[17238] in bugtraq
Re: NSFOCUS SA2000-05: Microsoft Windows 9x NETBIOS password
daemon@ATHENA.MIT.EDU (Guenther H. Leber)
Tue Oct 17 00:22:18 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <20001017003756.C2646@sothis.heaven.gams.at>
Date: Tue, 17 Oct 2000 00:37:56 +0200
Reply-To: "Guenther H. Leber" <gleber@GAMS.AT>
From: "Guenther H. Leber" <gleber@GAMS.AT>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200010120331.LAA21325@intra.nsfocus.com>
On Thu, Oct 12, 2000 at 11:25:24AM +0800, Nsfocus Security Team wrote:
[...]
> server. That is, if a client sets the length of the password to one byte and sends
> the packet with the plaintext password to the server, the server will only compare it
> with the first byte of the shared password (plaintext), and if consistent, the
> verification process is done. All an attacker needs to do is to guess and try the
> first byte of the password on the victim.
[...]
This flaw can also easily be used to recover the entire password. When
the first character is found, disconnect the share and proceed with the next
character(s), by providing a password with the known character(s) fixed and
varying the last one (with an appropriate length parameter). Apply this
until character '\0' matches, then you have the entire password.
And this will give you the password with at most 256*16 (=4096) tries
(assuming the maximum length of the password is 16 characters and there are
256 valid characters) instead of 256^16.
-Günther
--
GünthER H. Leber @ home PGP KeyID: 1024/68279259
PGP Public Key: https://www.luga.at/pgppubkeys/68279259.asc
PGP Fingerprint: 4B 12 AD B5 4E ED AB 56 F7 3F B2 02 25 FD 95 98
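As an added illustration (not part of Günther's message or the NSFOCUS advisory), a Python model of a server check that trusts the client-supplied length, beside a corrected check that ignores it, showing that the byte-at-a-time recovery described above succeeds against the flawed check within the stated bound and yields nothing against the fix. The 16-character maximum comes from the post; the sample password and the `_pad` buffer model are constructed assumptions.

```python
import hmac

MAX_LEN = 16  # maximum share password length assumed in the post


def _pad(pw: bytes) -> bytes:
    """Model the server-side buffer: password followed by NUL padding (constructed model)."""
    return pw.ljust(MAX_LEN + 1, b"\x00")


def vulnerable_check(stored: bytes, supplied: bytes, length: int) -> bool:
    """Flawed check: compares only as many bytes as the client claims to have sent."""
    return _pad(stored)[:length] == _pad(supplied)[:length]


def fixed_check(stored: bytes, supplied: bytes, length: int) -> bool:
    """Corrected check: the client-supplied length is ignored and the whole
    fixed-size buffers are compared in constant time."""
    return hmac.compare_digest(_pad(stored), _pad(supplied))


def recover(check, stored: bytes):
    """Byte-at-a-time recovery from the post, run against an in-memory check.
    Returns (password, tries) on success or (None, tries) when no byte matches,
    which is what happens once the check no longer honours the length field."""
    prefix = b""
    tries = 0
    for _ in range(MAX_LEN + 1):          # one extra round for the '\0' terminator
        for b in range(256):
            tries += 1
            guess = prefix + bytes([b])
            if check(stored, guess, len(guess)):
                if b == 0:                # terminator matched: password complete
                    return prefix, tries
                prefix += bytes([b])
                break
        else:
            return None, tries            # no byte accepted: the oracle is gone
    return None, tries


if __name__ == "__main__":
    secret = b"s3cret"                    # constructed sample password
    print("flawed check :", recover(vulnerable_check, secret))
    print("fixed check  :", recover(fixed_check, secret))
```

Against the flawed check the recovery needs at most 256 probes per character plus the terminator round, matching the post's 256*16 estimate rather than 256^16; against the fixed check the first 256 probes all fail and the loop stops.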