Dienstplan 2.2 Predictive Passwords

Dienstplan 2.2 Predictive Passwords: Posted Aug 29, 2011; Authored by Dan Luedtke | Site danrl.de; Dienstplan version 2.2 suffers from multiple predictive password vulnerabilities.; tags | advisory, vulnerability; SHA-256 | a3b1ae5a968d69bc0d5fbf09c9a8eef18d7261dd23662e4cc9cb9ede23ef154c; Download | Favorite | View

Dienstplan 2.2 Predictive Passwords

Disocvered on Tue, 07 Jun 2011
by Dan Luedtke http://www.danrl.de

Abstract
========
Calendar application Dienstplan 2.2 uses predictive passwords in
user-creation and password-reset routines.


About Dienstplan
================
Dienstplan is a web-based calendar application written in PHP targeting
clubs and associations. Registered users may RSVP to sheduled events.
See http://www.thomas-gubisch.de/dienstplan.html for further
information.


Vulnerable Versions
===================
Tested on Dienstplan 2.2, others may be vulnerable


Predictive Password Generation (1/2)
====================================
When a new account is created, the password is derived from the
time()-function, which gives back the current UNIX TIME STAMP. A
non-salted md5-hash of UNIX TIME STAMP becomes the initial password and
is valid until the users changes the password manually.

--[ user_func.php lines 46-49 ]--
        // id = 0 -> new user
        if($id == 0)
                $id = master_addUser($username, $email, md5(time()));
        else
--

An attacker (roughly) knowing when a user account was created can
predict the password.


Predictive Password Generation (2/2)
====================================
A user can reset his own password. Unfortunately, everyone having access
to the application via browser can trigger this process for every known
user (e.g. admin). The application then generates a new password as
shown below. The new password is mailed to the user it was generated
for.

--[ user_func.php line 134 ]--
        $password = md5(time());
--

An attacker might predict the password, or a set of possible passwords,
by precalculating the md5-hashes of past, current, and future UNIX TIME
STAMPs (e.g. +/-10 seconds, depends on server's offset). He may trigger
the password reset process and log in with one of the precalculated
passwords.


Remarks
=======
* Author responded in less than 24h. A fix was provided soon after that.
* Disclosure has been delayed for 2+ months for users to update their
software.



regards,
   danrl


-- 
Dan Luedtke
http://www.danrl.de (private)
http://www.dlitc.com (company)

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Dienstplan 2.2 Predictive Passwords

Dienstplan 2.2 Predictive Passwords

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Dienstplan 2.2 Predictive Passwords

Share This

Dienstplan 2.2 Predictive Passwords

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems