what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

crypt-insecure.txt

crypt-insecure.txt
Posted Jan 30, 2008
Authored by Daniel Roethlisberger | Site csnc.ch

LSrunasE version 1.0 and Supercrypt version 1.0 suffer from a vulnerability where an insecure use of RC4 is applied.

tags | advisory
advisories | CVE-2007-6340
SHA-256 | 1cf8e9786da360cf50ea789c75e0f6efd6e2213c7f35d9e4714cb9803787e474

crypt-insecure.txt

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: LSrunasE, Supercrypt
# Vendor: Geert Moernaut
# Type: Flawed Encryption
# Risk: Medium
# Author: Daniel Roethlisberger
# Date: 2008-01-29
# CVE Name: CVE-2007-6340
#
#############################################################



Introduction
------------
LSrunasE [1] and Supercrypt [2] are utilities used to run
commands under a different user account within Windows batch
scripts. Passwords are encrypted using strong cryptography.
Due to insecure use of the RC4 algorithm, the encryption can
be trivially broken.



Affected Product
----------------
Vulnerable:
* LSrunasE 1.0
* Supercrypt 1.0

Not vulnerable according to vendor:
* LSrunasE 2.0
* Supercrypt 2.0

Since versions 2.0 of the utilities are no longer free,
Compass Security has not been able to verify the implemented
fix.



Technical Description
---------------------
The following description of the vulnerability in LSrunasE is
also applicable to Supercrypt.

LSrunasE has two components, lsrunas.exe and lsencrypt.exe.
One would encrypt the password to the user account using
lsencrypt.exe, yielding an encrypted password. This
encrypted password is then used as parameter to
lsrunase.exe, for example in a batch script:

lsrunase.exe /user:Administrator \
/password:/kpyg/8D96HYhJ61SsJagmPw \
/domain:somecorp \
/command:"example.exe /dosomething"

LSrunasE supposedly uses AES-256 to protect the passwords,
so an attacker would have to reverse engineer the key out
of the binary, right?

However, the properties of the encrypted passwords turn out
to be very weak, leading to an easy break very quickly.
The password encryption is equivalent to a simple XOR with
a constant key, leading to the following simple break:

1) Find the XOR keystream by XORing an arbitrary string s
with its encrypted form:

keystream = unbase64(lsencrypt(s)) XOR s

2) Now you can decrypt any encrypted password:

password = unbase64(encrypted_password) XOR keystream

This result strongly suggested that AES-256 has no role in
the encryption scheme. Digging a little deeper, Compass
Security was able to unpack the PECompact packed binary and
reverse engineer the cryptographical algorithm used by
LSrunasE. The result is interesting, since it turned out
that LSrunasE is using strong cryptography, albeit in an
insecure way.

LSrunasE uses SHA1 and RC4 to encrypt the passwords. The
SHA1 hash of a constant string is directly used as 160 bit
RC4 key. There is no random IV construction.

secret = "(constant string embedded in the binary)"
key = sha1(secret)
encrypted_password = base64(rc4(key, password))

As a stream cipher, RC4 is only secure as long as you make
sure that no two plaintexts are encrypted using the same
keystream. When using raw RC4 without some form of unique
IV construction, the keystream will be the same for every
key. In the case of LSrunasE and Supercrypt, the very same
RC4 keystream is being generated for all encrypted passwords,
completely compromising the security of RC4.



Other Attacks
-------------
Note that this advisory is only about the insecure use of
the RC4 stream cipher, not about the fact that reverse
engineering is possible. Of course, utilities like LSrunasE
and Supercrypt cannot be secure against reverse engineering;
it will always be possible to reverse engineer the algorithm
and find the key within the binary.

However, encrypted passwords should not be very easily
broken without resorting to more time consuming binary
reverse engineering. And there is the obvious attack in
LSrunasE of copying the encrypted password and using it to
run arbitrary commands, which Supercrypt addresses.



Recommendation
--------------
Compass Security recommends not to use any utilities
which store credentials, especially not with privileged
accounts on untrusted systems. When used in logon
scripts or within automated staging scripts, privileged
accounts used with LSrunasE or similar tools can be
compromised, leading to privilege escalation.



PoC Code
--------
Available on request.



Disclosure Timeline
-------------------
2008-01-29: Coordinated public disclosure
2007-12-17: Initial vendor response
2007-12-17: Initial vendor notification
2007-12-14: Assigned CVE-2007-6340
2007-12-05: Discovery by Walter Sprenger, Ivan Buetler, Martin Sueess
and Daniel Roethlisberger of Compass Security AG



References
----------
[1] http://www.moernaut.com/default.aspx?item=lsrunase
[2] http://www.moernaut.com/default.aspx?item=supercrypt
[3] http://www.csnc.ch/en/downloads/advisories.html



--
Daniel Roethlisberger <daniel.roethlisberger@csnc.ch>
Compass Security Network Computing AG, Rapperswil, Switzerland
http://www.csnc.ch/ - Tel: +41 55 214 41 77 - PGP: 0x69292CBA
Security Review - Penetration Testing - Computer Forensics
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close