SecurityTracker.com
Category:  Application (Instant Messaging/IRC/Chat)  >  aMSN
Vendors:  amsn.sourceforge.net
aMSN Discloses Password Hashes to Local Users
SecurityTracker Alert ID:  1010555
SecurityTracker URL:  http://securitytracker.com/id?1010555
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 21 2004
Impact:  Disclosure of authentication information
Version(s): 0.90
Description:  Lostmon reported a vulnerability in aMSN. A local user can obtain hashed passwords.

It is reported that the software stores the user's hashed password in the 'hotlog.htm' file. A local user may be able to decrypt the password, the report said.

Impact:  A local user can obtain a user's hashed password.
Solution:  No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/tracker/index.php?func=detail&aid=976450&group_id=54091&atid=472655
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested on Windows 2000 SP4
Reported By:  Lostmon <lostmon@spymac.com>
Message History:   None.


 Source Message Contents

Date:  Sun, 20 Jun 2004 19:23:38 -0600 (MDT)
From:  Lostmon <lostmon@spymac.com>
Subject:  some important information about amsn windows client disclose: user

 



Hello:
I found this bug in the aMSN client:
http://sourceforge.net/tracker/index.php?func=detail&aid=976450&group_id=54091&atid=472655

Windows
=============================================================================
1. Introduction
2. What it was tested on
3. How to reproduce the exploit
4. Conclusion
5. Fix
=============================================================================
1. After studying the instant messenger client aMSN (v0.90) for Windows and looking in its files, I noticed that a local malicious user could obtain the hash of a user who was logged in to aMSN:
=============================================================================
2. This was tested on: aMSN v0.90 client, Windows 2000 Pro SP4 build 2195
=============================================================================
3. To reproduce this vulnerability, it's necessary to follow these instructions: open the messenger client aMSN; log in to Hotmail with our user and password. After we open our e-mail and click the tray envelope that notifies us that we have new mail, Explorer opens and we see that a page is opened locally from the local path:

file:///C:/Documents%20and%20Settings/Lostmon/amsn/hotlog.htm

As we can see, this is the local path of the profile of the user who started the session on the PC :/ If we open this folder and follow this path, specifically this file, we find the following:
=============================================================================
code of file hotlog.htm

<html>
<head>
<noscript>
<meta http-equiv=Refresh content="0; url=http://www.hotmail.com">
</noscript>
</head>
<body onload="document.pform.submit(); ">
<form name="pform" action="https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033" method="POST">
<input type="hidden" name="mode" value="ttl">
<input type="hidden" name="login" value="yourfull">
<input type="hidden" name="username" value="yourfull@hotmail.com">
<input type="hidden" name="sid" value="507">
<input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
<input type="hidden" name="auth" value="58eRJLDWhDzdS64AsWCR1FKtjcWTkW76jtnGCOdp7bvlsr1wUHbfGLystSU6ig6bpdx7zGmj15d2MmglLZxr!iAQ$$">
<input type="hidden" name="creds" value="a93e78753eed0fe90ae59a9245d459d0">
<input type="hidden" name="svc" value="mail">
<input type="hidden" name="js" value="yes">
</form>
</body>
</html>
=============================================================================
Looking at this information we notice how the sending is done in this form, executed in "hidden" mode; here we have so many important things. But things are not finished here: if we look very carefully in the folder %userroot%amsn\ we have a config.xml, and in its last lines it has this entry:
=============================================================================
part of code of config.xml

<entry>
  <attribute>remotepassword</attribute>
  <value>c26ccaaba25f6642</value>
</entry>

ummmmmm. What is remotepassword and how is it possible to obtain it?? We suppose that the remote password is the password that allows identifying every account :/ Thus if we make a thorough investigation looking into where this remote password comes from, we arrive at the folder c:\program files\amsn\scripts\ and if we look among these files we find: config.tcl. At line 296 we have this:

}
if { ($config(save_password)) && ($password != "")} {
  set key [string range "${loginback}dummykey" 0 7]
  binary scan [::des::encrypt $key "${password}\n"] h* encpass
  puts $file_id " <entry>\n <attribute>encpassword</attribute>\n <value>$encpass</value>\n </entry>"
}
set key [string range "${loginback}dummykey" 0 7]
binary scan [::des::encrypt $key "${config(remotepassword)}\n"] h* encpass
puts $file_id " <entry>\n <attribute>remotepassword</attribute>\n <value>$encpass</value>\n </entry>\n"
foreach custom $config(customsmileys2) {
  puts $file_id " <emoticon>"
  foreach attribute [array names emotions] {
    if { [string match "${custom}_*" $attribute ] } {
      set var_attribute [::sxml::xmlreplace [string map [list "${custom}_" ""] $attribute ]]
      set var_value [::sxml::xmlreplace $emotions($attribute)]
      puts $file_id " <$var_attribute>$var_value</$var_attribute>"
    }
=============================================================================
These are the functions that encode the remote password, umm :/ If we could look at the background in this file, we would be able to say that the variables necessary to revert certain functions are there.

Yours faithfully
#dismarking
Greetings to RotteW and LuTRiZiA, so many nights with me :DDDD
Lostmon (lostmon@spymac.com)
Curiosity is what moves the mind ...
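As an added example (editor's code, not part of the report or of aMSN itself), the following Python audit parses the two on-disk artifacts the report describes, the config.xml <entry> blocks and the hidden form fields of hotlog.htm, and flags the items that leak credential material to any local reader. It assumes a hypothetical <config> root element and uses constructed sample content; the only value taken from the report is the remotepassword ciphertext.

```python
import re
import xml.etree.ElementTree as ET

# config.xml attributes that aMSN 0.90 writes DES-encrypted under a key taken
# from "${loginback}dummykey" (config.tcl excerpt in the report): reversible.
REVERSIBLE_ATTRS = {"encpassword", "remotepassword"}
# hotlog.htm hidden fields that carry Passport login material.
SENSITIVE_FIELDS = {"login", "username", "auth", "creds"}

# Constructed samples. The <config> root is an assumption (the report quotes a
# single <entry>); all values except remotepassword are placeholders.
SAMPLE_CONFIG_XML = """<config>
  <entry><attribute>login</attribute><value>user@example.com</value></entry>
  <entry><attribute>encpassword</attribute><value>00112233445566778899aabbccddeeff</value></entry>
  <entry><attribute>remotepassword</attribute><value>c26ccaaba25f6642</value></entry>
</config>"""
SAMPLE_HOTLOG_HTM = """<html><body onload="document.pform.submit();">
<form name="pform" action="https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033" method="POST">
<input type="hidden" name="mode" value="ttl">
<input type="hidden" name="username" value="user@example.com">
<input type="hidden" name="auth" value="PLACEHOLDER_AUTH_TOKEN">
<input type="hidden" name="creds" value="PLACEHOLDER_MD5_CREDS">
</form></body></html>"""

HIDDEN_INPUT_RE = re.compile(  # one hidden <input>; [^>]* cannot cross into the next tag
    r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)

def reversible_entries(config_xml):
    """Return {attribute: hex ciphertext} for entries stored under the weak scheme."""
    found = {}
    for entry in ET.fromstring(config_xml).iter("entry"):
        attr = entry.findtext("attribute", "").strip()
        if attr in REVERSIBLE_ATTRS:
            found[attr] = entry.findtext("value", "").strip()
    return found

def leaked_form_fields(hotlog_html):
    """Return {field: value} for sensitive hidden inputs written to hotlog.htm."""
    return {n: v for n, v in HIDDEN_INPUT_RE.findall(hotlog_html)
            if n.lower() in SENSITIVE_FIELDS}

def audit_profile(config_xml, hotlog_html):
    """One finding string per leaked item; an empty list means nothing was flagged."""
    findings = [f"config.xml: '{a}' is DES-encrypted under a predictable key ({len(v) // 2} bytes)"
                for a, v in reversible_entries(config_xml).items()]
    findings += [f"hotlog.htm: hidden field '{n}' keeps login material on disk"
                 for n in leaked_form_fields(hotlog_html)]
    return findings
```

Run `audit_profile` over the real files from a profile directory to get the same findings; a clean profile yields an empty list.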


Copyright 2004, SecurityGlobal.net LLC