exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Rapid7 Security Advisory 35

Rapid7 Security Advisory 35
Posted Aug 3, 2010
Authored by H D Moore, Rapid7 | Site rapid7.com

Rapid7 Security Advisory - The VxWorks authentication library suffers from a weak password hashing vulnerability.

tags | advisory
SHA-256 | 379e84021c2f004744e223233efe6130106bb86cc055a0b8c5acb03bbce54be9

Rapid7 Security Advisory 35

Change Mirror Download
R7-0035: VxWorks Authentication Library Weak Password Hashing
August 2, 2010

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass the authentication
process for the Telnet and FTP services of the VxWorks operating system.
This flaw occurs due to an insecure password hashing implementation in
the authentication library (loginLib) of the VxWorks operating system.
Regardless of what password is set for a particular account, there are a
only small number (~210k) of possible hash outputs. Typical passwords
consisting of alphanumeric characters and symbols fall within an even
smaller range of hash outputs (~8k), making this trivial to brute force
over the network. To excaberate matters, loginLib has no support for
account lockouts and the FTP daemon does not disconnect clients that
consistently fail to authenticate. This reduces the brute force time for
the FTP service to approximately 30 minutes.

To demonstrate the hash weakness, the password of "insecure" hashes to
the value "Ry99dzRcy9". The password of "s{{{{{^O" also hashes to the
same output. The hashing algorithm itself is based on an additive sum
with a small XOR operation. The resulting sums are then transformed to a
printable string, but the range of possible intermediate values is
limited and mostly sequential. The entire collision table has been
precomputed and will be released in early September as an input file for
common brute force tools. More information about the hashing algorithm
itself is available at the Metasploit blog post below:

http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

There are three requirements for this vulnerability to be exploited:

* The device must be running at least one service that uses loginLib
for authentication. Telnet and FTP do so by default.

* A valid username must be known to the attacker. This is usually easy
to determine through product manuals or a cursory review of the firmware
binaries.

* The target service must be using with default loginLib library and
must not have changed the authentication function to point to a custom
backend.

A typical VxWorks device will meet all three requirements by default,
but customization by the device manufacturer may preclude this from
being exploited. In general, if the device displays a VxWorks banner for
Telnet or FTP, it is more than likely vulnerable.

-- Vendor Response:
Wind River Systems has notified their customers of the issue and
suggested that each downstream vendor replace the existing hash
implementation with SHA512 or SHA256. The exact extent of the
vulnerability and the complete list of affected devices is not known at
this time. Example code from Wind River Systems has been supplied to
CERT and is included in the advisory below:

http://www.kb.cert.org/vuls/id/840249

-- Disclosure Timeline:
2009-06-02 - Vulnerability reported to CERT for vendor notification
2009-08-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by HD Moore

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

http://www.rapid7.com/disclosure.jsp


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close