Re: bo2k plugins

[rrpermeh () RCONNECT COM (Ryan Permeh)]

I just released a Blowfish plugin that doesn't use MD5, and should be  a
fast encryption substitue.  It is availible from a link on the bo2k site.
As a note, both  the cast and IDEA plugins are now fixed.
talis

Alfred Huger wrote:

> ---------- Forwarded message ----------
> Date: Sun, 01 Aug 1999 21:29:40 -0500
> From: Irwan Amir Widjaja <irwanw () netscape net>
> To: vuldb () securityfocus com
> Subject: bo2k plugins
>
> Hi,
>
> I recently (July 31st) discovered that the CAST-256 plugin v2.2 which
> allows any user to connect to any CAST256 server with any password.
> After reporting the bug to Daniel (the author), he fixed the plugin
> within a few hours and found that the problem lied within Maw~'s MD5
> module, which he used for his plugin (Dan later found that MAW~'s IDEA
> plugin has the same flaw).
>
> This is obviously a very big security risk for administrators who use
> bo2k as a legit remote administration tool (as opposed to a 'cracking &
> hacking' tool).
>
> Currently CAST-256 and IDEA are the only strong encryption plugins which
> are internationally available for bo2k (the only ones I'm aware of at
> least).
>
> There were over 1000 downloads of the faulty CAST256 plugin alone.
>
> Both of these plugins have been updated by their authors.
>
> Sincerely,
>
> Amir