[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BANLkTikpis9X+=Tf+CGejrFiNarhbA29Ww@mail.gmail.com>
Date: Mon, 23 May 2011 18:56:39 +0100
From: Dennis Brunnen <dennis.brunnen@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: NNT Change Tracker - Hard-Coded Encryption Key
Background
----------
NNT Change Tracker Enterprise is a commercial product created by
UK-based New Net Technologies, and is designed to detect changes to
PC, server and network device configurations. The central component
'Core Server' is sent change data from 'Remote Angels' that monitor
remote systems.
It is marketed as a security product.
Company homepage:
http://www.newnettechnologies.com
Versions affected
-----------------
This vulnerability has been noted on versions 4.7. It is suspected
that most previous versions are also affected.
Vulnerability
-------------
Encryption is used at various points by the components that make up
the NNT Change Tracker Enterprise suite, but the same hard-coded
encryption key is always used. The key is a byte array with values at
the following indices:
[0] = 21;
[1] = 23;
[2] = 2;
[3] = 3;
[4] = 8;
[5] = 54;
[6] = 5;
[7] = 55;
[8] = 4;
[9] = 222;
[10] = 54;
[11] = 254;
[12] = 7;
[13] = 2;
[14] = 32;
[15] = 22;
An attacker could use this vulnerability to prevent NNT Change Tracker
Enterprise from detecting certain changes, or by fabricating changes
that never took place.
Additionally, NNT Change Tracker Enterprise utilises an apparently
'home-brew', weak encryption algorithm as follows (implementation in
C#, where 'this.key' references the hard-coded key shown above):
public string Encrypt(string plaintext)
{
string ciphertext = String.Empty;
byte[] plainBytes = Encoding.ASCII.GetBytes(plaintext);
int num = 0;
for (int i = 0; i < bytes.Length; i++)
{
plainBytes[i] += this.key[num++];
if (num >= 16)
num = 0;
byte b = 15 & (int)plainBytes[i] >> 4;
ciphertext += (char)(65 + b);
b = (plainBytes[i] & 15);
ciphertext += (char)(65 + b);
}
return ciphertext;
}
public string Decrypt(string ciphertext)
{
if (ciphertext.Length < 4)
{
return String.Empty;
}
byte[] cipherbytes = Encoding.ASCII.GetBytes(ciphertext);
byte[] plainbytes = new byte[cipherbytes.Length / 2];
int num = 0;
for (int i = 0; i < cipherbytes.Length; i += 2)
{
byte b = cipherbytes[i] - 65;
b = (int)b << 4;
byte b2 = cipherbytes[i + 1] - 65;
b += b2;
b -= this.key[num++];
if (num >= 16)
num = 0;
plainbytes[i / 2] = b;
}
return new string(Encoding.ASCII.GetChars(plainbytes));
}
The key is hard-coded into .NET assembly NNT_CoreFuncs.dll
Response from Vendor
--------------------
None
Timeline
--------
2011-05-12: Reported to vendor
2011-05-20: Disclosed
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists