OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: r1ccard0 (r1ccard0THE-PENTAGON.COM)
Date: Tue Mar 27 2001 - 13:49:06 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -=> Zero Tolerance Technologies (T) Security Advisory <=-

    Reference: ZTT-SA01-27032001
    Author: Richard Scott, r1ccard0the-pentagon.com

    Product: Computer Associates' CCC\Harvest Source Code
    control software
         http://ca.com/products/ccc_harvest.htm
         http://ca.com/products/descriptions/ccc_harvest.pdf

    Severity:
    High, Application superuser can be obtained.

    Systems:
    CCC\Harvest v5.0 running on NT\2000, could also apply to
    other platforms and versions.
    Discovered: 26th March 2001

    Synopsis
    CCC Harvest is a tool that is used to audit and maintain
    access control to source code If the security mechanism is
    broken, source code can be modified and downloaded with
    little audit to trail.

    CCC Harvest has an authentication model that uses TCP to
    transmit the security credentials to the server for
    authentication. The encryption method used is susceptible
    to a chosen plaintext attack.
    Length of password does not increase the security. No
    feedback chaining is used to prevent repeated terms in the
    plaintext appearing in the ciphertext. A user could
    discover the superuser password in encrypted form and then
    apply character substitution to reveal the plaintext.

    Exploit:
    Using a chosen plain text attack, the character substitution
    matrix can be constructed. Using this matrix, it is
    possible to simply look up each ciphertext character to
    reveal it's plaintext equivalent.

    The password that was captured using a network analyzer in
    encrypted form was:
    yfohoh>u[ghhdptj1111111.

    Using the matrix above, the resulting plain text would be:
    ThisismypasswordQQQQQQQ

    If other characters had been used, it's pretty easy to see
    how a plain text attack would extend, just feed in the ASCII
    character set and review the ciphertext that appears. The
    last few characters also reveal another weakness. The
    algorithm that is being used, seems to take one character at
    a time, and doesn't use any loop back mechanism to prevent
    repeating terms in the plaintext occurring in the
    ciphertext.

    I've come across such attacks on numerous occasions, and it's the following
    premise that leads to this.

             " The password is encrypted, thus it must be secure"

    This isn't the case if the algorithm that is used, is weak. There are so
    much people can learn from this example.

    Vendor Notification:
    CCC\Harvest have been notified through their support system,
    found at : http://support.ca.com/a-g.html
    I've had a response that all they are willing to say is that
    this is the current mechanism. There may be some confusion
    as the extent of the exploit. But I've tried to notify them
    of the problem.

    Current research has led me to believe the following:
    1) the encryption key is hard coded in to the application
    2) the key is the same for all installations of
      CCC\Harvest

    As of 27-03-2001 CA are aware of the problem

    Solution
    If CCC\Harvest supports NT authentication, it should be
    used.

    Changing the key is not a sufficient precaution to prevent
    this attack.

    Never use homebrew cryptography.

    _____________________________________________
    Free email with personality! Over 200 domains!
    http://www.MyOwnEmail.com

    ----------------------------------------------------------------------------
    Delivery co-sponsored by BindView Corporation
    ============================================================================
    Are your security practices adequate enough to protect you from hackers and
    crackers? How do you provide remote access to your users, enable e-mail
    messaging, Internet sites and e-commerce activity, and at the same time
    maintain security? Can you implement and administer the effective security
    measures you need without doing battle with the people who need access to
    your network?

    Download FREE the latest Hurwitz Group Report, Management Controls:
    Security Impact of IT Administration at <http://www.bindview.com/hurwitz3>
    ----------------------------------------------------------------------------