Message-ID: <CAAfuxnLJgZbeq1x-JUBvUBaGq0mxZ1H4B5nP-SM56zPv1gCHSA@mail.gmail.com>
Date: Mon, 29 Aug 2011 09:23:27 +0200
From: Dan Luedtke <maildanrl@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Dienstplan 2.2 predictive password generation

Discovered on Tue, 07 Jun 2011
by Dan Luedtke http://www.danrl.de

Abstract
========
Calendar application Dienstplan 2.2 uses predictive passwords in
user-creation and password-reset routines.


About Dienstplan
================
Dienstplan is a web-based calendar application written in PHP targeting
clubs and associations. Registered users may RSVP to scheduled events.
See http://www.thomas-gubisch.de/dienstplan.html for further
information.


Vulnerable Versions
===================
Tested on Dienstplan 2.2; other versions may be vulnerable.


Predictive Password Generation (1/2)
====================================
When a new account is created, the password is derived from the
time() function, which returns the current UNIX TIME STAMP. An
unsalted md5 hash of the UNIX TIME STAMP becomes the initial password
and is valid until the user changes the password manually.

--[ user_func.php lines 46-49 ]--
        // id = 0 -> new user
        if($id == 0)
                $id = master_addUser($username, $email, md5(time()));
        else
--

An attacker (roughly) knowing when a user account was created can
predict the password.


Predictive Password Generation (2/2)
====================================
A user can reset his own password. Unfortunately, everyone having access
to the application via browser can trigger this process for every known
user (e.g. admin). The application then generates a new password as
shown below. The new password is mailed to the user it was generated
for.

--[ user_func.php line 134 ]--
        $password = md5(time());
--

An attacker might predict the password, or a set of possible passwords,
by precalculating the md5 hashes of past, current, and future UNIX TIME
STAMPs (e.g. +/-10 seconds, depending on the server's offset). He may
trigger the password reset process and log in with one of the
precalculated passwords.


Remarks
=======
* Author responded in less than 24h. A fix was provided soon after that.
* Disclosure has been delayed for 2+ months for users to update their
software.



regards,
   danrl


-- 
Dan Luedtke
http://www.danrl.de (private)
http://www.dlitc.com (company)
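
Added example (not part of the original advisory, and not Dienstplan's
code or its actual fix): the md5(time()) pattern from user_func.php
beside a CSPRNG-based replacement, plus a regression check that flags
any generated password that is the md5 of a nearby timestamp. All
function names are hypothetical; random_bytes() requires PHP 7.0+.

```php
<?php
// Added example. Function names are hypothetical, not Dienstplan's.

// Pattern from user_func.php: the password is a pure function of the
// server clock, so its search space is the number of plausible seconds.
function weak_password(int $now): string
{
    return md5((string) $now);
}

// Replacement: 128 bits from the OS CSPRNG, hex-encoded. The result is
// 32 lowercase hex characters, the same shape md5() produced, so it
// fits wherever the old value was stored or mailed.
function strong_password(): string
{
    return bin2hex(random_bytes(16));
}

// Regression check for a password generator: returns true when
// $password equals md5() of any UNIX timestamp within +/- $window
// seconds of $around, i.e. when it is derived from the clock.
function is_time_derived(string $password, int $around, int $window = 3600): bool
{
    for ($t = $around - $window; $t <= $around + $window; $t++) {
        if (hash_equals(md5((string) $t), $password)) {
            return true;
        }
    }
    return false;
}

$now = time();

// Constructed sample: a password "issued" seven seconds ago by the
// vulnerable routine, and one from the replacement.
$samples = [
    'md5(time())'   => weak_password($now - 7),
    'random_bytes'  => strong_password(),
];

foreach ($samples as $label => $password) {
    $verdict = is_time_derived($password, $now) ? 'TIME-DERIVED' : 'ok';
    printf("%-14s %s  %s\n", $label, $password, $verdict);
}
```

With a one-hour window the check covers only 7201 candidates, which is
the whole space an md5(time()) password is drawn from once the issue
time is known to within an hour.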
