[5466] in cryptography@c2.net mail archive


Re: bo2k cryptography

daemon@ATHENA.MIT.EDU (mischief@lanesbry.com)
Tue Aug 24 19:44:34 1999

From: mischief@lanesbry.com
Date: Wed, 25 Aug 1999 08:00:19 +1000
To: Bluefish <11a@gmx.net>
Cc: cryptography@c2.net

mischief@lanesbry.com wrote:
> 
> The authors have announced and fixed one bug...

Here are the details of that one:


http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-1&msg=Pine.GSO.4.05.9908021606360.4451-100000@www.securityfocus.com

---------- Forwarded message ----------
Date: Sun, 01 Aug 1999 21:29:40 -0500
From: Irwan Amir Widjaja <irwanw@netscape.net>
To: vuldb@securityfocus.com
Subject: bo2k plugins

Hi,

I recently (July 31st) discovered that the CAST-256 plugin v2.2
allows any user to connect to any CAST256 server with any password.
After reporting the bug to Daniel (the author), he fixed the plugin
within a few hours and found that the problem lay within Maw~'s MD5
module, which he used for his plugin (Dan later found that MAW~'s IDEA
plugin has the same flaw).

This is obviously a very big security risk for administrators who use
bo2k as a legit remote administration tool (as opposed to a 'cracking &
hacking' tool).

Currently CAST-256 and IDEA are the only strong encryption plugins which
are internationally available for bo2k (the only ones I'm aware of at
least).

There were over 1000 downloads of the faulty CAST256 plugin alone.

Both of these plugins have been updated by their authors.

Sincerely,

Amir

