functions:
100044d0h - GetClientNextDataBuf
10004750h - GetMaxBufferSize
10004330h - GetServerNextDataBuf

.... those go in order (other functions in between them), but what i noticed was it doesn't seem to call GetMaxBufferSize again, which possibly may make it not check the GetServerNextDataBuf length, resulting in a buffer or heap overflow (I'm not too experienced with this, so other suggestions would be great)...
I have also checked them out in the debugger, and found the following:

QUOTE

    Align 8
GetServerNextDataBuf:
    push ecx
    push esi
    mov esi,[esp+14h]
    lea eax,[esp+04h]
    lea ecx,[esp+14h]
    mov edx,[esi]
    push eax
    mov eax,[esp+14h]
    push ecx
    push edx
    mov dword ptr [esp+10h],00000000h
    mov ecx,[eax+04h]
    mov edx,[eax]
    mov eax,[esp+18h]
    push ecx
    push edx
    push eax
    call SUB_L100041B0
    mov ecx,[esp+2Ch]
    add esp,00000018h
    test eax,eax
    mov [esi+04h],ecx
    jz  L10004382
    mov edx,[esp+18h]
    mov eax,[esp+04h]
    pop esi
    mov [edx],eax
    mov eax,00000001h
    pop ecx
    retn 0010h


QUOTE

    Align 16
GetClientNextDataBuf:
    mov eax,[esp+10h]
    push esi
    mov esi,[esp+10h]
    push 00000000h
    push eax
    mov eax,[esp+14h]
    mov edx,[esi]
    lea ecx,[esp+1Ch]
    push ecx
    mov ecx,[eax+04h]
    push edx
    mov edx,[eax]
    mov eax,[esp+18h]
    push ecx
    push edx
    push eax
    call SUB_L10004040
    add esp,0000001Ch
    test eax,eax
    jz  L10004510
    mov ecx,[esp+14h]
    mov eax,00000001h
    mov [esi+04h],ecx
    pop esi
    retn 0010h


QUOTE

;------------------------------------------------------------------------------
    Align 8
GetMaxBufferSize:
    mov eax,[L100128C4]
    retn



anyone?
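An added illustration (not twistedps's code and not anything from admdll.dll) of the length check the post above is looking for: a receiver that validates a peer-declared buffer length against both the bytes actually received and the once-negotiated maximum before anything is copied. The 4-byte length framing, the function names and the 64-byte maximum are hypothetical, constructed for this example only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical framing, constructed for this example: a 4-byte little-endian
 * payload length followed by the payload. It is NOT Radmin's wire format. */
enum buf_status { BUF_OK = 0, BUF_SHORT_HEADER = 1, BUF_OVERSIZE = 2, BUF_TRUNCATED = 3 };

/* Stand-in for a "max buffer size" fetched once at start-up (hypothetical value). */
static uint32_t get_max_buffer_size(void) { return 64; }

/* Parse the declared length and validate it against BOTH the negotiated maximum
 * and the bytes actually received. Neither check can be skipped: the first one
 * is the re-check against GetMaxBufferSize-style limits, the second catches a
 * peer that declares more than it sent. */
static enum buf_status check_next_buf(const uint8_t *in, size_t in_len, uint32_t *out_len) {
    if (in_len < 4) return BUF_SHORT_HEADER;
    uint32_t declared = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                        ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
    if (declared > get_max_buffer_size()) return BUF_OVERSIZE;
    if (declared > in_len - 4) return BUF_TRUNCATED;
    *out_len = declared;
    return BUF_OK;
}

/* Copy the payload into a caller-owned buffer only after the check passes and
 * the destination is large enough. Returns bytes copied, or -1 if rejected. */
static int next_data_buf(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_sz) {
    uint32_t n;
    if (check_next_buf(in, in_len, &n) != BUF_OK || n > out_sz) return -1;
    memcpy(out, in + 4, n);
    return (int)n;
}

/* Constructed sample frames. */
static const uint8_t good_frame[]      = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t oversize_frame[]  = { 0x00, 0x10, 0, 0, 'x' };  /* declares 4096 bytes */
static const uint8_t truncated_frame[] = { 9, 0, 0, 0, 'a', 'b' };   /* declares 9, carries 2 */

/* Small wrapper so each sample's verdict can be read back as an int. */
static int frame_status(const uint8_t *frame, size_t len) {
    uint32_t n;
    return (int)check_next_buf(frame, len, &n);
}

int main(void) {
    uint8_t out[64];
    printf("good: status %d, copied %d\n", frame_status(good_frame, sizeof good_frame),
           next_data_buf(good_frame, sizeof good_frame, out, sizeof out));
    printf("oversize: status %d\n", frame_status(oversize_frame, sizeof oversize_frame));
    printf("truncated: status %d\n", frame_status(truncated_frame, sizeof truncated_frame));
    return 0;
}
```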
twistedps
bump? anyone have any info on this?
Serhat
QUOTE (WeeDMoNKeY @ Jun 5 2004, 02:59 AM)
i used to have an irc bot i got from a buddy of mine that would ACTUALLY work, scan blank radmin passwords and snuff.. too bad i got a virus and formatted :/

Release notes for Radmin 2.2

-To prevent incorrect Radmin server configurations, it now cannot be used without a password or NT security. Blank password installs are no longer possible.
-Smart protection from password-guessing and DoS-attacks. This protection includes the following features: anti-hacker delays, attacker IP banning, etc.
-Server password protection. Now the server software actively protects its settings, which are stored in the system registry. Only a user with administrator privileges can access this registry branch.
-New, fully OS-integrated NT security system with NTLMv2 support. Now permissions for Radmin connections can be given to users from trusted domains and Active Directories. Also, our users will see a familiar security GUI from the Windows OS series.
-Radmin server now starts as a service only on Windows NT/2000/XP, which improves security.

So that problem will be fixed wink.gif

Serhat
B3T4
and 2.2 is out
-=[MePhIsTo]=-
i thought the new Version should be 3.0 ? blink.gif
Serhat
QUOTE (-=[MePhIsTo]=- @ Jun 22 2004, 04:46 AM)
i thought the new Version should be 3.0 ? blink.gif

2.2 is Final..
3.0 is in Beta stage at the moment if I am not mistaken..
They just wanted to fix the little bugs in 2.1 while they were busy with the 3.0 BETA I guess

Serhat smile.gif
Invision Power Board © 2001-2005 Invision Power Services, Inc.