[Full-Disclosure] Supposed SaS "encryption" weak - Comments and Info about wrong claims

From: Lorenzo Hernandez Garcia-Hierro (lorenzohgh_at_nsrg-security.com)
Date: 10/15/03

    To: "Full-Disclosure" <full-disclosure@lists.netsys.com>
    Date: Wed, 15 Oct 2003 19:05:35 +0200
    
    

    Dear Paul,
    I've been testing your exploit (a good one) for the supposed HTML encryption
    weakness of SaS.
    I think you took the exploit/Perl script from a developers' site, because SaS
    is using a standard encoding.
    Here is the proof:
    variables for function _fwk_filter_encrypt($content)
    $table = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@";
      $xor = 165;
    As you see, it's not encryption, so you didn't crack anything...
    You decoded it!
    The script is not for protecting site information such as passwords or
    usernames, etc.; it is stupid to use it for those things.
    It is only low protection against people who copy content (people who are
    only interested in copying things) and it's not for critical uses.
    Another thing:
    Here is the code that prepares the tables of encoding characters:
      $table = array_keys(count_chars($table, 1));
      $i_min = min($table);
      $i_max = max($table);
      for ($c = count($table); $c > 0; $r = mt_rand(0, $c--))
        array_splice($table, $r, $c - $r, array_reverse(array_slice($table, $r, $c - $r)));

    the encode sequence:

    $len = strlen($content);
      $word = $shift = 0;
      for ($i = 0; $i < $len; $i++)
      {
        $ch = $xor ^ ord($content[$i]);
        $word |= ($ch << $shift);
        $shift = ($shift + 2) % 6;
        $enc .= chr($table[$word & 0x3F]);
        $word >>= 6;
        if (!$shift)
        {
          $enc .= chr($table[$word]);
          $word >>= 6;
        }
      }
      if ($shift)
        $enc .= chr($table[$word]);

    --- THE FINAL DECODE SEQUENCE ----
    // Decode sequence
      $tbl = array_fill($i_min, $i_max - $i_min + 1, 0);
      while (list($k,$v) = each($table))
        $tbl[$v] = $k;
      $tbl = implode(",", $tbl);

      $fi = ",p=0,s=0,w=0,t=Array({$tbl})";
      $f = "w|=(t[x.charCodeAt(p++)-{$i_min}])<<s;";
      $f .= "if(s){r+=String.fromCharCode({$xor}^w&255);w>>=8;s-=2}else{s=6}";

    ----
    You see?
    xD
    So definitely not encryption,
    you are wrong....
    Encoding, I know, is a *** form to protect things, but it's the easiest and
    fastest way to bind a low protection system for contents.
    Here is the JavaScript used:
      $r.= "function decrypt_p(x){";
      $r.= "var l=x.length,b=1024,i,j,r{$fi};";
      $r.= "for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{$f}}document.write(r)}";
      $r.= "}decrypt_p(\"{$enc}\")";
    CONCLUSIONS:
    - I think (I can be sure after checking this later) you copied the exploit code
    from a developers' site.
    - You were wrong first in saying that the encryption system is cracked; as you
    see, you didn't crack anything!!
    You decoded a simple XOR sequence, w00w!
    - Your claims saying I have lots of free time for [-] other sites [-] are
    completely inappropriate.
    First of all:
    - I don't do these things for fame, just for fun and as a hobby
    - I don't say false things
    - sometimes I'm wrong (I'm human), or lots of times! But the important
    thing is that I recognize my errors.
    --
    Thank you, and next time do better research.
    Best regards to all the members of Full-Disclosure.
    -------------------------------
    0x00->Lorenzo Hernandez Garcia-Hierro
    0x01->/* not csh but sh */
    0x02->$ PATH=pretending!/usr/ucb/which sense
    0x03-> no sense in pretending!
    __________________________________
    PGP: Keyfingerprint
    4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
    ID: 0x91805F5B
    **********************************
    No Secure Root Group Security Research Team
    http://www.nsrg-security.com
    ______________________
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
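
Added example, not part of the original post or of SaS: a JavaScript port of the encode loop and the decrypt_p() decoder quoted in the message, showing that the inverse table and XOR constant shipped in the page are all that is needed to reverse the output. The function names, the fixed permutation standing in for the mt_rand() shuffle, and the sample string are assumptions.

```javascript
// Added illustration; function names are hypothetical, not SaS identifiers.
const ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@";
const XOR = 165; // constant quoted in the post

// Stand-in for the mt_rand() shuffle: any fixed permutation of the 64 symbols.
function makeTable() {
  const codes = [...ALPHABET].map(c => c.charCodeAt(0)).sort((a, b) => a - b);
  return codes.reverse();
}

// Port of the PHP encode loop: XOR each byte, then pack 3 bytes into 4 symbols.
function encode(content, table) {
  let enc = "", word = 0, shift = 0;
  for (let i = 0; i < content.length; i++) {
    word |= (XOR ^ (content.charCodeAt(i) & 255)) << shift;
    shift = (shift + 2) % 6;
    enc += String.fromCharCode(table[word & 0x3f]);
    word >>= 6;
    if (!shift) { enc += String.fromCharCode(table[word]); word >>= 6; }
  }
  if (shift) enc += String.fromCharCode(table[word]);
  return enc;
}

// What the generated page hands to every visitor: inverse table, offset, XOR value.
function pageParams(table) {
  const iMin = Math.min(...table), iMax = Math.max(...table);
  const t = new Array(iMax - iMin + 1).fill(0);
  table.forEach((code, k) => { t[code - iMin] = k; });
  return { t, iMin, xor: XOR };
}

// Port of decrypt_p(): uses only values present in the page source, no secret key.
function decode(x, { t, iMin, xor }) {
  let r = "", w = 0, s = 0;
  for (let p = 0; p < x.length; p++) {
    w |= t[x.charCodeAt(p) - iMin] << s;
    if (s) { r += String.fromCharCode(xor ^ (w & 255)); w >>= 8; s -= 2; }
    else { s = 6; }
  }
  return r;
}

const table = makeTable();
const sample = "<p>constructed sample</p>"; // constructed input
console.log(encode(sample, table), "->", decode(encode(sample, table), pageParams(table)));
```

Because the decoder's inputs travel with the content, the scheme hides markup from casual copying only and gives no confidentiality for anything sensitive.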
    
