SecurityTracker.com
Category:   Application (Generic)  >   CCC/Harvest
Vendors:   CA
Computer Associates CCC/Harvest Source Code Control Software Allows Attackers to Decrypt Passwords Transmitted Over the Network
SecurityTracker Alert ID:  1001196
SecurityTracker URL:  http://securitytracker.com/id/1001196
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 29 2001
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): v5.0, possibly others
Description:   An encryption-related vulnerability was reported in Computer Associates' CCC\Harvest source code control software that could allow an attacker who is sniffing the network to decrypt passwords.

CCC/Harvest reportedly authenticates users by transmitting security credentials from the user to the server using an encryption method that is susceptible to a chosen plaintext attack. The length of the password does not increase the difficulty of the attack. Feedback chaining is not used, so repeated terms in the plaintext appear as repeated terms in the ciphertext. As a result, a user sniffing the network could capture the superuser password in encrypted form and then apply character substitution to reveal the plaintext.

A demonstration exploit scenario using a chosen plain text attack with character substitution is provided in the source message.

The vendor has reportedly been notified.

Impact:   A user sniffing the network could capture the superuser password in encrypted form and then apply character substitution to reveal the plaintext. If the CCC/Harvest security authentication mechanism is broken, source code can be modified and downloaded without an application-level audit trail.
Solution:   No solution was available at the time of this entry.
Vendor URL:  ca.com/products/ccc_harvest.htm
Cause:   Authentication error, Randomization error
Underlying OS:   UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


Source Message Contents

Date:  Wed, 28 Mar 2001 15:07:29 -0600
Subject:  CCC\Harvest exploit


-=> Zero Tolerance Technologies (T) Security Advisory <=-
Reference: ZTT-SA01-27032001
Author: Richard Scott, r1ccard0@the-pentagon.com

Product: Computer Associates' CCC\Harvest Source Code
control software
     http://ca.com/products/ccc_harvest.htm
     http://ca.com/products/descriptions/ccc_harvest.pdf

Severity:
High, Application superuser can be obtained.

Systems:
CCC\Harvest v5.0 running on NT\2000, could also apply to
other platforms and versions.
Discovered: 26th March 2001

Synopsis
CCC Harvest is a tool that is used to audit and maintain
access control to source code. If the security mechanism is
broken, source code can be modified and downloaded with
little audit trail.

CCC Harvest has an authentication model that uses TCP to
transmit the security credentials to the server for
authentication.  The encryption method used is susceptible
to a chosen plaintext attack.
Length of password does not increase the security.  No
feedback chaining is used to prevent repeated terms in the
plaintext appearing in the ciphertext.  A user could
discover the superuser password in encrypted form and then
apply character substitution to reveal the plaintext.

Exploit:
Using a chosen plain text attack, the character substitution
matrix can be constructed.  Using this matrix, it is
possible to simply look up each ciphertext character to
reveal its plaintext equivalent.

The password that was captured using a network analyzer in
encrypted form was:
yfohoh>u[ghhdptj1111111.

Using the matrix above, the resulting plain text would be:
ThisismypasswordQQQQQQQ

If other characters had been used, it's pretty easy to see
how a plain text attack would extend, just feed in the ASCII
character set and review the ciphertext that appears.  The
last few characters also reveal another weakness.  The
algorithm that is being used seems to take one character at
a time, and doesn't use any loop back mechanism to prevent
repeating terms in the plaintext occurring in the
ciphertext.

Vendor Notification:
CCC\Harvest have been notified through their support system,
found at: http://support.ca.com/a-g.html
I've had a response that all they are willing to say is that
this is the current mechanism.  There may be some confusion
as to the extent of the exploit.  But I've tried to notify them
of the problem.

Current research has led me to believe the following:
1)   the encryption key is hard coded in to the application
2)   the key is the same for all installations of
  CCC\Harvest

As of 27-03-2001 CA are aware of the problem.

Solution
If CCC\Harvest supports NT authentication, it should be
used.
Changing the key is not a sufficient precaution to prevent
this attack.


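The two weaknesses the advisory describes (a stateless per-character substitution, and repeated plaintext showing through because there is no feedback chaining) can be checked directly against the ciphertext/plaintext pair it quotes. The following is an added example, not code from the advisory or from CA; the chained cipher and the key byte 0x5A are constructed for illustration only and stand in for no real algorithm.

```python
# Added example, not code from the advisory or from CA. The two strings are
# the pair quoted in the advisory (its trailing "." is read as sentence
# punctuation). chained_encrypt/chained_decrypt are a constructed toy that
# only illustrates what feedback chaining buys; it is not a secure cipher.

CAPTURED_CIPHERTEXT = "yfohoh>u[ghhdptj1111111"  # captured on the wire (advisory)
RECOVERED_PLAINTEXT = "ThisismypasswordQQQQQQQ"  # recovered by the author (advisory)


def substitution_is_consistent(plaintext, ciphertext):
    """True if each plaintext symbol always maps to the same ciphertext symbol,
    i.e. the cipher behaves as a stateless per-character lookup table."""
    table = {}
    for p, c in zip(plaintext, ciphertext):
        if table.setdefault(p, c) != c:
            return False
    return True


def longest_run(seq):
    """Length of the longest run of one repeated symbol. A long run in
    ciphertext shows that repeated plaintext is not being hidden."""
    best = run = 0
    for i, sym in enumerate(seq):
        run = run + 1 if i and seq[i - 1] == sym else 1
        best = max(best, run)
    return best


def chained_encrypt(plaintext, key):
    """Toy feedback-chained encoding (constructed, single-byte key): each output
    byte depends on the previous ciphertext byte, so a run of identical
    plaintext bytes no longer yields a run of identical ciphertext bytes."""
    prev, out = key, []
    for p in plaintext.encode():
        c = (p + prev) % 256
        out.append(c)
        prev = c
    return bytes(out)


def chained_decrypt(ciphertext, key):
    prev, out = key, []
    for c in ciphertext:
        out.append((c - prev) % 256)
        prev = c
    return bytes(out).decode()


if __name__ == "__main__":
    print("stateless table:", substitution_is_consistent(RECOVERED_PLAINTEXT, CAPTURED_CIPHERTEXT))
    print("longest run in capture:", longest_run(CAPTURED_CIPHERTEXT))
    print("longest run with chaining:", longest_run(chained_encrypt(RECOVERED_PLAINTEXT, 0x5A)))
```

The capture passes the consistency check and carries a run of seven identical symbols where the plaintext had seven identical characters, which is exactly what the advisory's substitution-table attack relies on; with chaining the same plaintext produces no repeated run and no stable table.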
Copyright 2014, SecurityGlobal.net LLC