[11278] in bugtraq
Re: bo2k plugins
daemon@ATHENA.MIT.EDU (Ryan Permeh)
Fri Aug  6 01:19:15 1999
Message-Id:  <37A98FD0.954BD27D@rconnect.com>
Date:         Thu, 5 Aug 1999 08:21:21 -0500
Reply-To: Ryan Permeh <rrpermeh@RCONNECT.COM>
From: Ryan Permeh <rrpermeh@RCONNECT.COM>
X-To:         Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
I just released a Blowfish plugin that doesn't use MD5, and should be a
fast encryption substitute.  It is available from a link on the bo2k site.
As a note, both the CAST and IDEA plugins are now fixed.
talis
Alfred Huger wrote:
> ---------- Forwarded message ----------
> Date: Sun, 01 Aug 1999 21:29:40 -0500
> From: Irwan Amir Widjaja <irwanw@netscape.net>
> To: vuldb@securityfocus.com
> Subject: bo2k plugins
>
> Hi,
>
> I recently (July 31st) discovered that the CAST-256 plugin v2.2
> allows any user to connect to any CAST-256 server with any password.
> After reporting the bug to Daniel (the author), he fixed the plugin
> within a few hours and found that the problem lay within Maw~'s MD5
> module, which he used for his plugin (Dan later found that MAW~'s IDEA
> plugin has the same flaw).
>
> This is obviously a very big security risk for administrators who use
> bo2k as a legit remote administration tool (as opposed to a 'cracking &
> hacking' tool).
>
> Currently CAST-256 and IDEA are the only strong encryption plugins which
> are internationally available for bo2k (the only ones I'm aware of at
> least).
>
> There were over 1000 downloads of the faulty CAST256 plugin alone.
>
> Both of these plugins have been updated by their authors.
>
> Sincerely,
>
> Amir
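The thread above describes the symptom (any password accepted) and the root cause (a shared MD5 module used by both the CAST-256 and IDEA plugins) but not what the module got wrong. The check below is an added example written for this archive entry, not code from bo2k, its plugins, or any of the people in the thread. It assumes only that the plugins derived an authentication digest from the password with MD5, and shows the two regression tests a plugin author would want before shipping: the hash primitive is validated against the RFC 1321 known-answer vectors, and the verify routine is confirmed to reject wrong passwords, not merely to accept the right one. `constructed_bad_hash` is a constructed stand-in that ignores its input, used only to show that the checks fire; it is not a claim about how the real module failed.

```python
import hashlib
import hmac
from typing import Callable, List

HashFn = Callable[[bytes], bytes]

# Known-answer vectors from RFC 1321, Appendix A.5.
RFC1321_VECTORS = {
    b"": "d41d8cd98f00b204e9800998ecf8427e",
    b"a": "0cc175b9c0f1b6a831c399e269772661",
    b"abc": "900150983cd24fb0d6963f7d28e17f72",
    b"message digest": "f96b697d7cb7938d525a2f31aaf161d0",
}


def md5_digest(data: bytes) -> bytes:
    """Reference MD5 from the standard library, standing in for a plugin's hash module."""
    return hashlib.md5(data).digest()


def constructed_bad_hash(data: bytes) -> bytes:
    """Constructed stand-in for a broken hash module: the output never depends on the input.
    This is an illustration for the self-test, not the flaw the thread reports."""
    return b"\x00" * 16


def hash_module_ok(hash_fn: HashFn) -> bool:
    """True only if hash_fn reproduces every RFC 1321 known-answer vector."""
    for msg, expected_hex in RFC1321_VECTORS.items():
        if hash_fn(msg).hex() != expected_hex:
            return False
    return True


def verify_password(stored_digest: bytes, candidate: str, hash_fn: HashFn) -> bool:
    """Compare the digest of the offered password against the stored digest in constant time."""
    offered = hash_fn(candidate.encode("utf-8"))
    return hmac.compare_digest(offered, stored_digest)


def auth_rejects_wrong_passwords(hash_fn: HashFn, real: str, wrong: List[str]) -> bool:
    """Positive and negative test of the verify routine.

    A routine that only passes the positive case can still be an accept-all;
    the negative cases are what would have caught the bug described above.
    """
    stored = hash_fn(real.encode("utf-8"))
    if not verify_password(stored, real, hash_fn):
        return False
    return all(not verify_password(stored, w, hash_fn) for w in wrong)


def plugin_self_test(hash_fn: HashFn) -> bool:
    """Both checks a plugin should run at load time before trusting its hash module."""
    return hash_module_ok(hash_fn) and auth_rejects_wrong_passwords(
        hash_fn, "correct horse", ["", "wrong", "CORRECT HORSE", "correct horse "]
    )


if __name__ == "__main__":
    print("reference MD5 self-test:", plugin_self_test(md5_digest))          # True
    print("constructed bad module self-test:", plugin_self_test(constructed_bad_hash))  # False
```

The example keeps the unsalted MD5-of-password scheme of the 1999 plugins only so that the check matches the design under discussion; a current implementation would use a password KDF rather than a bare hash, and the same self-test structure applies unchanged to that primitive.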