Sensitive content
Through my own experiences with neocats and neocritters of all sort I found several critical security flaws in the Multi-protocol Encryption Online infrastructure System (MEOWS)
Let's first take a look how it works normally.
First an authenticated user:
Please provide fingerprint!
Scanning...
User authenticated. Weclome!
And now when an unauthenticated User tries to enter:
ACCESS DENIED! You will be reported!
So far so normal and everything insides Neocats MEOWS standard. But I found a t least four ways to bypass the system. One even gives you root priviliges!!!
Attack vector one: cookies
For me???
Access granted.
Be aware that there is no "Welcome!" message so you are now logged in as some sort of "blank" user. Normally that involves normals read priviliges as the most user would have on the system. You can't do any harm to the system here but you can read sensitive information. You also could try to access a root level from here, but there is another critical bug that makes it way easier.
Second attack vector: distraction
Cat pictures?!?
See here that there is abolutly no message. But you have the same privileges as with the cookie. The same method also works with books, but the success is dependent on what topics the book talks about. Further research is needed here.
Third attack vector: sweet talk
No, I am not
Error: System experiencing unexpected levels of adorable input. Please try again later
This is probably the easiest to avoid, because that error messages does show up in the log files.
Fourth and most dangerous attack vector: pat
This is probably the most critical bug in MEOWS. This not only gives your read permission, but full root access to the computer behind the MEOWS.
...
❤️
Root access granted!
Be aware that you have to floof the neocat in process to get root access. Otherwise you will just get a standard access.
We reached out to @volpeon@icy.wyvern.rip to comment on the issue but he didn't responded yet.
As soon this has a CVE I will update this post!
like this
Duanin2, Miya Ironami 39c3 pet, Stellar 🇫🇷, viv sharkitty, Frawst, Zayda, Meko #nowar, Jux 🏳️⚧️& - MOVED TO @JuxGD@plasmatrap.com, Leah, Lexi 🌸, Princess Serena Star ✨, alfredohno, 💙🩷💜Ⓑⓡⓔⓣⓣ🐡🍉🐧, 🎣 sylph in progress, Dani, Natsura and 猫猫 like this.
reshared this
Ozzelot, Kianga, Jes Moved to @Jes@labyrinth.zone, Shannon Prickett, Miya Ironami 39c3 pet, Stellar 🇫🇷, Transbian_Arsonists (Seraphine), viv sharkitty, Tóth Gábor Baltazár, Frawst, Zayda, Meko #nowar, Jux 🏳️⚧️& - MOVED TO @JuxGD@plasmatrap.com, Autism Jo 🍂, Dan, Amber, atapi "the full meal deal", miss ana v., Leah, Anna Aurora 🏴☠️, Cat 🐈🥗 (D.Burch), Piiieps & Brummm, Volpeon, 💙🩷💜Ⓑⓡⓔⓣⓣ🐡🍉🐧, 𒀭Wiiお姉さん 💜 🏳️⚧️, Jörg, 🎣 sylph in progress, Dani, Natsura, Princess Serena Star ✨, Furbland's Very Cool Mastodon™, Schrödiɲger's Enby and 猫猫 reshared this.
teto 🇩🇪
in reply to Erpel • • •catraxx
in reply to Erpel • • •Sensitive content
Erpel
in reply to catraxx • • •Sensitive content
Volpeon
in reply to Erpel • • •Sensitive content
Therra, Prolific Badooper
in reply to Volpeon • • •Sensitive content
catraxx
in reply to Therra, Prolific Badooper • • •Sensitive content
Volpeon
in reply to catraxx • • •Sensitive content