List: bugtraq
Subject: Dameware Passes Weak File Encryption Key in the Clear
From: ax09001h <ax09001h () hotmail ! com>
Date: 2004-03-23 20:17:10
Message-ID: 20040323201710.16065.qmail () www ! securityfocus ! com
Dameware Mini Remote Control version 4.1.0.0 and presumably other versions pass a Blowfish encryption key over the wire in the clear. It is bad enough that they appear to be using Blowfish in Electronic Codebook Mode; but they compound their errors by the following two vulnerabilities.
The Dameware Mini Remote Control offers the capability to transfer files between the host and client encrypted using 128-bit Blowfish Encryption. Their first mistake is using a poor random bit generator to create their encryption key. After identifying the key in the clear I was able to surmise that the lack of cryptographic expertise of the Dameware developers was systemic and checked to see if they were using the built-in rand() function to generate the key. It did not take long to exhaust the small space of the Windows' linear congruential generator (LCG) in rand() to discover the following hypothesized loop for generating their file encryption key.
    #include <stdlib.h>   /* srand(), rand() */
    #include <time.h>     /* time() */

    int i;
    unsigned char dw_f_key[16];
    srand(time(NULL));            /* seed is the current time in seconds */
    for (i = 0; i < 16; i++) {
        dw_f_key[i] = rand();     /* each key byte is the low byte of one rand() output */
    }
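To make the weakness concrete, the following added example (not code from the post or from Dameware) reimplements the MSVC CRT rand()/srand() LCG, derives a 16-byte key with the hypothesized loop above, and shows that the set of keys reachable within a given window of start times is tiny compared with the nominal 128-bit key length. The LCG constants (214013, 2531011, 15-bit output) are the well-known MSVC values; the generator name, the window size and the contrast with a CSPRNG-based key are assumptions added here for illustration.

```python
import math
import secrets

# MSVC CRT linear congruential generator constants (known values, not from the post).
MSVC_MULT = 214013
MSVC_INC = 2531011
MASK32 = 0xFFFFFFFF


class MsvcRand:
    """Deterministic reimplementation of MSVC srand()/rand() so the example runs offline."""

    def __init__(self, seed):
        self.state = seed & MASK32          # srand(seed)

    def rand(self):
        self.state = (self.state * MSVC_MULT + MSVC_INC) & MASK32
        return (self.state >> 16) & 0x7FFF  # rand() returns a 15-bit value


def weak_file_key(seed):
    """Hypothesized Dameware loop: srand(time) then 16 x rand(), each truncated to one byte."""
    rng = MsvcRand(seed)
    return bytes(rng.rand() & 0xFF for _ in range(16))


def keys_reachable_in_window(start_seed, window_seconds):
    """All keys the weak generator can produce for a transfer started in the window.

    time(NULL) advances once per second, so there is at most one key per second:
    the whole 128-bit key is a function of a single, guessable 32-bit seed.
    """
    return {weak_file_key(s) for s in range(start_seed, start_seed + window_seconds)}


def effective_key_bits(window_seconds):
    """Entropy actually delivered by the weak key when the start time is known to the window."""
    return math.log2(window_seconds)


def strong_file_key():
    """The fix: draw the key from the OS CSPRNG instead of a time-seeded LCG."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    # Constructed start seed (arbitrary timestamp) and a one-hour uncertainty window.
    start, window = 1_080_000_000, 3600
    print("key for seed", start, "=", weak_file_key(start).hex())
    print("distinct keys reachable in one hour:", len(keys_reachable_in_window(start, window)))
    print("effective key bits: %.1f (nominal 128)" % effective_key_bits(window))
    print("CSPRNG key:", strong_file_key().hex())
```

Seeding with the time does not just reduce entropy; it ties the key to a value an observer of the transfer can estimate to within seconds, which is why the post's author could exhaust the space quickly. A key generated from the OS CSPRNG has no such structure, and that change is independent of whether the key is later sent in the clear (the second, separate flaw below).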
The second major and more serious mistake is that they actually pass the file encryption key in the clear over the wire. This can be seen by analyzing packets between host and target. In a packet just prior to the file being sent, the second to the last string of 16 bytes is the file encryption key.