Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users

from [Allen Parker] Network Security [Permanent Link]
Subject: Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users
Date: Tue, 23 Aug 2005 18:35:50 -0800 
On 23 Aug 2005 13:21:23 -0000, kozan@spyinstructors.com
<kozan@spyinstructors.com> wrote:

/*================================================================

ZipTorrent 1.3.7.3 Local Proxy Password Disclosure Exploit by Kozan

Discovered & Coded by Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

Application:
--------------------
ZipTorrent 1.3.7.3 (and probably prior versions)
Vendor: www.ziptorrent.com

Introduction:
--------------------
ZipTorrent is the fastest BitTorrent client for Windows with the
most features, such as Search om Major search engines an RSS reader,
IRC Chat rooms, Automatic Torrent Download Rules, Automatic Update,
Bandwidth Monitor, NAT Checking, and UPnP Support. An install wizard
that helps you through the installation process.

Bug:
--------------------
ZipTorrent stores proxy server information and password in
X:\\[Program_Files_Path]\[ZipTorrent_Path]\pref.txt
in plain text. A local user can read passwords and others.

Vendor Confirmed:
--------------------
No

Fix:
--------------------
There is no solution at the time of this entry.


I don't mean to be a party pooper, but wouldn't it be just as easy to
navigate to the program's install path and double freaking click
pref.txt?

In my opinion, since this isn't a privilege escalation (local OR
remote), and it's certainly within the abilities of most of the people
reading this list to just open pref.txt in their favorite editor,
"proof of concept" code is next to worthless... nice try, but it makes
this report really seem like a joke.

On yet another note, I haven't seen many programs making use of
proxies where the username/password pairs were obfuscated in any
way... generally if a proxy is required in the first place, it's a
proxy the whole machine knows about anyway, so there's really not much
use in attempting to keep said proxy secret.

-- 
________________________________________
To avoid being added to my spam filter:
1. Utilize list replies unless otherwise requested.
2. If you DO send me a personal email, use english.
3. HTML isn't cute. It belongs on the web, not in my inbox.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Foojan PHP Weblog Information Disclosure - Refferer Html Injection, ali202
Next by Date:  RE: Remote IIS 5.x and IIS 6.0 Server Name Spoof, Sacha Faust
Previous by Thread:  ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users, kozan
Next by Thread:  Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users, Nick Boyce
Indexes:  [Date] [Thread] [Top] [All Lists]