[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Dameware Passes Weak File Encryption Key in the Clear
From:       ax09001h <ax09001h () hotmail ! com>
Date:       2004-03-23 20:17:10
Message-ID: 20040323201710.16065.qmail () www ! securityfocus ! com
[Download RAW message or body]



Dameware Mini Remote Control version 4.1.0.0 and presumably other versions pass a \
Blowfish encryption key over the wire in the clear.  It is bad enough that they \
appear to be using Blowfish in Electronic Codebook Mode; but they compound their \
errors by the following two vulnerabilities.

The Dameware Mini Remote Control offers the capability to transfer files between the \
host and client encrypted using 128-bit Blowfish Encryption.  Their first mistake is \
using a poor random bit generator to create their encryption key.  After identifying \
the key in the clear I was able to surmise that the lack of cryptographic expertise \
of the Dameware developers was systemic and checked to see if they were using the \
built-in rand() function to generate the key.  It did not take long to exhaust the \
small space of the Windows’ linear congruential generator (LCG) in rand() to discover \
the following hypothesized loop for generating their file encryption key.

int 			i;
unsigned char 	dw_f_key[16];
srand(time(NULL));
for(i=0;i<16;i++){
	dw_f_key[i] = rand();
}

The second major and more serious mistake is that they actually pass the file \
encryption key in the clear over the wire.  This can be seen by analyzing packets \
between host and target.  In a packet just prior to the file being sent the second to \
the last string of 16-bytes is the file encryption key. 


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic