lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 23 May 2011 18:54:25 +0100
From: Dennis Brunnen <dennis.brunnen@...il.com>
To: bugtraq@...urityfocus.com
Subject: NNT Change Tracker - Hard-Coded Encryption Key

Background
----------

NNT Change Tracker Enterprise is a commercial product created by
UK-based New Net Technologies, and is designed to detect changes to
PC, server and network device configurations. The central component
'Core Server' is sent change data from 'Remote Angels' that monitor
remote systems.

It is marketed as a security product.

Company homepage:
http://www.newnettechnologies.com


Versions affected
-----------------
This vulnerability has been noted on versions 4.7. It is suspected
that most previous versions are also affected.


Vulnerability
-------------
Encryption is used at various points by the components that make up
the NNT Change Tracker Enterprise suite, but the same hard-coded
encryption key is always used. The key is a byte array with values at
the following indices:

[0] = 21;
[1] = 23;
[2] = 2;
[3] = 3;
[4] = 8;
[5] = 54;
[6] = 5;
[7] = 55;
[8] = 4;
[9] = 222;
[10] = 54;
[11] = 254;
[12] = 7;
[13] = 2;
[14] = 32;
[15] = 22;

An attacker could use this vulnerability to prevent NNT Change Tracker
Enterprise from detecting certain changes, or by fabricating changes
that never took place.

Additionally, NNT Change Tracker Enterprise utilises an apparently
'home-brew', weak encryption algorithm as follows (implementation in
C#, where 'this.key' references the hard-coded key shown above):

public string Encrypt(string plaintext)
{
	string ciphertext = String.Empty;
	byte[] plainBytes = Encoding.ASCII.GetBytes(plaintext);
	int num = 0;
	
	for (int i = 0; i < bytes.Length; i++)
	{
		plainBytes[i] += this.key[num++];

		if (num >= 16)
			num = 0;

		byte b = 15 & (int)plainBytes[i] >> 4;
		ciphertext += (char)(65 + b);
		b = (plainBytes[i] & 15);
		ciphertext += (char)(65 + b);
	}
	
	return ciphertext;
}

public string Decrypt(string ciphertext)
{
	if (ciphertext.Length < 4)
	{
		return String.Empty;
	}
	
	byte[] cipherbytes = Encoding.ASCII.GetBytes(ciphertext);
	byte[] plainbytes = new byte[cipherbytes.Length / 2];
	int num = 0;
	
	for (int i = 0; i < cipherbytes.Length; i += 2)
	{
		byte b = cipherbytes[i] - 65;
		b = (int)b << 4;
		byte b2 = cipherbytes[i + 1] - 65;
		b += b2;
		b -= this.key[num++];
		
		if (num >= 16)

			num = 0;

		plainbytes[i / 2] = b;
	}
	
	return new string(Encoding.ASCII.GetChars(plainbytes));
}

The key is hard-coded into .NET assembly NNT_CoreFuncs.dll


Response from Vendor
--------------------
None


Timeline
--------
2011-05-12: Reported to vendor
2011-05-20: Disclosed

Powered by blists - more mailing lists