[NT] Multiple Issues in Nettelephone Dialer

From: support@securiteam.com
Date: 01/08/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 8 Jan 2003 11:22:07 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Issues in Nettelephone Dialer
    ------------------------------------------------------------------------

    SUMMARY

    Nettelephone <http://www.Nettelephone.com> is a PC to Phone service
    provider. The program suffers from a few security problems/design errors
    which should be resolved to make the service more secure.

    DETAILS

    1. Weak Encryption for Account Information:
    The dialer (Executable tested- Netfone.exe Version 3.5.6) stores the
    account number and PIN, besides other account info, in the registry under
    the key HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\settings
    and the values are "account" (a string value of length 12) and "pin" (a
    string value of length 6). The account number is stored in plaintext
    whereas the PIN is stored in encrypted form. However the encryption is
    very weak and can be easily broken.

    The encryption used is a replacement (substitution) cipher: each valid
    digit from 0-9 is replaced by a fixed two-character code, and the code
    used depends on the decimal place the digit occupies in the PIN.
    Enumerating all of these codes enables a malicious attacker to steal a
    valid user's account information and use it to abuse the account.

    Demonstration:
    The table below gives the cipher codes used:
    Digit |  1   2   3   4   5   6
    ------+------------------------
     (0)  | 75  76  79  7E  65  6E
     (1)  | 74  77  78  7F  64  6F
     (2)  | 77  74  7B  7C  67  6C
     (3)  | 76  75  7A  7D  66  6D
     (4)  | 71  72  7D  7A  61  6A
     (5)  | 70  73  7C  7B  60  6B
     (6)  | 73  70  7F  78  63  68
     (7)  | 72  71  7E  79  62  69
     (8)  | 7D  7E  71  76  6D  66
     (9)  | 7C  7F  70  77  6C  67

    The columns indicate the decimal places and the rows indicate the digits.
    Suppose the encrypted "pin" value in the registry is "70727A7C656B". We
    first separate the characters into six groups of two, which gives
    "70" "72" "7A" "7C" "65" "6B". Looking each group up in the table gives
    the original unencrypted value of the PIN. For instance, the code in the
    first place is "70". To find its original value, we look for "70" in the
    first column and see that it is in the row for digit (5). Therefore, the
    decrypted digit in the first place is "5". Continuing in this way, we get
    the decrypted PIN as "543205".
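
    The table lookup above as runnable code (an added example, not part of
    the original advisory). It also checks an observation the advisory does
    not make: every column of the table equals the ASCII digit XORed with one
    constant byte, which is why the scheme falls so quickly. Function names
    are illustrative.

```python
# Cipher table transcribed from the advisory: row = plaintext digit,
# column = position (1-6) of that digit within the PIN.
TABLE = {
    "0": "75 76 79 7E 65 6E",
    "1": "74 77 78 7F 64 6F",
    "2": "77 74 7B 7C 67 6C",
    "3": "76 75 7A 7D 66 6D",
    "4": "71 72 7D 7A 61 6A",
    "5": "70 73 7C 7B 60 6B",
    "6": "73 70 7F 78 63 68",
    "7": "72 71 7E 79 62 69",
    "8": "7D 7E 71 76 6D 66",
    "9": "7C 7F 70 77 6C 67",
}
CODES = {d: [int(h, 16) for h in row.split()] for d, row in TABLE.items()}


def decode_with_table(stored):
    """Reverse the substitution exactly as the advisory's walk-through does."""
    pairs = [int(stored[i:i + 2], 16) for i in range(0, len(stored), 2)]
    out = []
    for pos, code in enumerate(pairs):
        matches = [d for d, row in CODES.items() if row[pos] == code]
        if len(matches) != 1:
            raise ValueError(f"no unique digit for {code:02X} at place {pos + 1}")
        out.append(matches[0])
    return "".join(out)


def per_position_keys():
    """XOR every code in a column with its ASCII digit.

    One constant per column means the "cipher" is nothing more than the
    ASCII PIN XORed with a fixed six-byte key.
    """
    keys = []
    for pos in range(6):
        candidates = {CODES[d][pos] ^ ord(d) for d in CODES}
        if len(candidates) != 1:
            raise ValueError(f"column {pos + 1} is not a single-byte XOR")
        keys.append(candidates.pop())
    return keys


if __name__ == "__main__":
    print(decode_with_table("70727A7C656B"))  # sample value from the advisory
    print(" ".join(f"{k:02X}" for k in per_position_keys()))
```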

    Solution:
    Obfuscating the PIN, like it is being done here, is probably the only
    practical solution for small software like this one but steps should be
    taken to make it harder to crack. An obfuscation algorithm which gets
    cracked in 5-10 minutes is just not enough.

    2. Demo Call Duration:
    The dialer (Executable tested - Netelph.exe Version 3.2.5) offers demo
    calls to three 1-800 numbers. Each of these calls lasts 45 seconds and is
    disconnected automatically once this time is up. The demo call settings
    are stored in the registry key
    HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\One\democall.
    The duration of the demo call is decided by the DWORD value "demoduration"
    that is stored under the above key.

    It is possible to extend the duration of this call by increasing this
    value arbitrarily. The demo calls are mostly disconnected while the user
    is still in the voice menu stage and before anyone answers the call. When
    the duration of the demo is increased, the stage where somebody picks up
    the phone on the other end is reached and this may potentially cause an
    annoyance.

    This is not a security issue per se but rather a design error which can
    cause potential annoyance to the call center personnel. Obviously, this
    behavior of the dialer is not intended.

    ADDITIONAL INFORMATION

    The information has been provided by S G Masood
    <mailto:sgmasood@yahoo.com>.
