------------------------------------------------------------------
- EXPL-A-2003-XX1 exploitlabs.com Advisory XX1
------------------------------------------------------------------

-=- Looksmart / Grub Distributed Webcrawling Client -=-

===================================
VENDOR CONTACTED - Advisory on hold
===================================

Vulnerability(s):
-----------------
1. Local cleartext user / password in Windows registry

Product:
--------
http://www.grub.org/
http://www.looksmart.com/
grub-client-1.3.7.exe [CURRENT] May 12, 2003
grub-client-1.3.7.zip [CURRENT] May 12, 2003
Linux client stores cleartext in .ini

Description of product:
-----------------------
"Grub uses the power of distributed computing to build the best search on the Web. It automatically crawls the Web in the background, borrowing your computer's spare clock cycles, so you won't even notice it's there. The download is quick, you control how much you crawl, and the cool screensaver shows you the real-time progress your computer is making. You can even compare your stats to other Grubsters in the project! Help perfect the search engine. Join the Grub project today!"

Company Profile:
----------------
"LookSmart is a leader in Search Targeted Marketing. Through its innovative LookListingsTM suite of commercial search listings products and graphical advertising products, LookSmart enables large and small businesses alike to expose their products and services to customers at the precise moment they're searching for that very thing. The result is a better search experience for the user, as well as highly qualified leads and lower customer acquisition costs for the business. The LookSmart network reaches 77%* of Internet users, and includes Microsoft's MSN, Excite@Home, AltaVista, Netscape Netcenter, Inktomi, Prodigy, Juno, CNN.com, Road Runner, Cox Interactive Media, InfoSpace (Go2Net, Dogpile, MetaCrawler) and Ask Jeeves."

*Media Metrix June 2001 Digital Media Audience Ratings

Reviews:
--------
http://www.fortune.com/fortune/smallbusiness/skeptic/0,15704,453288,00.html (David Lidsky)
http://www.wired.com/news/infostructure/0,1377,58497,00.html
http://slashdot.org/article.pl?sid=03/04/19/1916209&mode=thread&tid=95

VULNERABILITY / EXPLOIT
=======================

Local:
------
Passwords and user names are stored cleartext inside the registry under Windows OS.

REG Key:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\GrubClient\Settings

Subkey ( data ):
userEmail
userPassword

Vendor Fix:
-----------
No fix on 0day
maybe re-read http://www.grub.org/html/help.php?op=privacy mmmmkay???

Vendor Contact:
---------------
I left a message at Tel: 415.348.7000 @3am June 4 2003 advising them of my impending release at 12pm.
Callback 9:10am from corp office.
kord@grub.org
kord campel 415-348-7691
Vendor knows and is working on the issue.
Credit to Donnie Werner of exploitlabs.com for publicly bringing this to our attention and working with us on a resolve.

Author Comment:
---------------
For a company of this breadth to skimp on a basic security practice is inexcusable. There is absolutely no excuse for a plaintext password in the Windows registry, period. Any computer with multiple users is vulnerable to password discovery and disclosure.
hint - hash yer pass
Made enuf money yet??? Use some of it to fix your software please.

Credits:
--------
Donnie Werner
http://exploitlabs.com
"where finding your holes is job one, and plugging them twice the fun"
morning_wood@exploitlabs.com

===================================
VENDOR CONTACTED - Advisory on hold
===================================
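An added audit example for the Local vulnerability above, written for this page and not code from the advisory or from the Grub client: it reads the registry location the advisory names, reports whether userPassword sits there in cleartext, and shows the per-user DPAPI storage (ConvertFrom-SecureString) a client like this should have used. The function names and the check via ConvertTo-SecureString are this example's own choices.

```powershell
# Added audit example, not code from the original advisory or from the Grub client.
# Runs on Windows PowerShell against the current user's hive (HKCU).
$GrubSettingsKey = 'HKCU:\Software\VB and VBA Program Settings\GrubClient\Settings'

function Test-GrubStoredCredential {
    param([string]$Path = $GrubSettingsKey)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ KeyPresent = $false; Cleartext = $false; Detail = 'GrubClient settings key not found' }
    }

    $settings = Get-ItemProperty -Path $Path
    $stored   = [string]$settings.userPassword

    if ([string]::IsNullOrEmpty($stored)) {
        return [pscustomobject]@{ KeyPresent = $true; Cleartext = $false; Detail = 'userPassword absent or empty' }
    }

    # ConvertTo-SecureString without -Key accepts only a DPAPI blob encrypted by the
    # current user; a plain password (or a blob owned by another account) throws here.
    try {
        $null = ConvertTo-SecureString -String $stored -ErrorAction Stop
        $isProtected = $true
    } catch {
        $isProtected = $false
    }

    $detail = "cleartext userPassword stored for account '$($settings.userEmail)'"
    if ($isProtected) { $detail = 'userPassword is a DPAPI-protected blob' }

    [pscustomobject]@{ KeyPresent = $true; Cleartext = -not $isProtected; Detail = $detail }
}

function Protect-GrubStoredCredential {
    # What the client should do instead: store a DPAPI blob that only this Windows
    # user can decrypt, so other local accounts or hive backups see only ciphertext.
    # Note: the 1.3.7 client expects plaintext, so this is a design illustration, not a patch.
    param(
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Path = $GrubSettingsKey
    )
    $blob = ConvertFrom-SecureString -SecureString $Password
    Set-ItemProperty -Path $Path -Name 'userPassword' -Value $blob
    return ($blob.Length -gt 0)
}

Test-GrubStoredCredential | Format-List
```

Run the audit on a machine where the Grub client has been logged in; a `Cleartext : True` result confirms the exposure the advisory describes for that user profile.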