Date: Thu, 4 Feb 2010 16:58:17 +0100
From: Michael Rossberg <michael.rossberg@...ilmenau.de>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Multiple Security Issues in Wippien

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                               Security Advisory

      Advisory: Multiple Security Issues in Wippien
  Release Date: February 4th, 2010
  Last Updated: February 4th, 2010
        Author: Michael Rossberg [michael dot rossberg at tu-ilmenau dot de]
   Application: Wippien (for Windows and Linux)
                MiniVPN
      Severity: Flawed key negotiation protocol allows for easy
                man-in-the-middle attacks
                Predictable key materials
          Risk: Critical
Vendor Status: Contacted
    References: http://wcms1.rz.tu-ilmenau.de/fakia/fileadmin/template/startIA/telematik/Mitarbeiter/rossberg/wippien-advisory.txt


SUMMARY

Wippien is software that can automatically establish a VPN between Jabber
contacts. To derive a session key for its encryption routines, Wippien uses a
cryptographic key exchange, which is in the open source part of the software.
When we analyzed some of its components, it emerged that the RSA fingerprints
are not validated and the freshness of the exchange is not assured. Either
issue alone allows simple man-in-the-middle attacks.

The Windows version of Wippien and MiniVPN use an insecure random number
generator to derive key material.

The Linux version of Wippien does not initialize keying material. This results
in uninitialized memory being used to derive the symmetric encryption key.

AFFECTED SOFTWARE VERSIONS

All recent versions of Wippien for Windows and Linux, including 2.3.2, are
affected.

SEVERITY RATING

Wippien is a VPN component, so confidentiality is the essential property to be
assured; given the simplicity of potential attacks, the potential risk is high.

DETAILS

1.) Wippien creates a new private/public key pair with every startup. This,
     together with the fact that the fingerprint of the peer's public key is
     not shown to the user, makes it impossible for users to even become
     aware of man-in-the-middle attacks.
2.) During the key exchange, Wippien peers exchange nonces that are protected
     by RSA PKCS#1. These nonces are later used to derive a session key by an
     XOR operation:

         // and XOR with ours
         for (int i = 0; i < 16; i++)
             user->m_SharedKey[i] = user->m_MyKey[i] ^ dst[i + 24];

     Thus, if the key exchange is simply replayed to the connecting victim,
     the victim XORs its own key part with itself, resulting in an all-zero
     key, so an attacker without a valid key is able to obtain a correct key.
3.) The Windows version of Wippien and MiniVPN initialize the key by using
     rand():

         for (int i = 0; i < 16; i++) m_MyKey[i] = rand();

     rand() is not a secure source for keying material, and srand() is never
     called to supply a seed. This makes key generation highly predictable.
4.) The Linux version works similarly:

         for (i=0;i<16;i++)
             u->SharedKey[i] = u->MyKey[i] ^ dst[i+24];

     The only difference is that MyKey is never initialized, so whatever
     value is in that memory is used and the derived key is highly insecure.
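
The effects described in items 2 and 3, as an added example that is not part
of the advisory or of Wippien's source: it shows the XOR derivation collapsing
to an all-zero key when the peer part equals the local part, and rand()
producing the same key part on every start. All function names are
hypothetical, and derive_checked() only covers the reflected-part case.

```c
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* The advisory's derivation: shared key = own part XOR peer part. */
static void derive_xor(unsigned char *shared, const unsigned char *mine,
                       const unsigned char *peer)
{
    for (int i = 0; i < KEY_LEN; i++)
        shared[i] = mine[i] ^ peer[i];
}

/* Key part as in item 3; unseeded rand() behaves like srand(1). */
static void weak_key_part(unsigned char *key)
{
    srand(1);                       /* the default seed, made explicit */
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)rand();
}

/* 1 if two simulated program starts produce the same key part. */
int weak_key_repeats(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    weak_key_part(a);
    weak_key_part(b);
    return memcmp(a, b, KEY_LEN) == 0;
}

/* 1 if a peer part equal to our own part yields the all-zero key. */
int reflected_part_gives_zero_key(void)
{
    unsigned char mine[KEY_LEN], shared[KEY_LEN], zero[KEY_LEN] = {0};
    weak_key_part(mine);
    derive_xor(shared, mine, mine); /* peer part is our own, sent back */
    return memcmp(shared, zero, KEY_LEN) == 0;
}

/* Hypothetical check: reject a peer part identical to ours (-1). */
int derive_checked(unsigned char *shared, const unsigned char *mine,
                   const unsigned char *peer)
{
    if (memcmp(mine, peer, KEY_LEN) == 0)
        return -1;
    derive_xor(shared, mine, peer);
    return 0;
}

int main(void) { return !(weak_key_repeats() && reflected_part_gives_zero_key()); }
```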

DISCLOSURE TIMELINE

28th January, 2010 - Contact with Wippien developer by email

RECOMMENDATION

We recommend migrating away from Wippien or using an additional form of
cryptographic protection, e.g., SSH and SSL, immediately.

GPG KEY

pub   4096R/B105F0C3 Michael Rossberg
Key fingerprint = 8448 88F0 C803 14FD 01AF A819 D2BF 817D B105 F0C3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

-----END PGP SIGNATURE-----

-----------------------

From the Wippien forum
(http://www.wippien.com/forum.php?action=view&topic=1191281119):
User: [...] I was wondering what the level of security is in Wippien. [...]
Developer: [...] You shouldn't worry about security since we had it in mind
when implementing Wippien. [...]
User: Thanks, [...] that puts my mind at ease.
