Background ---------- NNT Change Tracker Enterprise is a commercial product created by UK-based New Net Technologies, and is designed to detect changes to PC, server and network device configurations. The central component 'Core Server' is sent change data from 'Remote Angels' that monitor remote systems. It is marketed as a security product. Company homepage: http://www.newnettechnologies.com Versions affected ----------------- This vulnerability has been noted on versions 4.7. It is suspected that most previous versions are also affected. Vulnerability ------------- Encryption is used at various points by the components that make up the NNT Change Tracker Enterprise suite, but the same hard-coded encryption key is always used. The key is a byte array with values at the following indices: [0] = 21; [1] = 23; [2] = 2; [3] = 3; [4] = 8; [5] = 54; [6] = 5; [7] = 55; [8] = 4; [9] = 222; [10] = 54; [11] = 254; [12] = 7; [13] = 2; [14] = 32; [15] = 22; An attacker could use this vulnerability to prevent NNT Change Tracker Enterprise from detecting certain changes, or by fabricating changes that never took place. Additionally, NNT Change Tracker Enterprise utilises an apparently 'home-brew', weak encryption algorithm as follows (implementation in C#, where 'this.key' references the hard-coded key shown above): public string Encrypt(string plaintext) { string ciphertext = String.Empty; byte[] plainBytes = Encoding.ASCII.GetBytes(plaintext); int num = 0; for (int i = 0; i < bytes.Length; i++) { plainBytes[i] += this.key[num++]; if (num >= 16) num = 0; byte b = 15 & (int)plainBytes[i] >> 4; ciphertext += (char)(65 + b); b = (plainBytes[i] & 15); ciphertext += (char)(65 + b); } return ciphertext; } public string Decrypt(string ciphertext) { if (ciphertext.Length < 4) { return String.Empty; } byte[] cipherbytes = Encoding.ASCII.GetBytes(ciphertext); byte[] plainbytes = new byte[cipherbytes.Length / 2]; int num = 0; for (int i = 0; i < cipherbytes.Length; i += 2) { byte b = cipherbytes[i] - 65; b = (int)b << 4; byte b2 = cipherbytes[i + 1] - 65; b += b2; b -= this.key[num++]; if (num >= 16) num = 0; plainbytes[i / 2] = b; } return new string(Encoding.ASCII.GetChars(plainbytes)); } The key is hard-coded into .NET assembly NNT_CoreFuncs.dll Response from Vendor -------------------- None Timeline -------- 2011-05-12: Reported to vendor 2011-05-20: Disclosed