=============================================================================
1. Introduction
2. What it was tested on
3. How to reproduce the exploit
4. Conclusion
5. Fix
=============================================================================

1. Introduction

After studying the Windows build of the instant messenger client aMSN (v0.90) and looking through its files, I noticed that a malicious local user could obtain the login hash of a user who had logged in to aMSN:

=============================================================================
2. What it was tested on

aMSN v0.90 client on Windows 2000 Professional SP4 (build 2195).

=============================================================================

3. How to reproduce the exploit

To reproduce this vulnerability, follow these steps: open the aMSN messenger client and log in to Hotmail with your user name and password. When we open our e-mail by clicking the tray envelope that announces new mail, Explorer opens and we see that a page is loaded locally, from a local path:

file:///C:/Documents%20and%20Settings/Lostmon/amsn/hotlog.htm

As we can see, this is the local path of the profile of the user who started the session on the PC :/ If we open this folder and look at this path, and in particular at this file, we find the following:

=============================================================================
code of file hotlog.htm
Looking at this information we can see how the form is submitted: it is executed in "hidden" mode, and it carries a lot of sensitive data.
But it does not end here. If we look carefully in the amsn folder under the user's profile (%userroot%amsn\, i.e. the C:\Documents and Settings\<user>\amsn\ directory shown above), we find a config.xml whose last lines contain this entry:

=============================================================================
part of code of config.xml
What is the remote password, and how can it be obtained? We assume the remote password is the password that identifies each account :/ So if we investigate thoroughly where this remote password comes from, we arrive at the folder c:\program files\amsn\scripts\ and among those files we find config.tcl. At line 296 we have this:

}
if { ($config(save_password)) && ($password != "")} {
=============================================================================

These are the functions that encode the remote password, hmm :/ If we look at the rest of this file we should be able to confirm that the variables needed to reverse certain functions are in there.
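To make the point concrete, here is an added example. It is not aMSN code and does not reproduce the real config.tcl routine: it uses a stand-in reversible encoding (repeating-key XOR with a static key, hex output) to show why a password "encoded" by the client and stored in config.xml is recoverable by anyone who can read both the config file and the client's own script. The key constant, the element names in the constructed config.xml, and the save_config/recover_password helpers are all assumptions made for the illustration; only the save_password guard mirrors the line quoted above.

```python
"""Why a client-side 'encoded' saved password is recoverable by a local user.

Added example (not aMSN's code, not its config.tcl routine): a stand-in
reversible encoding with a static key embedded in the client script, plus
the recovery step a local user who can read that script performs.
"""
from typing import Optional
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# ASSUMPTION: a fixed key constant embedded in the client's own script.
# Stand-in for whatever constants the real encoding routine uses; anyone
# who can read the script can read this value too.
CLIENT_KEY = b"aMSN-client-key"


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(password: str, key: bytes = CLIENT_KEY) -> str:
    """'Encode' a password for storage: XOR with the static key, then hex."""
    return _xor(password.encode("utf-8"), key).hex()


def deobfuscate(encoded: str, key: bytes = CLIENT_KEY) -> str:
    """Reverse obfuscate(); needs nothing the client script does not contain."""
    return _xor(bytes.fromhex(encoded), key).decode("utf-8")


def save_config(login: str, password: str, save_password: bool) -> str:
    """Build a constructed config.xml (element names assumed, not aMSN's).

    Mirrors the guard quoted from config.tcl: the remote password is only
    written when save_password is set and the password is non-empty.
    """
    remote = obfuscate(password) if save_password and password else ""
    return (
        "<config>\n"
        f'  <entry name="login">{escape(login)}</entry>\n'
        f'  <entry name="save_password">{int(save_password)}</entry>\n'
        f'  <entry name="remotepassword">{remote}</entry>\n'
        "</config>\n"
    )


def recover_password(config_xml: str, key: bytes = CLIENT_KEY) -> Optional[str]:
    """What a local user does: read config.xml and reuse the key from the script."""
    root = ET.fromstring(config_xml)
    node = root.find("./entry[@name='remotepassword']")
    if node is None or not node.text:
        return None  # password was not saved, nothing to recover
    return deobfuscate(node.text, key)


if __name__ == "__main__":
    cfg = save_config("victim@hotmail.com", "s3cret!", save_password=True)
    print(cfg)
    print("recovered:", recover_password(cfg))
```

The stored value looks random in config.xml, but the only secret the decoding needs is the key constant, which ships in the same readable script directory (c:\program files\amsn\scripts\ in the case above). Any user who can read the profile folder and the scripts folder can therefore recover the plaintext; the encoding hides the password from a casual glance, not from a local attacker. The only real mitigation is not to store the password at all, or to store it under an OS-provided per-user secret store rather than a reversible transform with a key the client carries.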