[NEWS] RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities
From: support@securiteam.com
Date: 02/11/03
From: support@securiteam.com To: list@securiteam.com Date: 11 Feb 2003 15:38:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.cryptobuddy.com> CryptoBuddy(TM) is an easy-to-use encryption
program that allows individuals and corporations to effectively protect
and encrypt their files and data. As the Internet increasingly becomes an
unsafe medium for transporting confidential information, CryptoBuddy
enables you to take any file and quickly encrypt and compress it.
The software has multiple vulnerabilities related to the implementation of
its passphrase and general encryption techniques. The easiest to exploit
is through use of a symmetric key injection attack. An attacker can use
the software to encrypt a dummy file with a passphrase of his or her
choosing. The resulting secret key can then be inserted into any other
file that has been encrypted with the software. The resulting file may
then be decrypted using the software and the attacker's previously
selected passphrase. Details of this and other vulnerabilities can be
found at the end of this advisory.
DETAILS
Vulnerable systems:
* CryptoBuddy version 1.2 and earlier
Advisory Detail:
The software is intended to "effectively protect and encrypt" files. As
such, it DOES encrypt files. The EFFECTIVENESS of the method used is key
to this advisory. Since this product's primary purpose is to be used as a
data encryption system, it is imperative that users of the software are
fully aware of limitations in its effectiveness at protecting their data.
1) Predictable File Schema; Secret key stored, not used to encrypt data
Threat: Unknown secret key can be replaced with known secret key
Exposure: Attacker can decrypt any encrypted file created by any user of
this program
Attack: "Symmetric key injection" (see Note below).
Tools: Hex editor, CryptoBuddy; exploit could be easily scripted
Severity: High
Description: The passphrase provided by the user is simply encrypted and
stored alongside the resulting ciphertext; it is not actually used to
encrypt the plaintext. It is stored in a predictable location (a
fixed-length, reserved block) in the resulting ciphertext file, at hex
offsets 120 through 15A. Because the key plays no part in encrypting the
plaintext, an attacker can encrypt an empty file with a passphrase of his
or her choosing, copy block 120:15A from the resulting encrypted file, and
write it over the same block in ANY target file. The target file can then
be decrypted with the attacker's passphrase using the CryptoBuddy
software itself. The payload ciphertext always follows the passphrase
block, starting at offset 15C, after a spacer byte (0x00) at offset 15B.
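The property this item describes, a passphrase block that can be lifted from one file into another, can be turned into a test that a container format must pass. The model below is an added example, not CryptoBuddy's code: it uses the advisory's offsets (key block 0x120..0x15A, spacer 0x00 at 0x15B, payload from 0x15C) but the stand-in derivation (PBKDF2), the use of the leading area for salt and tag in the hardened variant, and the omission of the payload cipher (which, per the advisory, does not depend on the passphrase) are assumptions of this example.

```python
import hashlib
import hmac
import os

# Offsets from the advisory: key block 0x120..0x15A, spacer 0x00 at 0x15B, payload from 0x15C.
KEY_BLOCK = slice(0x120, 0x15B)
SPACER, PAYLOAD = 0x15B, 0x15C
KEY_BLOCK_LEN = 0x15B - 0x120  # 59 bytes


def derive(passphrase: bytes, salt: bytes, length: int = KEY_BLOCK_LEN) -> bytes:
    # Stand-in transform (assumption): the product's real passphrase encryption is not on the page.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, length)


def weak_pack(passphrase: bytes, payload: bytes) -> bytes:
    """Flawed layout: the stored block depends only on the passphrase; the payload is independent of it."""
    return bytes(0x120) + derive(passphrase, b"") + b"\x00" + payload


def weak_unpack(container: bytes, passphrase: bytes):
    """Passes whenever the block matches the passphrase, no matter which file the block came from."""
    if container[SPACER] != 0 or not hmac.compare_digest(container[KEY_BLOCK], derive(passphrase, b"")):
        return None
    return container[PAYLOAD:]


def bound_pack(passphrase: bytes, payload: bytes) -> bytes:
    """Hardened layout: per-file salt, key derived from passphrase+salt, tag binds that key to the payload."""
    salt = os.urandom(16)
    tag = hmac.new(derive(passphrase, salt), salt + payload, "sha256").digest()
    return (salt + tag).ljust(PAYLOAD, b"\x00") + payload  # nothing passphrase-derived is stored


def bound_unpack(container: bytes, passphrase: bytes):
    salt, tag = container[:16], container[16:48]
    expected = hmac.new(derive(passphrase, salt), salt + container[PAYLOAD:], "sha256").digest()
    return container[PAYLOAD:] if hmac.compare_digest(tag, expected) else None


def resists_header_swap(pack, unpack, payload: bytes = b"constructed sample payload") -> bool:
    """Property test: a header from a file made with a known passphrase must not unlock another file's payload."""
    target = pack(b"owner passphrase (unknown to the tester)", payload)
    donor = pack(b"known passphrase", b"")
    swapped = donor[:PAYLOAD] + target[PAYLOAD:]  # transplant everything before the payload
    return unpack(swapped, b"known passphrase") != payload


if __name__ == "__main__":
    print("weak layout resists swap:", resists_header_swap(weak_pack, weak_unpack))    # False
    print("bound layout resists swap:", resists_header_swap(bound_pack, bound_unpack))  # True
```

The hardened variant passes only because the tag is computed under a key that exists nowhere in the file and covers the payload itself; storing the derived key, as the weak layout does, would defeat the check regardless of the KDF used.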
2) Encrypted passphrase has some predictability: weakly encrypted, not
hashed, and unseeded/unsalted
Attack:
1) Dictionary attack via predictable keys
2) Segmented brute forcing (like the LANMAN attacks)
Severity: High
Description: Obviously, these attacks are not the preferred method, since
Item #1 is so easy to employ. Note: the reporter (Michael Whitehead) did
not analyze the encryption algorithm (no debugging or reverse
engineering); however, since the software derives a predictable, known key
for each passphrase, a dictionary of keys could easily be built.
Additionally, there appears to be a weakness in the passphrase algorithm,
in that the passphrase is broken into 4-byte segments; thus making
dictionary and brute force attacks substantially easier (by decreasing the
work factor).
Some examples:
[Plaintext Passphrase (ASCII)]   -> [Ciphertext Key (hex, 8-byte blocks)]
-----------------------------------------------------------------------
1234                             -> 44F9FA2A174A3F8E 2A7D2C59DA0D6A3B
                                    ++++++++++++++++ ****************
12345                            -> 44F9FA2A174A3F8E 2437EE3219DED143
                                    ++++++++++++++++
5678                             -> 743575164122BA96 2A7D2C59DA0D6A3B
                                                     ****************
Analysis: + = the first 4 bytes of the passphrase are processed as a
              separate segment, not hashed together with the entire
              passphrase;
          * = predictability related to passphrase length
----------------------------------------------------------------------
12345678                         -> 44F9FA2A174A3F8E 6CB1A73BD2C69BA8
1234567812345678                 -> 44F9FA2A174A3F8E E75E0CE089B45E02 6CB1A73BD2C69BA8
123456781234567812345678         -> 44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 6CB1A73BD2C69BA8
12345678123456781234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 E75E0CE089B45E02 6CB1A73BD2C69BA8
Analysis: larger keys are highly repetitive and predictable
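The analysis above (shared first block, length-dependent second block, repeated blocks in long keys) and the segmentation weakness described under this item can be checked mechanically from the table. The script below is an added example, not part of the advisory: it embeds the advisory's own passphrase/key pairs, reports blocks shared across passphrases and repeated within a key, and runs the same check on a salted, iterated KDF (PBKDF2, chosen here as an assumption of what a corrected product might use) to show the contrast; the work-factor function expresses the LANMAN-style reduction as an upper bound.

```python
import hashlib
from collections import Counter

# Passphrase -> key pairs copied from the advisory's table; each key is a run of 8-byte (16 hex char) blocks.
OBSERVED = {
    "1234": "44F9FA2A174A3F8E2A7D2C59DA0D6A3B",
    "12345": "44F9FA2A174A3F8E2437EE3219DED143",
    "5678": "743575164122BA962A7D2C59DA0D6A3B",
    "12345678": "44F9FA2A174A3F8E6CB1A73BD2C69BA8",
    "1234567812345678": "44F9FA2A174A3F8EE75E0CE089B45E026CB1A73BD2C69BA8",
    "123456781234567812345678": "44F9FA2A174A3F8EE75E0CE089B45E02E75E0CE089B45E026CB1A73BD2C69BA8",
}
BLOCK_HEX = 16


def blocks(key_hex: str) -> list:
    return [key_hex[i:i + BLOCK_HEX] for i in range(0, len(key_hex), BLOCK_HEX)]


def shared_blocks(table: dict) -> dict:
    """Blocks that recur in the keys of two or more different passphrases (the advisory's '+' and '*' marks)."""
    owners = {}
    for pw, key in table.items():
        for b in set(blocks(key)):
            owners.setdefault(b, set()).add(pw)
    return {b: sorted(pws) for b, pws in owners.items() if len(pws) > 1}


def repeated_blocks(table: dict) -> dict:
    """Blocks that occur more than once inside a single key (the repetitive structure of long passphrases)."""
    out = {}
    for pw, key in table.items():
        dup = [b for b, n in Counter(blocks(key)).items() if n > 1]
        if dup:
            out[pw] = dup
    return out


def salted_kdf_table(passphrases, salt: bytes = b"constructed-per-file-salt") -> dict:
    """Same passphrases through a salted, iterated KDF (assumption: what a corrected product would use)."""
    return {pw: hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000, 32).hex().upper()
            for pw in passphrases}


def segmented_work_factor(length: int, alphabet: int, segment: int) -> tuple:
    """Guesses for a whole-passphrase search vs. an upper bound when each segment can be attacked alone."""
    whole = alphabet ** length
    segments = -(-length // segment)  # ceiling division
    return whole, segments * alphabet ** segment
```

With the advisory's data, `shared_blocks` flags four blocks (the first block alone is common to five passphrases) and `repeated_blocks` flags the 24-character key; the PBKDF2 table produces no findings for either check.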
3) Passphrase key is truncated after the 55th byte of the passphrase
Threat: Long passwords (>55 bytes) provide no more entropy (strength) than
the first 53 bytes (see Item 4, for explanation of why this isn't the
"first 55 bytes")
Severity: Medium
Note: Items 3 and 4 are listed as "medium severity" ONLY because users are
less likely to use passphrases longer than 53 bytes.
Description: A passphrase of >55 bytes is truncated, prior to being
encrypted and stored as the key. This weakens the perceived strength of
passphrases longer than 55 bytes. Additionally, this indicates that the
passphrase is not hashed (or not well hashed).
4) Bytes 53 through 55 of a 55-byte or longer passphrase are stored in
plaintext
Threat: Exposure of elements of the passphrase
Severity: Medium
Description: Self-explanatory
Solution:
There is no recommended solution at this time. The vendor was very
responsive to this advisory and provided additional information that
helped to develop it further. The vendor has indicated that the issues
identified in this advisory will be mitigated in the next version of the
software.
ADDITIONAL INFORMATION
The information has been provided by <mailto:mwcissp@yahoo.com> Michael
Whitehead, CISSP.