Vendor Response to Portcullis Advisory 05-002: Spectrum Cash Receipting System
Portcullis have received a response from the vendor to the advisory we
released on January 24 2005.
For completeness the vendor response has been included in its entirety,
demarcated with <VENDOR RESPONSE> TEXT <VENDOR RESPONSE> markers.
Portcullis Security Advisory
Spectrum Cash Receipting System Weak Password Protection Vulnerability.
Vulnerability discovery and development:
Fredrik Hult
Paul J Docherty
Affected systems:
All known versions of Spectrum Cash Receipting System, vulnerability
discovered for version 6.406.08.
<VENDOR RESPONSE>
A software solution has been provided within version 6.504 which
incorporates an MD5 compliant encryption routine to restrict deciphering
of the passwords. This results in a 16 character randomly generated
password that is not available for deciphering at all.
<VENDOR RESPONSE>
Details:
The Spectrum Cash Receipting System is a client/server software solution
that allows offline work, and therefore offline authentication. The
application has several layers of authority with regard to authorising
payments.
The Spectrum Cash Receipting system allows the 'receipting' of payments,
not functionality to 'authorise payments'.
<VENDOR RESPONSE>
As with most software of this type the application is installed on PCs
which are protected from unauthorised access by the use of user IDs and
passwords maintained within the operating system. Consequently, the
application is not accessible to unauthorised or casual users. In the
new release of the software, each layer of authority is subject to
the method for encrypting passwords which makes them immune to
intruders.
<VENDOR RESPONSE>
Offline (local) authentication requires the application's PASSFILE
password file to reside on the client alongside the application. This
enables an attacker with access to that client either to attempt
privilege escalation via other users potentially present in the PASSFILE
or to gain unauthorised access.
<VENDOR RESPONSE>
All passwords in the PASSFILE are subject to the new method for
encrypting passwords which makes them immune to intruders.
<VENDOR RESPONSE>
The usual industry-practice mitigation of this threat is to protect the
passwords stored in the PASSFILE with a strong cipher. Portcullis found
Spectrum's password-protection mechanism to be a static substitution
obfuscation algorithm with properties that reduce the available
key-space, expose plaintext in the ciphertext, enforce a maximum
password length and reveal the length of the password in the PASSFILE.
<VENDOR RESPONSE>
All passwords in the PASSFILE are subject to the MD5 compliant method
for encrypting passwords which makes them immune to intruders.
<VENDOR RESPONSE>
When a password is created in the application, the algorithm first
converts all letters entered to lowercase and limits the length to a
maximum of 6 characters. In the substitution stage it replaces each
alphanumeric character, via a fixed table, with a character from the
range a-z or the special characters "@+&()?\/<>". Any character in the
password that is not alphanumeric is not substituted and is copied
verbatim into the ciphertext. If the password is shorter than 6
characters the algorithm pads the ciphertext with white-space to that
length.
<VENDOR RESPONSE>
All passwords in the PASSFILE are subject to the MD5 compliant method
for encrypting passwords which replaces the above method of encryption,
which makes them immune to intruders.
<VENDOR RESPONSE>
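To make the properties listed above measurable, the following is an added example; it is not code from the advisory, from Portcullis or from Spectrum. It models the described scheme with a constructed substitution table (the real Spectrum table is not published; any fixed one-to-one table behaves the same) and sets it beside a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library) for contrast. The function names, the table, the iteration count and the sample passwords are all assumptions of this example. As a practitioner's caveat on the vendor's remedy: a bare, unsalted MD5 digest of a six-character lowercase password is itself recovered quickly by brute force, which is why a salted, deliberately slow construction such as the one below is the current recommendation for stored credentials.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

MAX_LEN = 6                                      # advisory: passwords cut to 6 characters
_ALNUM = string.ascii_lowercase + string.digits  # what gets substituted (after lowercasing)
_OUT = string.ascii_lowercase + "@+&()?\\/<>"    # output alphabet named in the advisory
assert len(_ALNUM) == len(_OUT) == 36
# Constructed one-to-one table for this example (the real Spectrum table is not
# published); any fixed table has the same properties.
_TABLE = dict(zip(_ALNUM, reversed(_OUT)))
_INVERSE = {v: k for k, v in _TABLE.items()}


def toy_obfuscate(password: str) -> str:
    """Model of the described scheme: lowercase, truncate to 6, substitute
    alphanumerics by the fixed table, copy anything else through unchanged,
    pad with spaces to 6."""
    pw = password.lower()[:MAX_LEN]
    return "".join(_TABLE.get(c, c) for c in pw).ljust(MAX_LEN)


def toy_deobfuscate(stored: str) -> str:
    """A fixed substitution is a bijection, so holding the table reverses it.
    Exact for alphanumeric passwords; a pass-through special character that also
    occurs in the output alphabet is ambiguous, as the described scheme implies."""
    return "".join(_INVERSE.get(c, c) for c in stored.rstrip(" "))


def weaknesses(password: str) -> dict:
    """The properties the advisory lists, measured on one stored value."""
    stored = toy_obfuscate(password)
    kept = password.lower()[:MAX_LEN]
    return {
        "plaintext_exposed": [c for c in kept if c not in _ALNUM],  # copied verbatim
        "length_revealed": len(stored.rstrip(" ")),                 # padding gives it away
        "characters_kept": len(kept),                               # everything past 6 is dropped
    }


def collides(password: str) -> bool:
    """Case folding plus truncation: these variants all store identically."""
    variants = {password, password.upper(), password.lower(), password + "xyz"}
    return len({toy_obfuscate(v) for v in variants}) == 1


# Contrast: salted, iterated, one-way. Output size is fixed, case and full
# length are preserved, and the stored value can only be verified, not decoded.
ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ("Secret", "SECRET", "secretary", "Pa$$w0rd!", "ab"):
        print(repr(pw), "->", repr(toy_obfuscate(pw)), weaknesses(pw))
    stored = hash_password("Secret")
    print(stored, verify_password("Secret", stored), verify_password("secret", stored))
```

Running it shows "Secret", "SECRET" and "secretary" all stored as the same six characters, "Pa$$w0rd!" storing its two "$" signs in the clear, and "ab" padded so its length is visible; the PBKDF2 values for the same password differ on every call because of the salt, are the same length whatever the input, and distinguish "Secret" from "secret" and "Secretary".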
Impact:
The impact of this vulnerability is that an attacker with local access
to the PASSFILE can retrieve the plaintext passwords with ease.
<VENDOR RESPONSE>
The above stated vulnerability no longer exists as a result of
implementing the MD5 compliant method for encryption.
<VENDOR RESPONSE>
Exploit:
Portcullis has a working module in-house but will not release this
publicly. Portcullis is in contact with Spectrum regarding the
vulnerability.
Copyright (c) Portcullis Computer Security Limited 2004, All rights
reserved worldwide.
Permission is hereby granted for the electronic redistribution of this
Information. It is not to be edited or altered in any way without the
express written consent of Portcullis Computer Security Limited.
Disclaimer: The information herein contained may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Portcullis
Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information.