[NEWS] Weak Password Storage in Demarc (Commercial Snort Front-end)
From: support@securiteam.com
Date: 03/02/02
From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 2 Mar 2002 19:03:14 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Weak Password Storage in Demarc (Commercial Snort Front-end)
------------------------------------------------------------------------
SUMMARY
<http://www.demarc.com> Demarc, the commercial front-end for Snort,
authenticates users to the front-end via a MySQL database. A security
vulnerability in the product makes it easier for attackers to brute-force
the password used by the program.
DETAILS
A lack of understanding of DES encryption functions (in this case the Perl
'crypt' function) has reduced the password (which is supposed to use the
single-DES algorithm) to a weak, effectively 42-bit password. The first
two characters of the password are visible in clear text, which makes the
password easier to guess and reduces the effort required for a
brute-force attack.
The encrypted password can be viewed by anyone who has read access to the
'snort' database on the machine used to store the Demarc information.
These passwords are stored in the 'dm_sessions' table.
The problem is that the 'salt' required for DES encryption is not used.
Instead, the UNENCRYPTED password is passed as the salt. The upshot of
this is that the first two characters of the password are stored
unencrypted, in the password field (which is meant to contain the salt).
This reduces the DES key length from 8 characters * 7 bits = 56 bits, down
to 6 characters * 7 bits = 42 bits. The valuable 'salt' functionality is
also thrown away.
Example:
Default install of Demarc has
admin user: admin
admin password: my_DEMARC
mysql> use snort
Database changed
mysql> select username, password from dm_sessions where username = 'admin';
+----------+---------------+
| username | password      |
+----------+---------------+
| admin    | myTaxdrg53/9A |
+----------+---------------+
1 row in set (0.00 sec)
You can see the first two characters of the password ('my_DEMARC' -> 'my')
stored in the password field.
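The salt misuse described above, next to a call that passes a random salt, as an added Perl example (not Demarc source code and not part of the original advisory). The sub names are hypothetical, and the script assumes a platform whose crypt() still supports traditional DES and provides /dev/urandom.

```perl
#!/usr/bin/perl
# Added example, not Demarc source code. Sub names are hypothetical.
use strict;
use warnings;

my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');    # 64 symbols

# crypt() wrapper; some platforms return undef when DES crypt is unavailable.
sub des_crypt {
    my ($password, $salt) = @_;
    my $hash = crypt($password, $salt);
    die "DES crypt() is not available on this platform\n"
        unless defined $hash && length($hash) == 13;
    return $hash;
}

# The flaw as described: the plaintext is passed as the salt, so crypt()
# copies the first two password characters to the front of its output.
sub hash_flawed { my ($password) = @_; return des_crypt($password, $password) }

# Corrected call: two salt characters drawn independently of the password.
sub hash_salted {
    my ($password) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!\n";
    read($fh, my $bytes, 2) == 2 or die "short read from /dev/urandom\n";
    close($fh);
    my $salt = join '', map { $SALT_CHARS[$_ % 64] } unpack('C2', $bytes);
    return des_crypt($password, $salt);
}

# Login check: the stored value supplies the salt, never the candidate.
sub verify { my ($candidate, $stored) = @_; return des_crypt($candidate, $stored) eq $stored }

# Audit check to run at a successful login: true when the stored value starts
# with the first two password characters, i.e. the row should be re-hashed.
# A random salt matches by chance about once in 4096 passwords.
sub leaks_prefix {
    my ($password, $stored) = @_;
    return substr($stored, 0, 2) eq substr($password, 0, 2);
}

my $password = 'my_DEMARC';    # default admin password quoted in the advisory
for my $stored (hash_flawed($password), hash_salted($password)) {
    printf "%-13s verifies=%s leaks_prefix=%s\n", $stored,
        verify($password, $stored)       ? 'yes' : 'no',
        leaks_prefix($password, $stored) ? 'yes' : 'no';
}
```

Both stored values verify the same way, so rows flagged by the audit check can be re-hashed with a random salt at the next successful login without changing the verification code.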
ADDITIONAL INFORMATION
The information has been provided by <mailto:demarcprobs@hotmail.com>
demarc probs.