Message-Id: <02F5CA2A-F6B8-4421-80B7-AA47BAA83669@dataix.net>
Date: Sun, 25 Aug 2024 06:31:26 -0500
From: "J. Hellenthal via Fulldisclosure" <fulldisclosure@...lists.org>
To: noloader@...il.com
Cc: fulldisclosure@...lists.org, Sebastian Hamann <sebastian.hamann@...s.de>
Subject: Re: [FD] [SYSS-2024-038] DiCal-RED - Use of Password Hash Instead of Password for Authentication

Correct me if I'm wrong, but I believe he is trying to relay that "on the backend", where the password hashes are stored, if accessed by those with admin access or a bad actor, if you will, gives them the immediate ability to access every account without needing to decrypt the passwords. This is a very bad practice.

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Aug 24, 2024, at 22:25, Jeffrey Walton <noloader@...il.com> wrote:
> 
> There's no difference between sending the password or Hash(password)
> at the client. It is similar to (but weaker than) HTTP digest
> authentication.
> 
> There's nothing to see here.
> 
> Jeff
> 
>> On Thu, Aug 22, 2024 at 5:13 PM Sebastian Hamann via Fulldisclosure
>> <fulldisclosure@...lists.org> wrote:
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>> 
>> Advisory ID: SYSS-2024-038
>> Product: DiCal-RED
>> Manufacturer: Swissphone Wireless AG
>> Affected Version(s): Unknown
>> Tested Version(s): 4009
>> Vulnerability Type: Use of Password Hash Instead of Password for Authentication (CWE-836)
>> Risk Level: Medium
>> Solution Status: Open
>> Manufacturer Notification: 2024-04-16
>> Solution Date: None
>> Public Disclosure: 2024-08-20
>> CVE Reference: CVE-2024-36439
>> Author of Advisory: Sebastian Hamann, SySS GmbH
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Overview:
>> 
>> DiCal-RED is a radio module for communication between emergency vehicles and
>> control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity
>> and runs a Linux- and BusyBox-based operating system.
>> 
>> The manufacturer describes the product as follows (see [1]):
>> 
>> "The DiCal-Red radio data module reliably guides you to your destination. This
>> is ensured by the linking of navigation (also for the transmission of position
>> data) and various radio modules."
>> 
>> Due to the use of a password hash instead of a password for authentication,
>> the device is vulnerable to unauthorized access to administrative
>> functionality.
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Vulnerability Details:
>> 
>> The device provides an administrative web interface that requests the
>> administrative system password before it can be used. Instead of submitting
>> the user-supplied password, its MD5 hash is calculated on the client side
>> and submitted.
>> An attacker who knows the hash of the correct password but not the password
>> itself can simply replace the value of the password URL parameter with the
>> correct hash and subsequently gain full access to the administrative web
>> interface.
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Proof of Concept (PoC):
>> 
>> 1. Access the device's web interface and log in with an arbitrary password.
>> 2. Use a local proxy or browser plug-in to intercept the HTTP requests.
>>    One of them looks like this:
>>    http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=validatepassword&password=2ab96390c7dbe3439de74d0c9b0b1767
>> 3. Replace the value of the password parameter with the hash of the correct
>>    device password.
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Solution:
>> 
>> The manufacturer recommends not running the device in an untrusted network.
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Disclosure Timeline:
>> 
>> 2024-02-29: Vulnerability discovered
>> 2024-04-16: Vulnerability reported to manufacturer
>> 2024-05-10: Manufacturer states that the vulnerability will not be fixed
>> 2024-05-14: Vulnerability reported to CERT-Bund
>> 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL
>> 2024-08-20: Public disclosure of vulnerability
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> References:
>> 
>> [1] Product website for DiCal-RED
>>     https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
>> [2] SySS Security Advisory SYSS-2024-038
>>     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-038.txt
>> [3] SySS Responsible Disclosure Policy
>>     https://www.syss.de/en/responsible-disclosure-policy
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Credits:
>> 
>> This security vulnerability was found by Sebastian Hamann of SySS GmbH.
>> 
>> E-Mail: sebastian.hamann@...s.de
>> Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
>> Key ID: 0x9CE0E440429D8B96
>> Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Disclaimer:
>> 
>> The information provided in this security advisory is provided "as is"
>> and without warranty of any kind. Details of this security advisory may
>> be updated in order to provide as accurate information as possible. The
>> latest version of this security advisory is available on the SySS website.
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Copyright:
>> 
>> Creative Commons - Attribution (by) - Version 3.0
>> URL: http://creativecommons.org/licenses/by/3.0/deed.en
>> 
>> -----BEGIN PGP SIGNATURE-----
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: https://seclists.org/fulldisclosure/
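Added example, not code from the advisory, the vendor or any poster in the thread: it models the check the advisory describes (the client submits MD5(password) and the server compares it with the stored MD5, so the stored value is itself a working credential, CWE-836) next to a server-side design in which the stored verifier is useless as a login value. The password, the handler names and the PBKDF2 parameters are constructed for illustration; the hardened variant still needs TLS, since the password itself travels to the server.

```python
import hashlib
import hmac
import os

# Constructed sample password; the device's real password is not on the page.
SAMPLE_PASSWORD = "example-password"
PBKDF2_ITERATIONS = 200_000  # illustrative work factor, not a vendor setting

def client_side_md5(password: str) -> str:
    """What the DiCal-RED web client sends per the advisory: hex MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def vulnerable_validate(stored_md5: str, submitted: str) -> bool:
    """Hypothetical 'validatepassword' check: submitted value vs. stored MD5.
    Anyone who holds stored_md5 passes this check without knowing the password."""
    return hmac.compare_digest(stored_md5, submitted)

def make_verifier(password: str) -> tuple[bytes, bytes]:
    """Hardened design: the server stores a random salt plus a PBKDF2 output
    and only ever receives the password, never a client-computed hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk

def hardened_validate(verifier: tuple[bytes, bytes], submitted_password: str) -> bool:
    """Recompute PBKDF2 over the submitted password and compare in constant time."""
    salt, dk = verifier
    cand = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, cand)

def demo() -> dict:
    """Run both designs against the real password and against the stored value alone."""
    stored = client_side_md5(SAMPLE_PASSWORD)   # what the vulnerable server holds
    verifier = make_verifier(SAMPLE_PASSWORD)   # what the hardened server holds
    return {
        # normal login in the vulnerable scheme
        "vuln_real_password": vulnerable_validate(stored, client_side_md5(SAMPLE_PASSWORD)),
        # the stored hash alone is accepted: the hash is the credential
        "vuln_hash_only": vulnerable_validate(stored, stored),
        # hardened scheme: the real password is accepted ...
        "hard_real_password": hardened_validate(verifier, SAMPLE_PASSWORD),
        # ... but the stored verifier used as a login value is just a wrong password
        "hard_verifier_only": hardened_validate(verifier, verifier[1].hex()),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```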