[16293] in bugtraq
swc / ActivCard
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Fri Aug 18 03:59:14 2000
Mime-Version: 1.0
Content-Type: MULTIPART/Mixed; BOUNDARY="453665793-1870952434-966513560=:6137"
Content-Id: <Pine.LNX.4.21.0008171402231.26041@dione.ids.pl>
Message-Id: <Pine.LNX.4.21.0008171854200.26041@dione.ids.pl>
Date: Thu, 17 Aug 2000 18:54:20 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
--453665793-1870952434-966513560=:6137
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.21.0008171402232.26041@dione.ids.pl>
--
Standard disclaimer: this material contains my personal opinions and
beliefs ONLY. It has nothing to do with my employer / company. I am
writing it as a private person. It doesn't have to be upright, nor does it
even pretend to provide objective / useful information. All statements
should be verified before claiming they are true. I can't and will not
take any responsibility for any use / misuse of this information, nor any
kind of damage / loss caused by any interpretation of it.
--
First of all, something light:
Simple Web Counter, a quite popular CGI application (distributed e.g. on
the Linuxberg FTP site), written by Ross Thompson, is vulnerable to a stack
buffer overflow when parsing the ctr= parameter. It is considered
exploitable and exposes some ISP servers.
Then, something more juicy:
Some time ago, we performed a brief, comparative analysis of one-time
passphrases returned by different tokens (mainly SecurID and ActivCard)
over short time periods (collecting successive one-time passwords
returned by each token).
In ActivCard's case, we discovered something at least alarming.
Before continuing, please note: although we tried to collect the most
accurate and representative data and to provide objective and reliable
information, there's a chance we've made some mistakes.
-- IMPORTANT STATEMENT --
Thus, please treat this message as an attempt to start further, more
complete analysis *ONLY*. You shouldn't trust these statements before
making sure they're true - and we can't take *ANY* kind of responsibility
that they are.
-- END OF IMPORTANT STATEMENT --
Theoretically, the default ActivCard 8-digit display can handle up to
100,000,000 combinations.
First, while analysing the output returned by different tokens kindly
provided to us, we thought ActivCard uses alarmingly small (within around
1-2% of the possible number space), but random, positive increments in
sequences of random length. For example:
  .
  05314080
  06401172   < increment around 1.1M   \
  07332504   < increment around 0.9M    |   --- sequence of increments
  08957912   < increment around 1.6M    |
  09134516   < increment around 0.2M   /
  00104910   < large decrement
  ...
  :
  .
But that was only the first impression. We visualised the output presented
by the tokens, and found it doesn't look really random:
By calculating the first derivative of the collected values (over 100
samples), we discovered these increments are determined by simple
functions that look pretty deterministic and periodic. For example, one of
them (partially responsible for those huge decrements) has a simple cycle
of 10. You can see it on the graphics generated by our sample program (see
below) as green peaks below the X axis.
To make sure we're not studying some rare set of conditions, we checked
some other tokens, with different PIN codes. I guess all of them were
previously synchronized to the same server (most of them lost
synchronisation in the meantime); that's why I'm asking other people to
collect some information and try to verify these observations.
I included simple code to visualise one of our sample data portions. It
should work on a Linux/BSD box with svgalib installed:
# gcc -lvga -lm vis.c -o vis
# ./vis <DATA.in
Actually, I guess you can use any other program, like gnuplot,
Derive, Mathematica and so on, to perform the visualisation.
Dark blue lines are discrete measurement points. The white line connects
the values at these points, while the green line shows the delta (the
increment between the previous and the current value).
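For those who want to verify the observations on their own tokens without svgalib, here is a text-mode version of the same analysis. This is an added example, not part of the original post and not the author's vis.c: it parses 8-digit display values, computes the first derivative (the green line above) and scores the deltas for a periodic component with a plain autocorrelation. The sample streams are constructed for the demonstration and are not data from any real token; one step goes beyond vis.c by reducing each delta into a signed range so a display wrapping from 9999xxxx to 0000xxxx does not show up as a spurious -100M spike.

```python
"""Added example, not part of the original post or of its vis.c: a text-mode
version of the analysis the post describes (first derivative of successive
token values, then a check for a periodic component).  All sample data here
is constructed for the demonstration; no real token output is included."""
import random

DISPLAY_SPACE = 10 ** 8   # an 8-digit display holds 0..99,999,999


def parse_samples(lines):
    """Display strings such as '05314080' -> ints.  Leading zeros are decimal,
    blank lines are skipped, and anything else is rejected so that one
    mis-transcribed line cannot silently distort the statistics."""
    values = []
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        if len(s) != 8 or not s.isdigit():
            raise ValueError("not an 8-digit token value: %r" % raw)
        values.append(int(s, 10))
    return values


def deltas(values):
    """First derivative, as vis.c computes it, but reduced into the signed
    range (-DISPLAY_SPACE/2, DISPLAY_SPACE/2] so a display that wraps from
    9999xxxx to 0000xxxx yields a small step instead of a -100M spike.
    (vis.c itself uses the plain difference; this goes one step beyond it.)"""
    out = []
    for prev, cur in zip(values, values[1:]):
        d = (cur - prev) % DISPLAY_SPACE
        if d > DISPLAY_SPACE // 2:
            d -= DISPLAY_SPACE
        out.append(d)
    return out


def autocorrelation(series, lag):
    """Normalised autocorrelation at `lag`: 1.0 means the series repeats
    exactly every `lag` steps, values near 0 mean no linear relation."""
    n = len(series)
    if not 1 <= lag < n:
        raise ValueError("lag must be in 1..len(series)-1")
    mean = sum(series) / n
    var = sum((x - mean) ** 2 for x in series)
    if var == 0:
        return 0.0
    cov = sum((series[i] - mean) * (series[i + lag] - mean)
              for i in range(n - lag))
    return cov / var


def strongest_period(series, max_lag=20):
    """(lag, score) for the lag in 1..max_lag with the highest autocorrelation."""
    lags = range(1, min(max_lag, len(series) - 1) + 1)
    best = max(lags, key=lambda k: autocorrelation(series, k))
    return best, autocorrelation(series, best)


def looks_periodic(lines, threshold=0.5):
    """True if the deltas of the given samples carry a strong periodic
    component.  Note that an ideal (independent, uniform) stream has a
    lag-1 autocorrelation of its deltas near -0.5 by construction, so only
    a strong *positive* score is evidence of structure."""
    lag, score = strongest_period(deltas(parse_samples(lines)))
    return score >= threshold, lag, score


def simulate_token(n, seed, periodic):
    """Constructed sample stream (hypothetical, not from any real token).
    periodic=True mimics what the post describes: modest random positive
    increments with a large drop every tenth value.  periodic=False is the
    ideal case, independent uniform values."""
    rng = random.Random(seed)
    if not periodic:
        return ["%08d" % rng.randrange(DISPLAY_SPACE) for _ in range(n)]
    out, v = [], rng.randrange(DISPLAY_SPACE)
    for i in range(n):
        if i % 10 == 9:
            v = (v - 9_000_000) % DISPLAY_SPACE          # the large decrement
        else:
            v = (v + rng.randrange(200_000, 1_700_000)) % DISPLAY_SPACE
        out.append("%08d" % v)
    return out


if __name__ == "__main__":
    for label, periodic in (("constructed periodic stream", True),
                            ("constructed uniform stream", False)):
        flagged, lag, score = looks_periodic(simulate_token(200, 1, periodic))
        print("%s: periodic=%s lag=%d score=%.2f" % (label, flagged, lag, score))
```

Feed it the same one-value-per-line file vis.c reads (`python3 otpcheck.py < DATA.in` after adding a read from stdin, or call `looks_periodic()` directly). A score close to 1 at some lag means the deltas repeat with that period; with the constructed periodic stream the strongest lag is 10, matching the cycle described in the post, while the uniform stream never gets above the noise floor.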
Consequences?
It makes us think that it's quite easy to predict, at least in the short
term. It means an attacker, by intercepting a short sequence of one-time
passwords, can easily (at least with reasonable probability) predict the
next password, and enter it to obtain access to protected systems.
Predictability of passwords is definitely against the idea of such tokens.
Of course, very often the ability to sniff a password means the ability to
intercept the session, but by making such an assumption in order to
justify predictable output, we have to ask if we need such tokens at all,
instead of static passwords? ;)
Even basing on our rough estimations and basic analysis, we were able to
guess the next number with about a 35% chance within 100 attempts -
while, if the returned values were meant to be indeterministic, this
chance should be equal to 0.00001%. I guess in-depth analysis might
expose more details about the ActivCard algorithm - or prove we've made
a mistake.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
--453665793-1870952434-966513560=:6137
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="DATA.in"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0008171359200.6137@nimue.tpi.pl>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="DATA.in"
--453665793-1870952434-966513560=:6137
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="vis.c"
Content-Transfer-Encoding: 7BIT
Content-ID: <Pine.LNX.4.21.0008171359201.6137@nimue.tpi.pl>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="vis.c"
// gcc -lvga -lm vis.c -o vis
// (C) 2000 Michal Zalewski <lcamtuf@tpi.pl>

// ./vis <DATA.in   (one 8-digit token value per line)

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <vga.h>
#include <math.h>

#define MAXSAMPLES 1000   /* was a fixed 100 with no bounds check */

int dupa[MAXSAMPLES];     /* collected token values, later their deltas */
int cnt,i;
double lx,ly;

int ZOOM=100000000;       /* vertical range: the full 8-digit display space */
char buf[1000];
int SCALE;

int main(int argc,char* argv[]) {
  if (argc==2) ZOOM=atoi(argv[1]);

  /* read the samples; strtol() in base 10 copes with the leading zeros */
  while (cnt<MAXSAMPLES && fgets(buf,sizeof(buf),stdin)) {
    dupa[cnt++]=(int)strtol(buf,NULL,10);
  }
  if (!cnt) { fprintf(stderr,"no samples read\n"); return 1; }

  SCALE=640/cnt;
  if (!SCALE) SCALE=1;

  vga_init();
  vga_setmode(G640x480x16);
  vga_clear();

  /* X axis */
  vga_setcolor(13);
  vga_drawline(0,240,640,240);

  /* dark blue: one vertical line per measurement point */
  vga_setcolor(1);
  for (i=0;i<cnt*SCALE;i+=SCALE) vga_drawline(i,0,i,480);

  /* white: the raw values */
  vga_setcolor(15);
  for (i=0;i<cnt;i++) {
    if (i) vga_drawline(lx,ly,SCALE*i,240-(int)(((double)dupa[i])*240.0/ZOOM));
    lx=SCALE*i;
    ly=240-(int)(((double)dupa[i])*240.0/ZOOM);
  }

  /* first derivative: delta between each value and the previous one
     (walk downwards so the previous raw value is still intact) */
  for (i=cnt-1;i>0;--i) dupa[i]=dupa[i]-dupa[i-1];
  dupa[0]=0;   /* the first sample has no predecessor */

  /* green: the deltas */
  vga_setcolor(10);
  for (i=0;i<cnt;i++) {
    if (i) vga_drawline(lx,ly,SCALE*i,240-(int)(((double)dupa[i])*240.0/ZOOM));
    lx=SCALE*i;
    ly=240-(int)(((double)dupa[i])*240.0/ZOOM);
  }

  sleep(1000);
  vga_setmode(TEXT);
  return 0;
}
--453665793-1870952434-966513560=:6137--