Portcullis Security Advisory 05-002 Spectrum Cash Receipting System Weak Password Encryption
Portcullis Security Advisory
Vulnerable System:
Spectrum Cash Receipting System
Vulnerability Title:
Spectrum Cash Receipting System Weak Password Protection Vulnerability.
Vulnerability discovery and development:
Portcullis Security Testing Services.
Affected systems:
All known versions of Spectrum Cash Receipting System, vulnerability
discovered for version 6.406.08.
Details:
The Spectrum Cash Receipting System is a client/server software solution
that allows offline work, and thus offline authentication. The
application has several layers of authority with regards to authorising
payments.
The local authentication requires the password file for the application
to reside locally.
Portcullis discovered that Spectrum's mechanism for protecting the
passwords within the password file is a static substitution algorithm.
Additional properties of the system reduce the available key-space,
expose plaintext in the ciphertext, enforce a maximum password length
and reveal the length of the password in the password file.
Having the password file locally allows an attacker to enumerate valid
users on the system and potentially gain unauthorised access to the
system through brute force attempts on those valid user's passwords.
Furthermore valid users of the system could attempt privilege escalation
as they have full details of all valid user accounts.
When creating a password in the application the algorithm converts all
letters entered to lowercase and limits the length to a maximum of 6
characters. In the substitution stage it statically substitutes
alphanumeric characters with a character from the range a-z and the
special characters "@+&()?\/<>". Any character in the password that is
not alphanumeric is not substituted and becomes part of the ciphertext.
If the password is shorter than 6 characters the algorithm pads the
ciphertext with white-space accordingly.
Impact:
The impact of this vulnerability is that an attacker with local access
to the password file can retrieve the plaintext passwords of all the
system users.
Exploit:
Portcullis have developed Proof of Concept code for this issue, however,
due to the sensitivity of the application will not release this
publicly.
Copyright:
Copyright (c) Portcullis Computer Security Limited 2005, All rights
reserved worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the
express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
*************************************************************
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation.
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms
of business.
**************************************************************