lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 Jun 2014 19:18:38 +0000
From: gassyjack@...nmailbox.org
To: fulldisclosure@...lists.org
Subject: [FD] Vulnerabilities in CDVI ACAC22 [2-Door Controller]

Vulnerabilities in CDVI ACAC22 [2-Door Controller]
==================================================
Vulnerabilities has been found in the CDVI ACAC22 door controller web 
interface. These vulnerabilities include:

- Client-side encryption for username and password without SSL
- Denial of service attacks leading to inability to use the web 
interface and a possible fail-open on the lock

This issue has been assigned an ID for reference:
1dd4a586

No CVE has been assigned to this.

Contacting CVDI
===============
CVDI was reached out to but did not return any requests for assistance. 
It has been decided to post this information to the Full Disclosure 
mailing list.

CVDI's website is as follows:
http://www.cdvi.co.uk/

Authentication issues
=====================
Authentication is performed using RC4 to encrypt the username and MD5 to 
encrypt the password at the login screen using a JavaScript function 
that performs both before submitting the form data. The key used to 
encrypt with RC4 is retrieved from the server and is sent with the login 
details in the form of a cookie. It is also used as a salt during the 
MD5 process.

An example from the JS code can be found in the 'login_preSubmit()' 
function found in the main login page.

$("#login_user").val(rc4($("#login_key").val(), username_str));
$("#login_pass").val(md5($("#login_key").val() + 
$("#login_password").val()));

The server checks to see if the key has been determined but it is 
unknown to when it expires. The MD5 key itself is supplied in base-16 
and the server application is sensitive to its case sensitivity, meaning 
that the server does a comparison on the other end using the supplied 
key. It also means that the server is likely storing the passwords using 
plaintext.

With regards to the key exposure, there is no SSL employed on the web 
interface, meaning that the key is received and sent with no encryption.

Denial of service attack
========================
One can exhaust the available login sessions and keys by making multiple 
requests. The server attempts to thwart this by limiting you to at least 
five sessions per IP address and user-agent, but a change in user-agent 
alone will allow you to max it out at around 15.

This can lead to an inability to log into the web interface.

Additionally, the device is configured by default to fail open, meaning 
that an attacker could potentially cause the door to unlock if the 
system becomes overloaded in the process.

Yes. One could possibly unlock the door through a DoS attack.

Our opinion
===========
You should contact the device manufacturer for further assistance and 
avoid buying the device if you’re looking to implement such a system.

Yours truly,
Gassy Jack

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists