lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <F289C67D9898304C92D4D6A6E57A6C5B117364B0AE@exchange02.tor.rapid7.com>
Date: Mon, 2 Aug 2010 23:55:05 -0400
From: HD Moore <HD_Moore@...id7.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [R7-0035] VxWorks Authentication Library Weak Password Hashing

R7-0035: VxWorks Authentication Library Weak Password Hashing
August 2, 2010

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass the authentication
process for the Telnet and FTP services of the VxWorks operating system.
This flaw occurs due to an insecure password hashing implementation in
the authentication library (loginLib) of the VxWorks operating system.
Regardless of what password is set for a particular account, there are a
only small number (~210k) of possible hash outputs. Typical passwords
consisting of alphanumeric characters and symbols fall within an even
smaller range of hash outputs (~8k), making this trivial to brute force
over the network. To excaberate matters, loginLib has no support for
account lockouts and the FTP daemon does not disconnect clients that
consistently fail to authenticate. This reduces the brute force time for
the FTP service to approximately 30 minutes.

To demonstrate the hash weakness, the password of "insecure" hashes to
the value "Ry99dzRcy9". The password of "s{{{{{^O" also hashes to the
same output. The hashing algorithm itself is based on an additive sum
with a small XOR operation. The resulting sums are then transformed to a
printable string, but the range of possible intermediate values is
limited and mostly sequential. The entire collision table has been
precomputed and will be released in early September as an input file for
common brute force tools. More information about the hashing algorithm
itself is available at the Metasploit blog post below:

 http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

There are three requirements for this vulnerability to be exploited:

 * The device must be running at least one service that uses loginLib
for authentication. Telnet and FTP do so by default.

 * A valid username must be known to the attacker. This is usually easy
to determine through product manuals or a cursory review of the firmware
binaries.

 * The target service must be using with default loginLib library and
must not have changed the authentication function to point to a custom
backend.

A typical VxWorks device will meet all three requirements by default,
but customization by the device manufacturer may preclude this from
being exploited. In general, if the device displays a VxWorks banner for
Telnet or FTP, it is more than likely vulnerable.

-- Vendor Response:
Wind River Systems has notified their customers of the issue and
suggested that each downstream vendor replace the existing hash
implementation with SHA512 or SHA256. The exact extent of the
vulnerability and the complete list of affected devices is not known at
this time. Example code from Wind River Systems has been supplied to
CERT and is included in the advisory below:

 http://www.kb.cert.org/vuls/id/840249

-- Disclosure Timeline:
2009-06-02 - Vulnerability reported to CERT for vendor notification
2009-08-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by HD Moore

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

 http://www.rapid7.com/disclosure.jsp



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ