SecurityTracker.com
Category:   Application (Generic)  >   I-Cafe Vendors:   MIT Software
I-Cafe Access Restrictions Can Be Bypassed By Local Users
SecurityTracker Alert ID:  1010724
SecurityTracker URL:  http://securitytracker.com/id/1010724
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 17 2004
Impact:   Modification of authentication information, User access via local system
Exploit Included:  Yes  
Version(s): 2.6 rv 2004.72
Description:   Lostmon reported a vulnerability in I-Cafe. A local user can gain administrative access to the I-Cafe software and can bypass hard disk access restrictions.

It is reported that a local user can disable the software by terminating the 'icafecli' process after the operating system has booted. Then, the local user can modify the registry entry that causes the I-Cafe client to load.

It is also reported that a local user can bypass access restrictions and access the hard disk. This can be achieved by opening the desktop in Windows Explorer, highlighting an arbitrary shortcut, and then pressing Alt-Enter. Then, the local user can select 'Find Target' to browse the disk.

It is also reported that some IRC clients (such as mIRC or X-Cript) allow local users to issue the '/run c:' command to gain access to the disk.

It is also reported that a local user can erase the administrative password by modifying the 'icafecli.ini' file in the windows directory. The line that says 'admin=312a353424243a2c23313b222d2a24' [or something similar] can be changed to 'xadmin='. Then, the local user can gain access to the administrative interface.
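A defender-side integrity check for the tampering described in this paragraph (an added example, not from SecurityTracker or from the vendor): it parses the [SETUP] section of an icafecli.ini and flags a missing, blank, non-hex or renamed admin entry. The sample file contents are constructed from the layout quoted in the source message below; the hex value is the one quoted in the advisory, not a real credential.

```python
import configparser

# Constructed sample modelled on the [SETUP] section of the icafecli.ini
# quoted in the advisory; only the keys relevant to the check are kept.
INTACT_INI = """\
[Boot]
Reload=1
[SETUP]
ajustar=0
admin=312a353424243a2c23313b222d2a24
MODE=TC
"""

# Same file after the rename described in the advisory (admin= -> xadmin=).
TAMPERED_INI = INTACT_INI.replace("admin=", "xadmin=")

def is_hex_blob(value):
    """True when the value looks like the hex-encoded admin blob."""
    return len(value) > 0 and len(value) % 2 == 0 and all(
        c in "0123456789abcdefABCDEF" for c in value)

def check_admin_credential(ini_text):
    """Return a list of findings about the [SETUP] admin entry; [] means intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("SETUP"):
        return ["[SETUP] section missing"]
    setup = cp["SETUP"]
    findings = []
    admin = setup.get("admin")
    if admin is None:
        findings.append("admin= entry missing from [SETUP]")
    elif admin.strip() == "":
        findings.append("admin= entry is blank (empty administrative password)")
    elif not is_hex_blob(admin):
        findings.append("admin= value is not the expected hex-encoded blob")
    # A renamed key (e.g. xadmin=) keeps the old value but defeats the lookup.
    for key in setup:
        if key != "admin" and key.lower().endswith("admin"):
            findings.append(f"renamed key {key}= present in [SETUP]")
    return findings

if __name__ == "__main__":
    for label, text in (("intact", INTACT_INI), ("tampered", TAMPERED_INI)):
        print(label, check_admin_credential(text) or ["OK"])
```

Run it against the real file path on the kiosk (C:\WINDOWS\icafecli.ini according to the advisory) from a scheduled task to catch the rename or blanking before the next session.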

The vendor has reportedly been notified.

The original advisory was available at:

http://lostmon.spymac.net/blog/

Impact:   A local user can gain administrative access to the application.

A local user can gain access to the hard disk.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mitsoftware.com/icafe/index.asp (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows 98

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in icafeclient software for cybercafes


##############################################################################
######## numerous vulnerabilities in icafecli software                ########
######## 1- where trials have been done                               ########
######## 2- use software explanation                                  ########
######## 4- thanks.                                                   ########
##############################################################################

###################################
1-where trials have been done
###################################


  To test these vulnerabilities we used:
-system: Win98 SE with all its hotfixes
-icafecli v 2.6 rv 2004.72

The original advisory is at this URL: http://lostmon.spymac.net/blog/
We notified the vendor (www.mitsoftware.es)

###################################
2- use software explanation
###################################

It works in client/server mode, with some security options.
This software has an interface through which only the administrator has
access to the software; in other words, direct execution is not allowed,
only through the software interface.
This software works with users and passwords (members), with
predetermined time codes, or by open-time play where the user pays when
the session is finished, depending on the time used.

###################################
###################################


  3.1- closing the software and preventing its execution:

The program is loaded as a service and is included in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Here a string value I-Cafe Client is added, with a path value pointing to
where the program is saved; in our test it was C:\protegido\ICAFECLI.EXE.
Two things can be done: first, reboot the PC and, while Windows is loading,
before the icafe software is loaded, press Ctrl+Alt+Del, choose the process
named icafecli and abort it; the PC will be initialised without this
management software running. Afterwards, if this software has not imposed
restrictions, we can delete the registry key that calls this software for
execution. On the server this PC will appear as inactive, but in this case
the admin must update the room.

  3.2- bypassing access restrictions on the hard disk:

If the administrator has imposed Windows restrictions in the security options
of this software, in theory we have no access to the hard disk, although this
is an ephemeral state :) We start icafe with our member account or a time-play
code, we open Explorer and in the address bar we check that, entering c: as
the URL, access to the hard disk is denied; but if we enter the desktop we
get into it, we select an icon, press Alt+Enter and in the window that pops
up we choose to look for the destination, and we are on the hard disk! :/
After that, it is only a matter of searching for whatever is interesting on
the hard disk :)

Another easy way to bypass this restriction is through some IRC clients,
like mIRC or X-Cript: we open the IRC client, type /run c: and we have
access to the hard disk too.

  3.3- resetting the admin password and changing it:

In the software interface, if we enter as admin, we need a password that
allows configuring the options of the icafecli software. We access the hard
disk in the way explained before, and we go to c:\windows\; here we look for
the icafecli.ini file, which saves the software configuration. This
configuration is what allows the software to initialise on this PC. In this
file we see the following:

########################
#  icafecli.ini code   #
########################
[Boot]
Firsttime=0
Reload=1
[Protection]
11=1
16=1
17=1
25=1
26=1
27=1
28=1
29=1
30=1
0=0
1=0
2=0
3=1
4=1
5=1
6=1
7=1
8=1
9=1
10=1
12=1
13=1
14=1
15=1
18=1
19=1
20=1
21=1
22=1
23=1
24=1
[SETUP]
color=clBlack
color2=clBlack
barraicafe=0
publicidad=0
contrato=0
publix=60
publiy=468
publitop=56
publileft=186
publifile=
contratofile=C:\WINDOWS\ESCRITORIO\contrato.htm
ajustar=0
xadmin=312a353424243a2c23313b222d2a24
avisos=0
avisos2=0
icheck=1
sonido=1
mosaico=0
mosaico2=0
enviar=0
paginaopcion=2
pagina=http://www.google.com
enviar2=0
enviar3=0
actualizacion=0
gcheck=1
ocheck=1
MODE=TC
[Downloads]
Directory=
down1=1
reebot1=0
socios=1
ocultartc=0
reebot2=0
down0=1
controlmsn=1
zonatray=1
down2=1
down3=1
down4=0
down5=0
down6=0
down7=0
down8=1
[Protection2]
0=0
1=0
2=1
3=1
4=0
5=0
6=0
7=0
[INTERNET]
ITEM0=Internet Explorer;C:\Archivos de programa\Internet Explorer\Iexplore.exe;
ITEM1=Messenger;C:\Archivos de programa\MSN Messenger\msnmsgr.exe;
[GAMES]
ITEM0=Blue Shift;C:\Juegos\Blue-Shift\bshift.exe;
ITEM1=Call of Duty : Multiplayer;C:\Juegos\Call of Duty\CoDMP.exe;
ITEM2=Call of Duty : Singleplayer;C:\Juegos\Call of Duty\CoDSP.exe;
ITEM3=Counter Strike;C:\Juegos\Counter-Strike\CSTRIKE.EXE;-console -game cstrike
ITEM4=Ghost Recon ;C:\Juegos\Ghost Recon\GhostRecon.exe;
ITEM5=Harry Potter - Quidditch CM;C:\Juegos\Harry Potter - Quidditch CM\Qwc.exe;
ITEM6=Harry Potter and the Prisoner of Azkaban;C:\Juegos\Harry Potter and the Prisoner of Azkaban\system\hppoa.exe;
ITEM7=Hitman Contracts;C:\Juegos\HitmanContract\HitmanContracts.exe;
ITEM8=Max Payne2;C:\Juegos\Rockstar Games\Max Payne 2\MaxPayne2.exe;
ITEM9=Mu Online;C:\Juegos\MuOnline\launcher.exe;
ITEM10=Need For Speed Underground;C:\Juegos\NFS Underground\Speed.exe;
ITEM11=NitroFamily;C:\Archivos de programa\NitroFamily\NitroFamily.exe;
ITEM12=Oni;C:\Juegos\Oni\Oni.exe;
ITEM13=Restaurant Empire;C:\Juegos\Restaurant Empire\Restaurant Empire.exe;
ITEM14=The House Of the DeaD 2;C:\Juegos\MVM 2004 - The House of the Dead 2\Hod2.exe;
ITEM15=Tibia GG 4.1c. ;C:\Juegos\tibiagg41c\tibiagg41c\Tibia GG 4.1c.exe;
ITEM16=Tibia. ;C:\Juegos\Tibia\Tibia.exe;
ITEM17=Un vecino infernal;C:\Juegos\JoWooD\Un vecino infernal\bin\game.exe;
ITEM18=Virtua Tennis;C:\Juegos\Sega\Virtua Tennis\VIRTUA_TENNIS_PC.exe;
ITEM19=Yu-Gi-Oh! Power of Chaos KAIBA THE REVENGE;C:\Juegos\Yu-Gi-Oh! Power of Chaos KAIBA THE REVENGE\kaiba_pc.exe;
ITEM20=Yu-Gi-Oh! Power of Chaos YUGI THE DESTINY;C:\Juegos\Yu-Gi-Oh! Power of Chaos YUGI THE DESTINY\Version2\yugi_pc.exe;
[OFFICE]
ITEM0=IRcap;C:\mIRC\mirc.exe;
ITEM1=Real One Player;C:\Archivos de programa\Real\RealPlayer\realplay.exe;
ITEM2=Winamp;C:\Archivos de programa\Winamp\winamp.exe;

############
end of file
###############################################################################################

We can change the security options of the software. For that, we will first
look for the icafecli.ini file and change
admin=312a353424243a2c23313b222d2a24 to xadmin=
We save the changes, we access the software interface, we click on admin and
we leave the password blank; the software will give us access to the
configuration interface :/
Now we can change any option and write a new password for admin ;P

###################################
4-thanks
###################################

Thanks to everyone who helps me day by day and trusts in me.
Thanks to hispanew.com and ayuda-internet.net for their support.
Thanks Estrella for being my light.
Thanks rottew and lutrizia for being like this and staying with me.

Sincerely,
Lostmon (lostmon@gmail.com)

-- 
Curiosity is what moves the mind....


Copyright 2019, SecurityGlobal.net LLC