aMSN Discloses Password Hashes to Local Users
SecurityTracker Alert ID:  1010555
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 21 2004
Impact:   Disclosure of authentication information

Version(s): 0.90
Description:   Lostmon reported a vulnerability in aMSN. A local user can obtain hashed passwords.

It is reported that the software stores the user's hashed password in the 'hotlog.htm' file. A local user may be able to decrypt the password, the report said.

Impact:   A local user can obtain a user's hashed password.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested on Windows 2000 SP4

Message History:   None.

1. Introduction
2. What it was tested on
3. How to reproduce the exploit
4. Conclusion
5. Fix
1. After studying the instant messenger client aMSN (v0.90) for
Windows and looking in its files, I noticed that a local malicious user
could obtain the hash of a user who was logged in to aMSN:

2. This was tested on:
  aMSN v0.90 client
  Windows 2000 Pro SP4 build 2195
Open the messenger client aMSN; log in to Hotmail with our user and password.
After we open our e-mail and click on the tray envelope that notifies us that we
have new mail,
the browser opens and we see that a page is opened locally,
from file:///C:/Documents%20and%20Settings/Lostmon/amsn/hotlog.htm
As we can see, this is the local path of the user profile that started the
session on the PC :/
If we open this folder and look at this path, specifically this file, we find the
code of the file hotlog.htm:

<meta http-equiv=Refresh content="0; url=">
<body onload="document.pform.submit(); ">
<form name="pform"
action="" method="POST">
<input type="hidden" name="mode" value="ttl">
<input type="hidden" name="login" value="yourfull">
<input type="hidden" name="username" value="">
<input type="hidden" name="sid" value="507">
<input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
<input type="hidden" name="auth"
<input type="hidden" name="creds" value="a93e78753eed0fe90ae59a9245d459d0">
<input type="hidden" name="svc" value="mail"><input type="hidden" name="js"

Looking at this information, we noticed the way this form sends the data,

But things are not finished here. If we look very carefully in the folder %userroot%amsn\
we have a config.xml, and in its last lines it has this entry
(part of the code of config.xml):


We suppose that the remote password is the password that allows identifying each account :/
Thus, if we make a thorough investigation of where this remote
password comes from, we arrive at the folder c:\program files\amsn\scripts\
and if we look among these files we find: config.tcl
In line 296 we have this:

    if { ($config(save_password)) && ($password != "")} {
        # key = first 8 characters of the login followed by "dummykey"
        set key [string range "${loginback}dummykey" 0 7]
        # DES-encrypt "password\n" and hex-encode the result
        binary scan [::des::encrypt $key "${password}\n"] h* encpass
        puts $file_id "   <entry>\n      <attribute>encpassword</attribute>\n      <value>$encpass</value>\n   </entry>"
    }

    # the same key derivation is reused for the remote password
    set key [string range "${loginback}dummykey" 0 7]
    binary scan [::des::encrypt $key "${config(remotepassword)}\n"] h* encpass
    puts $file_id "   <entry>\n      <attribute>remotepassword</attribute>\n      <value>$encpass</value>\n   </entry>\n"

    foreach custom $config(customsmileys2) {
        puts $file_id "   <emoticon>"
        foreach attribute [array names emotions] {
            if { [string match "${custom}_*" $attribute ] } {
                set var_attribute [::sxml::xmlreplace [string map [list "${custom}_" ""] $attribute ]]
                set var_value [::sxml::xmlreplace $emotions($attribute)]
                puts $file_id "      <$var_attribute>$var_value</$var_attribute>"

These are the functions that encode the remote password, umm :/
If we look at the background in this file, we can say that the
variables necessary to reverse certain functions are there.

Yours faithfully

greetings to RotteW and LuTRiZiA, so many nights with me :DDDD

Lostmon (

Curiosity is what makes the mind move ...
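The config.tcl excerpt in the message derives the DES key from the login name plus the constant "dummykey", so anyone who can read config.xml (which stores the login in the clear) can recompute the key. The Go program below is an added example, not aMSN code, that reproduces that key derivation, shows that the stored value round-trips with no secret at all, and contrasts it with storage under a random key kept outside the config file. The cipher mode (CBC with a zero IV), the zero padding, and the reading of `loginback` as the account login are assumptions made for this example; the Tcl excerpt does not show them. The sample login and password are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// KeyFromLogin mirrors `set key [string range "${loginback}dummykey" 0 7]`:
// the first 8 characters of login + "dummykey" (ASCII assumed). The login
// sits in config.xml in the clear, so this "key" is not a secret.
func KeyFromLogin(login string) []byte {
	return []byte((login + "dummykey")[:8])
}

// LegacyEncrypt reproduces the storage scheme: DES over "password\n", hex-encoded.
// CBC with a zero IV and zero padding are assumptions for this example.
func LegacyEncrypt(login, password string) (string, error) {
	block, err := des.NewCipher(KeyFromLogin(login))
	if err != nil {
		return "", err
	}
	plain := []byte(password + "\n")
	if rem := len(plain) % des.BlockSize; rem != 0 {
		plain = append(plain, make([]byte, des.BlockSize-rem)...)
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, plain)
	return hex.EncodeToString(out), nil
}

// LegacyDecrypt is the inverse; it needs nothing config.xml does not already
// contain, which is why the scheme is obfuscation rather than protection.
func LegacyDecrypt(login, encHex string) (string, error) {
	ct, err := hex.DecodeString(encHex)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), des.BlockSize)
	}
	block, err := des.NewCipher(KeyFromLogin(login))
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, des.BlockSize)).CryptBlocks(plain, ct)
	plain = bytes.TrimSuffix(bytes.TrimRight(plain, "\x00"), []byte("\n"))
	return string(plain), nil
}

// NewExternalKey is the contrast: a random 256-bit key that must be kept outside
// config.xml (OS credential store, or unlocked by a user secret), never derived
// from data stored next to the ciphertext.
func NewExternalKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// SealPassword encrypts with AES-256-GCM; the random nonce is prepended to the blob.
func SealPassword(key []byte, password string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(password), nil)), nil
}

// OpenPassword authenticates and decrypts; a wrong key fails loudly instead of
// silently yielding garbage as the DES scheme would.
func OpenPassword(key []byte, blobHex string) (string, error) {
	blob, err := hex.DecodeString(blobHex)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return "", fmt.Errorf("blob shorter than nonce")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	login, password := "bob", "s3cret" // constructed sample values
	enc, _ := LegacyEncrypt(login, password)
	dec, _ := LegacyDecrypt(login, enc)
	fmt.Printf("legacy: key=%q enc=%s recovered=%q\n", KeyFromLogin(login), enc, dec)
	key, _ := NewExternalKey()
	blob, _ := SealPassword(key, password)
	fmt.Printf("external key: blob=%s (useless without the key)\n", blob)
}
```

The legacy output is deterministic: the same login and password always produce the same hex, which is itself a tell when reviewing how an application stores credentials. The practical remedy for a "remember password" feature is an OS credential store or a key unlocked by a user secret; NewExternalKey stands in for that here.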

