Addendum to my previous letter:
Note that this design (master key encrypted with header key) is common
and has been used for many years by many products (for example,
Scramdisk, E4M, etc.)
The main advantage of the design is that the user can change his
password within a few seconds without having to re-encrypt the entire
volume (which could take even days or weeks).
In case of TrueCrypt, this also allows administrators in large
corporations to "reset" passwords when a user forgets his password.
This is described in the manual and in the FAQ:
Quote from the TrueCrypt FAQ:
"Q: We use TrueCrypt in a corporate environment. Is there a way for an
administrator to reset a volume password when a user forgets it (or
when he or she loses the keyfile)?
A: There is no ?back door? implemented in TrueCrypt. However, there is
a way to ?reset? a TrueCrypt volume password/keyfile. After you create
a volume, backup its header (select Tools -> Backup Volume Header)
before you allow a non-admin user to use the volume. Note that the
volume header (which is encrypted with a header key derived from a
password/keyfile) contains the master key with which the volume is
encrypted. Then ask the user to choose a password, and set it for
him/her (Volumes -> Change Volume Password); or generate a user keyfile
for him/her. Then you can allow the user to use the volume and to
change the password/keyfiles without your assistance/permission. In
case he/she forgets his/her password or loses his/her keyfile, you
can ?reset? the volume password/keyfiles to your original admin
password/keyfiles by restoring the volume header (Tools -> Restore
In conclusion, this is not a "security bug", but design/feature. Also,
to exploit the design, the adversary would have to know your password
first (or have your keyfiles). That means, for example, that he would
capture it using a keystroke logger. If that was the case, then all
security would be practically lost on that machine.
SDA , PGP
Are you aware of this issue?
From: thesinoda@xxxxxxxxxxx [mailto:thesinoda@xxxxxxxxxxx]
Sent: Thursday, May 25, 2006 3:56 AM
Subject: A Nasty Security Bug that affect PGP Virtual Disks & PGP
8.x & 9.x and Truecrypt.8.x & 9.x
A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP
and Truecrypt.with a
* PGP 8.x PGP 9.x maybe older version too
* Truecrypt 4.2 maybe older version too
// Full detail can be found here //
If you would like to watch the flash video check the following links.
<> pgpdiskvideo.html Tested on version 8.1 and the latest 9.02
<> truecrypt.html Tested on the latest version truecrypt-4.2.zip
Note If you put stuff inside your test file you need to use a
debugger to extract the data. If you just follow the video you
will see how it is done without a debugger and an empty file.
I Was able to ACCESS PGP encrypted disks if the disk was encrypted
passphrase or a public Key. This method will work on both scary huh :-)
You need the followings tools:
1. A Brain
2. A Hex Editor.
3. PGP 8.1 Entreprise or Personal. You can use 9.x too. My feeling
this method will work on older versions too, because it is a designflaw in
PGP application not in PGP algorithm.Extractable
4. A Debugger. Not needed if you wana backdoor pgp (olldbg)
During my tests I have found that PGP virtual DISK and PGP Self
file SDA have a SERIOUS security bug. I would rather say a design bug.time
PGP disk or SDA can be cracked in 3 major steps:
1. Editing PGP protected file using a hex editor. (Patching the
2. Tracing PGP protected file using a debugger. (You need a lot of
and coding/cracking experience)time is
3. Patching the responsible bytes.
I have spend only couples of days debugging but surely a lot more
needed. But once the process is understood it is question of findingthe
right bytes and patching them.tested
Conclusions for 6 days debugging and testing:
* PGP Virtual Disk and PGP and PGP SDA has a serious bug. I have
PGP 8.1 Entreprise. Other version many be vulnerable too.the
* PGP corporation made the same error in PGP 9.x you can bypass
passphrase Dialog box same way.the HASH
* PGP corporation could avoid this type of issue by calculation
for the encrypted file. They should make it harder to locate thepassphrase.
* PGP Virtual Disk First Level protection bypass. Passphrase
(Working 100%)more time
* PGP Virtual Disk Backdooring (Working 100%).
* PGP Virtual Disk Mounting / Adding Users / Deleting Users /
Re-Encrypting Disk (Working 100%).
* PGP Virtual Disk Mounting and Data Access (Working 40%. Need
* PGP SDA Passphrase bypass. (Working 100%)
* PGP SDA Extraction is possible IF the input file is the same
100% Patching using a Debugger)more
* PGP SDA Extraction is possible of any file (Working 80%. Need
time to debug)the
* OTHER AFFECT PRODUCTS:
o iOPUS Secure Email Attachments (SEA) V1.0
o Truecrypt Free open-source disk encryption software 4.2
* WINZIP was not affected. 1- In winzip you do not know where is
password location 2- If you change one bit your file wont workout
* I DO NOT HAVE more time to test, but I am sure many smart dudes
their would love to play some more.this bug.
* To do: Build an application to mount PGP Virtual disk using
* To do: Build an application to extract PGP SDA files using this
After spending 6 days on this I had decided to stop. But I will be
more testing when I have some free time. You are free to do your owntests.
If you wish to share your own test or finding with me please feelfree to
contact me at thesinoda@xxxxxxxxxxxcreated an
PGP SDA authentication method
Let's say you created a text file and wrote inside it "aa", then
IF you hex edit the output exe, you will notice at the very buttom of
file some bytes seperated by 803E.used
E7 93 A0 90 E9 62 D1 21
A1 50 AF 5F 6F 9E FE D6
Analysing the bytes carefully, you will notice that 803E is the value
for a loop. The loop starts at 0040590D. Further analysis showed thatthe
bytes right before 803E, are used for extraction and authentication.against
Authentication is done in the following way:
When some enters a passphrase a series of instructions is executed
the bytes right before 803E, to be exact in the function at addresscompared later
00404E8F. This function generates a series of bytes which are
on to the bytes AFTER 803E. If they match you are granted auth.memory
The auth. byte comarison is done in the following instruction:
00409797 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
Anyone can easily bypass this by modifying the values provided by the
addresses, to make them match.attack
Steps to access PGP Encrypted Disk (Passphrase) using a Backdoor type
* Create a PGP disk 100K (to make stuff simpler)
* Use a as username and 1 as passphrase for simplicity
* Call your file pgpdisk.pgd
* Now your disk will be created and mounted. Put a inside it
(secret.txt) then Unmount the disk (pgpdisk.pgd)
* Make a Back-up copy call it pgpdisk_backup.pgd (You need this
want to access back the disk)passphrase
* Now say you give that disk to someone and they changed the
on it. You can still access it if you follow these stepsyou see
* To put a new passphrase on your disk Right click pgpdisk.pgd
PGP select Edit PGPdiskpassphrase. Use
* You see a username, right click it and select change
WHATEVER PASSPHRASE YOU WANTwork.
* After changing the passphrase the OLD passphrase SHOULD NOT
* Open pgpdisk.pgd and pgpdisk_backup.pgd in HEX editor e.g
ONLY CHANGE WHERE YOU SEE A RED RECTANGULAR.it. It
* We start editing from the BOTTOM of the file at 80 3E.
* Do some copy and past from the back-up file into pgpdisk.pgd
* Follow the screen shots and replace indicated bits.
* After your done save the file pgpdisk.pgd and double click on
will ask for the passphrase. Type 1 yes your old passproducts.
* The disk will mount and you see the files in it.
// Full detail can be found here //
LESSON LEARNED, this advisory should be a wakeup call for other
Again as you see both commercial an OpenProject applications areaffected by
this. This should be more then enough to kill the Open<>close projectmyth
and concentrate on secure coding and GOOD AUDIT.
Author: Adonis a.K.a NtWaK0, Abed
C 2006 All rights reserved
- Prev by Date: [KAPDA::#44] - NewsCMSLite Login ByPass by Cookie
- Next by Date: RE: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.
- Previous by thread: [KAPDA::#44] - NewsCMSLite Login ByPass by Cookie
- Next by thread: TSLSA-2006-0030 - multi