OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: K. K. Mookhey (cto_at_nii.co.in)
Date: Mon Dec 16 2002 - 02:17:45 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ===================================================
    Advisory: Password Disclosure in Cryptainer
    Vendor: SecureSoft http://www.cypherix.com
    Download Location: http://www.cypherix.com/downloads.htm
    Versions affected: Cryptainer PE and Cryptainer 2.0
    Date: 16th December 2002
    Type of Vulnerability: Information Disclosure in Memory of Process
    Severity: Medium

    Discovered by: K. K. Mookhey (ctonii.co.in)
    Network Intelligence India Pvt. Ltd. (http://www.nii.co.in)
    Online location: http://www.nii.co.in/vuln/crypt.html
    ===================================================

    Background:
    =========
    >From vendor website: "Cryptainer PE's ease of use together with its powerful 448
    bit strong
    encryption provides file security without changing the way you work. It creates
    a 100MB encrypted drive that can be loaded and unloaded as required. It combines
    ease of use and simple drag-and-drop operations with powerful 448 bit strong
    encryption ensuring total security with phenomenal ease of use and maximum
    convenience!"
    Both products use the Blowfish algorithm.

    Description:
    =========
    Both the versions of Cryptainer store the password in clear text in the memory
    of the process without encrypting it or nullifying it. This password is clearly
    visible as long as the following two conditions are satisfied:
    1. The user has entered the password at least once
    2. Cryptainer is loaded
    The encrypted volume may or may not be loaded.
    Since this product comes with an option to minimize to the System Tray, it is
    quite likely that the user would keep Cryptainer running without loading the
    encrypted volume containing the encrypted files. In such a case, a user might
    assume that since the encrypted volume is not loaded, his files are safe. But an
    intruder who is able to dump the memory of the running process can ferret out
    the password with relative ease. Besides the password, the physical path of the
    volume is also clearly visible.
    Also Cryptainer does not provide a limit to the number of wrong password
    attempts. So an intruder must collect the memory dump, and copy the physical
    location of the logical volume (which is actually one big file) onto his
    machine, and then run Cryptainer and check all the strings in the memory dump
    for the correct password.

    References:
    =========
    A similar vulnerability was found in Password Safe written by crypto-guru
    Bruce Schneier. This was acknowledged by him and addressed by the developer of
    the open source version of this product. Bruce Schneier's response is here:
    http://www.counterpane.com/crypto-gram-0111.html#6

    Impact:
    =====
    First of all, the intruder would need to have physical access to the PC in order
    to gather a physical dump. Moreover, it would be necessary to have Cryptainer
    running - either with the encrypted volume loaded or unloaded. This however is
    not
    so uncommon. On the other hand, it is in the event of a physical intrusion, that
    one would need the encryption software to protect one's data. Therefore, the
    physical access event must be assumed as having occured. Then, the
    estimated probability of a compromise must be that of Cryptainer running in the
    System Tray, and the user having used the software at least once.

    Vendor Response:
    =============
    The vendor response is somehow not so clear. We have corresponded with them
    repeatedly
    since November 23rd. The essence that we have been able to make out is that they
    will probably look into it in their next release sometime in the first quarter
    of 2003. Their contention is also that with the kind of physical access required
    for this to work, the intruder might as well install a keylogger.

    Workaround:
    ==========
    Do not keep Cryptainer minimized in the System Tray even if you have unloaded
    the encrypted volume. Exit the software as soon as you have finished
    encrypting/decrypting the files, by clicking on the Shutdown and Exit button.

    Note:
    ====
    The software is still pretty secure, and if you do not keep Cryptainer in the
    System Tray you should be safe.

    K. K. Mookhey
    CTO,
    Network Intelligence India Pvt. Ltd.
    Tel: 91-22-22001530, 22006019
    Email: ctonii.co.in
    Web: www.nii.co.in
    =================================
    The Unix Auditor's Practical Handbook
    http://www.nii.co.in/tuaph.html
    =================================