Quick Summary:
************************************************************************
Product             : Movilnet's Web SMS.
Version             : In-production versions.
Vendor              : Movilnet - http://www.movilnet.com.ve/
Class               : Remote
Criticality         : High
Operating System(s) : N/A.

Synopsis
************************************************************************
From Cantv's corporate webpage: "Cantv is the largest private company
in Venezuela. Since its privatization in 1991, the company has undergone
constant transformation to become a competitive business, with high
levels of quality in its offering of products and services for voice
and data transmission, internet access, cellular telephony and
information directories."

Movilnet is an affiliate of Cantv, the largest private
telecommunications company in Venezuela. Movilnet's Web SMS is a very
popular Short Message System that allows web surfers to send short text
messages directly to Movilnet's mobile phone subscribers.

Notice
************************************************************************
Movilnet's very popular Web SMS protects its mobile customers from SMS
bombs and undesirable spam using the mechanism pioneered by Blum's AI
group at Carnegie Mellon University, which tries to tell humans and
computers apart using programs known as captchas.

Unfortunately, Movilnet's captcha implementation is a very weak one and
it is possible to recognize its patterns 100% of the time. Others have
previously reported breaking "scode" based captchas; however, no proof
of concept source code has ever been released to the public.

Vendor Status
************************************************************************
SNSecurity has contacted Movilnet, who already knew about the problem
and is currently dealing with the issue.

2/21/2006 Vendor is contacted about the vulnerability.
2/23/2006 Vendor informs the vulnerability was already known and asks
          for a 30 day period before publication.
3/17/2006 Vendor agrees to make the advisory public at the date agreed
          upon.
3/27/2006 Advisory is made public.

Basic Explanation
************************************************************************
There are several problems with the "scode" based captcha used by
Movilnet on their Web Short Message System. Most notably, the captcha's
challenge space is very small. Estimates performed by our research labs
indicate that only 16 Mb of memory would be required to store
pre-calculated data that would allow for a complete image-to-response
map.

Additionally, several other design flaws present in Movilnet's captcha
implementation allow for the creation of heuristic algorithms that would
not require data pre-calculation at all. The most important weaknesses
include: only one font, no color variation, useless perturbation, no
rotation and no deformation.

Proof Of Concept Status
************************************************************************
No proof of concept will be released until the provider has sorted out
the issue.

Work Around
************************************************************************
No workaround is available to prevent abusers from spamming or
SMS-bombing mobile customers. If you are SMS-bombed, you can only turn
off your mobile phone and ask a Movilnet representative to have your
entire short text message queue deleted.

Corrective Measures
************************************************************************
Replace the captcha module with a stronger and more robust
implementation.

Credits
************************************************************************
This vulnerability was discovered by Ruben Recabarren and Leandro
Leoncini at SNSecurity's Research Lab.

Disclaimer
----------------------------------------------------------------------
This advisory was released by SNSecurity as a matter of notification to
help administrators protect their systems and to warn mobile customers
against the described vulnerability.

Exploit source code is never released in our advisories but can be
obtained under contract. Contact our sales department at
info (at) snsecurity (dot) com for further information on how to obtain
proof of concept code.
----------------------------------------------------------------------
SNSecurity.
http://www.snsecurity.com