REGULUS

EXPOSED

            (A story of a RADIUS server)

           This document describes the overall weaknesses of REGULUS.

      Regulus is useful and easy-to-use RADIUS software, but it contains the following bugs....

1. Default DES encryption.

2. Easy to obtain any user's information (password, personal details, etc.).

3. Staff file at a default path.

4. Poor authentication procedure.

5. Any misconfiguration exposes the whole system.

   DES:::

     DES uses a 56-bit key and is comparatively easy to crack. DES also limits passwords to 8 characters. Since an MD5 facility with stronger hashing is available, I think MD5 should be the default encryption technique.

   Users Information:::

     Well, this is the weakest point, or you may call it the poor programming approach.
 When you first interact with Regulus, the first page you are going to get is

   http://cust.domainname/

  Here you have to put in your user name and password. It all seems fine: you get all the correct information about your account and usage details. But we are not dealing with correct information. The question here is: can anyone, without having my password, see what I am looking at? The answer is yes. And he can change the password, use your account, etc.

   Exploiting this hole is very easy; just follow my instructions :)

http://cust.domain/base-dir/htmlcust/custchoice.php?lang=English&userid=<name>&action=To see your connections logs

Now, in place of <name> you can put any user name or any card number, and you will get all the information as if you were logged in with the password. The main reason for this is not that I am smart enough; the reason is poor Regulus programming, and that's what I want to show you.
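The root cause of the hole above is that custchoice.php lets the userid query parameter pick the account instead of the login session. The PHP below is an added example (not Regulus code and not part of the original write-up) that puts the weak lookup beside a hardened one. The query keys lang/userid/action come from the page; the session key 'userid', the function names and the sample session and query are assumptions constructed for the demonstration.

```php
<?php
// Added example, not Regulus code: how the account-view page (custchoice.php
// on this page) should decide which account it is showing. The query keys
// lang/userid/action are from the page; the session key 'userid' and the two
// function names are assumptions.
declare(strict_types=1);

// WEAK: the account is whatever "userid" arrives in the query string, so a
// visitor who edits that one parameter reads any other account's logs.
function accountForViewWeak(array $query): ?string
{
    return isset($query['userid']) ? (string) $query['userid'] : null;
}

/**
 * HARDENED: the account is the one the login bound to the server-side session.
 * Returns [HTTP status, account id or null]: 401 when there is no session,
 * 403 when a userid in the URL names a different account (old links may still
 * carry one), 200 with the session's own account otherwise.
 *
 * @return array{int, ?string}
 */
function accountForViewHardened(array $session, array $query): array
{
    $owner = $session['userid'] ?? null;          // set by the login page (assumed)
    if (!is_string($owner) || $owner === '') {
        return [401, null];
    }
    if (isset($query['userid']) && (string) $query['userid'] !== $owner) {
        return [403, null];
    }
    return [200, $owner];
}

// Driver with constructed data: alice is logged in and the URL asks for bob,
// which is exactly the substitution the page describes. Real code would pass
// $_SESSION and $_GET here.
$session = ['userid' => 'alice'];
$query   = ['lang' => 'English', 'userid' => 'bob', 'action' => 'To see your connections logs'];

echo "weak chooses: ", accountForViewWeak($query) ?? 'nobody', "\n";
[$status, $account] = accountForViewHardened($session, $query);
echo "hardened: HTTP $status, account ", $account ?? 'none', "\n";
// The logs query must then be filtered by $account only, never by a URL value.
```

The same rule applies to every page under htmlcust: any value that identifies whose data is shown has to come from the server-side session, and a client-supplied userid is at most a consistency check, never the source of identity.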

 

  Now, not only this, you can change the password. HOW?? Simply change one parameter to ->

    http://cust.domain/base-dir/htmlcust/custchoice.php?lang=English&userid=<name>&action=To update your password

  Now that's simple, but it requires the old password as well. At this point the Regulus creators must be thinking they did a great job, but if we view the source code of that page, the old password is available in hidden tags, though in encrypted form. Now we can do two things here: change the password, or copy the encrypted password and break it using password-cracking tools....

  Changing password :::

     I don't know why they give the password in hidden tags while using great PHP.. :)
 Simply look at this: << iiTQ1mHnl1.vQ >>. This is the encrypted form of "123" using DES. Now, how to use it.....

http://cust.domain/base-dir/htmlcust/custpass.php?lang=English&base=/var/lib/regulus2&pass=iiTQ1mHnl1.vQ&userid=<name>&oldpass=123&newpass1=<your choice>&newpass2=<same as previous>&action=update

   Just give the new password twice, with the old password in the above encrypted form, and you will see this...

The password provided is OK

The password provided is OK and will be shortly stored in our Data-Base

 Well, that's great......
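The password-change flaw has three parts: the stored hash is emitted into the page, the old-password check trusts fields the client sends, and the hash is DES crypt with its 8-character limit. The PHP below is an added example (not Regulus code and not part of the original write-up) of a custpass.php-shaped handler that verifies the old password server-side against a hash that never leaves the server, and stores the new one with password_hash(). The field names oldpass/newpass1/newpass2 and the success message are from the page; the in-memory account store, the function name and the sample accounts are assumptions constructed for the demonstration.

```php
<?php
// Added example, not Regulus code: a password-change handler in the shape of
// custpass.php. The field names oldpass/newpass1/newpass2 are from the page;
// the in-memory account store and the function name are assumptions.
declare(strict_types=1);

// Constructed stand-in for the database: account => stored password hash.
// The real handler would read and write this through its data layer.
$accounts = [
    'alice' => password_hash('123', PASSWORD_DEFAULT),   // constructed sample
];

/**
 * Changes the password of the logged-in account. Returns [HTTP status, message].
 *
 * @param array<string,string> $accounts stored hashes, modified in place
 * @param string $owner account id taken from the server-side session (assumed
 *                      to be set by the login page), never from a form field
 * @param array<string,string> $post the submitted form fields
 * @return array{int,string}
 */
function changePassword(array &$accounts, string $owner, array $post): array
{
    $stored = $accounts[$owner] ?? null;
    if ($stored === null) {
        return [403, 'Unknown account'];
    }

    $old  = (string) ($post['oldpass']  ?? '');
    $new1 = (string) ($post['newpass1'] ?? '');
    $new2 = (string) ($post['newpass2'] ?? '');

    // The old password is verified against the hash the server holds. The hash
    // is never written into the page, so there is no hidden "pass=" field for a
    // client to read or replay, and any "pass" value submitted is simply ignored.
    if (!password_verify($old, $stored)) {
        return [403, 'Old password incorrect'];
    }
    if ($new1 !== $new2) {
        return [400, 'New passwords do not match'];
    }
    if (strlen($new1) < 12) {
        return [400, 'New password must be at least 12 characters'];
    }

    // bcrypt through password_hash(): per-password salt, tunable cost, and no
    // 8-character cut-off like the DES crypt() the page describes.
    $accounts[$owner] = password_hash($new1, PASSWORD_DEFAULT);
    return [200, 'The password provided is OK and will be shortly stored in our Data-Base'];
}

// Driver: a legitimate change by alice, then a request that carries only a
// copied hash in "pass" and a guessed old password, which is now refused.
[$status, $msg] = changePassword($accounts, 'alice', [
    'oldpass' => '123', 'newpass1' => 'correct-horse-battery', 'newpass2' => 'correct-horse-battery',
]);
echo "$status $msg\n";

[$status, $msg] = changePassword($accounts, 'alice', [
    'pass' => 'iiTQ1mHnl1.vQ', 'oldpass' => 'guess', 'newpass1' => 'attacker-chosen', 'newpass2' => 'attacker-chosen',
]);
echo "$status $msg\n";
```

Because the hash stays on the server, there is nothing for an attacker to copy out of the HTML and crack offline, and because the owner comes from the session rather than a userid field, the handler cannot be pointed at another account.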

 

 

HACKING STAFF USERS TO GET CONTROL OVER REGULUS:::

    As simple as you could ever think of; try this:

 http://cust.domainname/base-dir/access/stafffile

   So you got the password list. Hmmmmm, again DES... cracking takes time, but most people don't choose strong passwords, and they are easily breakable....

After getting a password, try this link:

  http://acct2.domainname/

  Give the user name and password and you will say "hmmmmmmm, Regulus is so easy to use" hehehe.

 So I think one credit that goes to Regulus is that it is easy to use.

  I have a practical example of whatever I explained above!!!

http://www.aosp.net/regulus.ppt

 For more tutorials visit my site http://www.phclub.org/.
 Or for any kind of help, mail me: mailto:masud_libra@hotmail.com