NNT Change Tracker - Hard-Coded Encryption Key



Background
----------

NNT Change Tracker Enterprise is a commercial product created by
UK-based New Net Technologies, and is designed to detect changes to
PC, server and network device configurations. The central component
'Core Server' is sent change data from 'Remote Angels' that monitor
remote systems.

It is marketed as a security product.

Company homepage:
http://www.newnettechnologies.com


Versions affected
-----------------
This vulnerability has been noted on versions 4.7. It is suspected
that most previous versions are also affected.


Vulnerability
-------------
Encryption is used at various points by the components that make up
the NNT Change Tracker Enterprise suite, but the same hard-coded
encryption key is always used. The key is a byte array with values at
the following indices:

[0] = 21;
[1] = 23;
[2] = 2;
[3] = 3;
[4] = 8;
[5] = 54;
[6] = 5;
[7] = 55;
[8] = 4;
[9] = 222;
[10] = 54;
[11] = 254;
[12] = 7;
[13] = 2;
[14] = 32;
[15] = 22;

An attacker could use this vulnerability to prevent NNT Change Tracker
Enterprise from detecting certain changes, or by fabricating changes
that never took place.

Additionally, NNT Change Tracker Enterprise utilises an apparently
'home-brew', weak encryption algorithm as follows (implementation in
C#, where 'this.key' references the hard-coded key shown above):

public string Encrypt(string plaintext)
{
string ciphertext = String.Empty;
byte[] plainBytes = Encoding.ASCII.GetBytes(plaintext);
int num = 0;

for (int i = 0; i < bytes.Length; i++)
{
plainBytes[i] += this.key[num++];

if (num >= 16)
num = 0;

byte b = 15 & (int)plainBytes[i] >> 4;
ciphertext += (char)(65 + b);
b = (plainBytes[i] & 15);
ciphertext += (char)(65 + b);
}

return ciphertext;
}

public string Decrypt(string ciphertext)
{
if (ciphertext.Length < 4)
{
return String.Empty;
}

byte[] cipherbytes = Encoding.ASCII.GetBytes(ciphertext);
byte[] plainbytes = new byte[cipherbytes.Length / 2];
int num = 0;

for (int i = 0; i < cipherbytes.Length; i += 2)
{
byte b = cipherbytes[i] - 65;
b = (int)b << 4;
byte b2 = cipherbytes[i + 1] - 65;
b += b2;
b -= this.key[num++];

if (num >= 16)

num = 0;

plainbytes[i / 2] = b;
}

return new string(Encoding.ASCII.GetChars(plainbytes));
}

The key is hard-coded into .NET assembly NNT_CoreFuncs.dll


Response from Vendor
--------------------
None


Timeline
--------
2011-05-12: Reported to vendor
2011-05-20: Disclosed