lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070107182412.18476.qmail@securityfocus.com>
Date: 7 Jan 2007 18:24:12 -0000
From: thesinoda@...mail.com
To: bugtraq@...urityfocus.com
Subject: A Major design Bug in Camouflage 1.2.1 (latest)

A Major design Bug in Camouflage 1.2.1 (latest)

Direct Link: http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html

Disclaimer
==========
This material is presented for informational purposes ONLY. I do not condone or encourage vandalism or theft.

I do not accept any liability for anything anyone does with this information. So, don't shoot the messenger.
Remember: Use a computer in ways that ensure respect for your fellows.


Author
======
Adonis a.K.a. NtWaK0
Abed a.K.a. NoPh0BiA

 
Affected Product
================
Camouflage 1.2.1 (latest).
http://camouflage.unfiction.com/


Bug Type and Date
=================
Type: Very Bad Design
Date: 01/07/2007


Bug Results
===========
Cracking encrypted (Camouflage 1.2.1) files without any bruteforce.

WHY LOSING TIME ON MATH AND BRUTEFORCE WHEN YOU CAN PLAY WITH YOUR HEX EDITOR :-).


Bug Description
===============
Firstly, computer forensic investigators can take advantage of this bug to access file protected with (Camouflage 1.2.1) without the knowledge of the original password. Now it is time to check your cold cases for steganography files.

You can crack (Camouflage 1.2.1) encrypted files very easy, in fact in less than two minute. The problem is similar to the bug I found in PGP last year.


(Camouflage 1.2.1) leave a footprint after you stag a file.
If you look at the end of your stagged file you will notice the following:
http://homepage.mac.com/adonismac/Advisory/steg/camouf3.jpg
 
So now we have identified the stagged file our next step is to access the HIDDEN messages or files without cracking the password, here is how.


Proof-of-Concept (THIS WILL WORK HIDDEN FILES)
==============================================
For screen capture please check http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html

Step 01

   1. We use a file cover (carrier file) called "Adonis_Carrier_File1.jpg"
   2. We will hide inside it a file called "Adonis_Hidden_File1.txt"
   3. We will right click "Adonis_Hidden_File1.txt" and select camouflage
   4. We will use a password "aaaa"
   5. We generated the stagged file we will call it "Adonis_Camouflage_Stagged_File.jpg"

http://homepage.mac.com/adonismac/Advisory/steg/camouf1.jpg


Step02

NOTE: We will use different carrier and different input file to show you it will work even if you have different input and different carriers.

To access the hidden file WITHOUT the original password "aaaa" we will do the followings:

   1. We use a file cover (carrier file) called "Adonis_Carrier_File2.jpg"
   2. We will hide inside it a file called "Adonis_Hidden_File2.txt"
   3. We will right click "Adonis_Hidden_File2.txt" and select camouflage
   4. We will use a password "a"
   5. We generated the stagged file we will call it "Adonis_break_camouflage.jpg"
   6. We will open Both pictures in a hex editor
   7. We will replace as indicated in the screen capture below "Adonis_Camouflage_Stagged_File.jpg" with the one from "Adonis_break_camouflage.jpg"
   8. We will Save the file.
   9. We will right click "Adonis_Camouflage_Stagged_File.jpg" and select camouflage and use "a" as password. YES we overwrite the password with something we know.

Simple hein !!!


Now time to break camouflage.
=============================
We will open "Adonis_Camouflage_Stagged_File.jpg" and "Adonis_break_camouflage.jpg" in hex edit. We will start from the END of the file and try to locate 00 02 63 (like 10 lines from the end of the file).

Once we have located the values we start REPLACING from LEFT to right starting after 00 20 63 (63 is the first letter of the password a) (Do not replace 63 it is your password = a).

In this example I will replace the password aaaa with a. So I will replace F4 1B 43 with 20 20 20.

http://homepage.mac.com/adonismac/Advisory/steg/camouf2.jpg

To resume the password is saved starting from 00 00 20 00 (ANYTHING AFTER THIS POINT IS THE PASSWORD AND THIS CAN BE OVERWRITTEN AS YOU SEE)

 
Testing the results
===================
http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html
 

Peace to you all
 
 
Copyright © 2007 Adonis a.K.a NtWaK0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ