what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Rapid7 Security Advisory 35

Rapid7 Security Advisory 35
Posted Aug 3, 2010
Authored by H D Moore, Rapid7 | Site rapid7.com

Rapid7 Security Advisory - The VxWorks authentication library suffers from a weak password hashing vulnerability.

tags | advisory
SHA-256 | 379e84021c2f004744e223233efe6130106bb86cc055a0b8c5acb03bbce54be9

Rapid7 Security Advisory 35

Change Mirror Download
R7-0035: VxWorks Authentication Library Weak Password Hashing
August 2, 2010

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass the authentication
process for the Telnet and FTP services of the VxWorks operating system.
This flaw occurs due to an insecure password hashing implementation in
the authentication library (loginLib) of the VxWorks operating system.
Regardless of what password is set for a particular account, there are a
only small number (~210k) of possible hash outputs. Typical passwords
consisting of alphanumeric characters and symbols fall within an even
smaller range of hash outputs (~8k), making this trivial to brute force
over the network. To excaberate matters, loginLib has no support for
account lockouts and the FTP daemon does not disconnect clients that
consistently fail to authenticate. This reduces the brute force time for
the FTP service to approximately 30 minutes.

To demonstrate the hash weakness, the password of "insecure" hashes to
the value "Ry99dzRcy9". The password of "s{{{{{^O" also hashes to the
same output. The hashing algorithm itself is based on an additive sum
with a small XOR operation. The resulting sums are then transformed to a
printable string, but the range of possible intermediate values is
limited and mostly sequential. The entire collision table has been
precomputed and will be released in early September as an input file for
common brute force tools. More information about the hashing algorithm
itself is available at the Metasploit blog post below:

http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

There are three requirements for this vulnerability to be exploited:

* The device must be running at least one service that uses loginLib
for authentication. Telnet and FTP do so by default.

* A valid username must be known to the attacker. This is usually easy
to determine through product manuals or a cursory review of the firmware
binaries.

* The target service must be using with default loginLib library and
must not have changed the authentication function to point to a custom
backend.

A typical VxWorks device will meet all three requirements by default,
but customization by the device manufacturer may preclude this from
being exploited. In general, if the device displays a VxWorks banner for
Telnet or FTP, it is more than likely vulnerable.

-- Vendor Response:
Wind River Systems has notified their customers of the issue and
suggested that each downstream vendor replace the existing hash
implementation with SHA512 or SHA256. The exact extent of the
vulnerability and the complete list of affected devices is not known at
this time. Example code from Wind River Systems has been supplied to
CERT and is included in the advisory below:

http://www.kb.cert.org/vuls/id/840249

-- Disclosure Timeline:
2009-06-02 - Vulnerability reported to CERT for vendor notification
2009-08-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by HD Moore

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

http://www.rapid7.com/disclosure.jsp


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close