lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5.1.0.14.2.20030526151400.04020850@mail.tht.net>
Date: Mon, 26 May 2003 15:17:35 -0400
From: flur <flur@...rnet.org>
To: bugtraq Security List <bugtraq@...urityfocus.com>
Subject: PalmVNC 1.40 Insecure Records


Flurnet Security
----------------

Application:    PalmVNC 1.40
Developer(s):   Harkan Software (http://www.harakan.btinternet.co.uk/PalmVNC/)
                 Vladimir Minenko (http://www.wind-networks.de/PalmVNC/)
Scope:          VNC passwords saved in plaintext with backup bit.
Tested on:      PalmVNC 1.40 (older versions probably vulnerable)

PalmVNC saves passwords in plaintext, relying on the fact that PalmOS is 
hard to navigate, and thus finding the corresponding records would be 
relatively difficult. This is not the case. VNC stores saved passwords in a 
database called:

PalmVNCDB with creator ID: PVNC/Data.

To make matters worse, this database is configured with the 'backup bit' 
and thus it is copied into the users directory on any PC that the palm 
synchronizes with (filename: PalmVNCDB.PDB).

The PalmVNCDB database contains record #0 (4bytes- nothing interesting) 
followed by records for each saved server profile. These profile records 
are typically 172 bytes long and contain VNC server ip or hostname, 
username and password in plaintext.

Suggested solutions:
  - Encrypt this database and code client support.
  - If it is critical that PalmVNC is used, it is not recommended that 
passwords be saved.
  - Unset the backup bit on PalmVNCDB
    (2 attribute bytes in the PDB header after 32 byte null terminated 
name. Unset 0x0008.)



____________________ __ _
~FluRDoInG                        flur@...rnet.org
                             http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ