During Shmoocon 2009 I got bored and went digging for vulnerabilities in the conference's registration form (radius.cgi) and its accompanying CAPTCHA (image.cgi). Here are some rough notes on what I found.
- repeated requests to image.cgi with the same "text" argument yield new images with the same text but different noise "lines"
- the lines are transparent pixels (alpha 0), not drawn in a colour, so they are holes in the image rather than ink on top of it
- https://labs.shmoocon.net/cgi-bin/ yields an "Internal Server Error" page whose server signature reads:
  Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g Server at labs.shmoocon.net Port 443
- Suhosin-Patch is a hardening patch for the PHP core (the same project also ships a PHP extension). heh.
- grab the image
- replace transparent pixels with white pixels:
  convert foo2.png -alpha off foo_alpha_off2.png
  (-alpha off only discards the alpha channel and keeps whatever colour is stored under the transparent pixels, so it helps only if that colour is already white; otherwise composite onto a white background with `convert foo2.png -background white -flatten foo.png`)
- better yet, grab a bunch of variants of the same captcha and "flatten" them to produce a much more legible image: each variant has its transparent lines in different places, and -flatten composites later images over earlier ones, so every hole gets filled in with the text or background from another variant
  convert ima* -flatten out.png
- radius.cgi hashes are of varying lengths(?)
  - some are 64 bytes, others 64+16
- requesting a cert from the same captcha img:
  - (bingo) works with Firefox, not when the HTML form is saved locally
  - the same cert is given each try
  - because the same cert is always given? yep, even to wget :/
- HTTP POST with wget for the PoC (placeholder URL; --post-data sends an application/x-www-form-urlencoded body):
  wget http://www.mypage.com/index.php --post-data="foo=bar"
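The "flatten a bunch of variants" trick above depends on the noise lines being transparent holes rather than ink. The following script is an added example (not code from the original notes) that reproduces the mechanism in pure Python so you can see why stacking variants works without ImageMagick. The CAPTCHA variants are constructed in memory as a stand-in for fetching image.cgi repeatedly: a fixed block-letter glyph, with two noise lines per variant punched through as transparent pixels at positions that depend on the variant number.

```python
#!/usr/bin/env python3
"""Pure-Python model of `convert ima* -flatten out.png` applied to CAPTCHA
variants whose noise lines are transparent pixels.

Added example, not the original notes' code. The images are constructed
here instead of being fetched from image.cgi."""

W, H = 20, 7           # tiny constructed canvas
WHITE = (255, 255, 255, 255)
BLACK = (0, 0, 0, 255)
CLEAR = (0, 0, 0, 0)   # alpha 0: a "transparent line" pixel

# Constructed glyph: a block letter 'T' standing in for the CAPTCHA text.
TEXT = {(x, 0) for x in range(2, 7)} | {(4, y) for y in range(H)}


def clean_image():
    """The text with no noise at all: what we hope to recover."""
    return [[BLACK if (x, y) in TEXT else WHITE for x in range(W)]
            for y in range(H)]


def render_variant(k):
    """Variant k: same text, but two noise lines punched through as
    transparent pixels. Line placement depends on k so that, like the real
    image.cgi, every request draws the lines somewhere else. Deterministic
    (no randomness) so the results are reproducible."""
    img = clean_image()
    for x in range(W):
        img[(3 * k) % H][x] = CLEAR      # horizontal line
        img[(x + k) % H][x] = CLEAR      # diagonal streak (wraps around)
    return img


def flatten(images):
    """Composite like `convert ima* -flatten out.png`: later images are laid
    over earlier ones, so the topmost opaque pixel wins and a transparent
    hole survives only if it is transparent in every variant."""
    out = []
    for y in range(H):
        row = []
        for x in range(W):
            px = CLEAR
            for img in reversed(images):  # last on the command line is on top
                if img[y][x][3] == 255:
                    px = img[y][x]
                    break
            row.append(px)
        out.append(row)
    return out


def holes(img):
    """Number of still-transparent pixels."""
    return sum(1 for row in img for px in row if px[3] == 0)


def ascii_art(img):
    """'#' = text, '.' = background, ' ' = transparent hole."""
    return "\n".join(
        "".join("#" if px == BLACK else "." if px == WHITE else " " for px in row)
        for row in img)


if __name__ == "__main__":
    variants = [render_variant(k) for k in range(3)]
    for k, v in enumerate(variants):
        print("variant %d, %d transparent pixels:\n%s\n" % (k, holes(v), ascii_art(v)))
    merged = flatten(variants)
    print("flattened, %d transparent pixels:\n%s" % (holes(merged), ascii_art(merged)))
```

With these constructed line positions no pixel is transparent in all of variants 0, 1 and 2, so three variants already recover the clean glyph; with real captures you keep fetching until `holes()` stops dropping. A single variant flattened on its own changes nothing, which is exactly why the one-image `-alpha off` approach is weaker than stacking.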
A helper script
This script does some rudimentary fuzzing on the "text" input to the CAPTCHA image generation script: it overwrites one hex character of a known-good hash with '0' at each position in turn and emits an <img> tag per variant, so loading the output in a browser shows which positions image.cgi actually checks (a position whose tweaked hash still renders the same CAPTCHA is not being validated). You can see its output here.
#!/usr/bin/env python3
import sys

def main(argv=None):
    imgurlbase = "https://labs.shmoocon.net/cgi-bin/image.cgi?text="
    imgurlhash = "9a25a6e0edb90b4b395c3fe986de7dcb6b595a802008e71794ebb2a1619902efa87a3a46345e508a"
    # For each 1-based position s in the hash, overwrite that single character
    # with '0' and emit an <img> tag so the browser fetches the tweaked variant.
    # (If the original character already is '0' that position is not actually
    # mutated; compare against the unmodified hash when reading the output.)
    for s in range(1, len(imgurlhash) + 1):
        print("<tt>")
        tweakedHash = "%s0%s" % (imgurlhash[:s-1], imgurlhash[s:])
        print("%02d %s:" % (s, tweakedHash))
        print("<img width=100 height=33 src=%s%s><br>" % (imgurlbase, tweakedHash))
        print("</tt>")

if __name__ == '__main__':
    sys.exit(main())
