Computer Associates CCC/Harvest Source Code Control Software Allows Attackers to Decrypt Passwords Transmitted Over the Network
SecurityTracker Alert ID: 1001196|
SecurityTracker URL: http://securitytracker.com/id/1001196
(Links to External Site)
Date: Mar 29 2001
Disclosure of authentication information|
Exploit Included: Yes |
Version(s): v5.0, possibly others|
An encryption-related vulnerability was reported in Computer Associates' CCC\Harvest source code control software that could allow an attacker that is sniffing the network to decrypt passwords.|
CCC/Harvest reportedly authenticates users by transmitting security credentials from the user to the server using an encryption method that is susceptible to a chosen plaintext attack. The length of password does not increase the difficulty of attack. Feedback chaining is not used to prevent repeated terms in the plaintext appearing in the ciphertext. As a result, a user sniffing the network could discover the superuser password in encrypted form and then apply character substitution to reveal the plaintext.
A demonstration exploit scenario using a chosen plain text attack with character substitution is provided in the source message.
The vendor has reportedly been notified.
A user sniffing the network could discover the superuser password in encrypted form and then apply character substitution to reveal the plaintext. If the CCC/Harvest security authentication mechanism is broken, source code can be modified and downloaded without application-level audit trail.|
No solution was available at the time of this entry.|
Vendor URL: ca.com/products/ccc_harvest.htm (Links to External Site)
Authentication error, Randomization error|
UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)|
Source Message Contents
Date: Wed, 28 Mar 2001 15:07:29 -0600|
Subject: CCC\Havest exploit
-=> Zero Tolerance Technologies (T) Security Advisory <=-
Author: Richard Scott, firstname.lastname@example.org
Product: Computer Associates' CCC\Harvest Source Code
High, Application superuser can be obtained.
CCC\Harvest v5.0 running on NT\2000, could also apply to
other platforms and versions.
Discovered: 26th March 2001
CCC Harvest is a tool that is used to audit and maintain
access control to source code If the security mechanism is
broken, source code can be modified and downloaded with
little audit to trail.
CCC Harvest has an authentication model that uses TCP to
transmit the security credentials to the server for
authentication. The encryption method used is susceptible
to a chosen plaintext attack.
Length of password does not increase the security. No
feedback chaining is used to prevent repeated terms in the
plaintext appearing in the ciphertext. A user could
discover the superuser password in encrypted form and then
apply character substitution to reveal the plaintext.
Using a chosen plain text attack, the character substitution
matrix can be constructed. Using this matrix, it is
possible to simply look up each ciphertext character to
reveal it's plaintext equivalent.
The password that was captured using a network analyzer in
encrypted form was:
Using the matrix above, the resulting plain text would be:
If other characters had been used, it's pretty easy to see
how a plain text attack would extend, just feed in the ASCII
character set and review the ciphertext that appears. The
last few characters also reveal another weakness. The
algorithm that is being used, seems to take one character at
a time, and doesn't use any loop back mechanism to prevent
repeating terms in the plaintext occurring in the
CCC\Harvest have been notified through their support system,
found at : http://support.ca.com/a-g.html
I've had a response that all they are willing to say is that
this is the current mechanism. There may be some confusion
as the extent of the exploit. But I've tried to notify them
of the problem.
Current research has led me to believe the following:
1) the encryption key is hard coded in to the application
2) the key is the same for all installations of
As of 27-03-2001 CA are aware of the problem
If CCC\Harvest supports NT authentication, it should be
Changing the key is not a sufficient precaution to prevent
Free email with personality! Over 200 domains!