<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello -

The Cisco PSIRT is aware of reports that claim the Cisco VPN Client
password encryption uses a breakable algorithm to encrypt user
passwords.

We are aware of reports at the following sites:

   http://www.heise.de/newsticker/meldung/64954
   http://evilscientists.de/blog/?page_id=339
   http://evilscientists.de/blog/?page_id=343

This issue is related to a Security Notice that the Cisco PSIRT
released in October of 2004.  Cisco's public announcement can be found
here:

http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml

The Cisco VPN 3000 Series has a configuration option that does not
allow the storage of the user password in the VPN client. For
customers that are concerned about the recovery of the user password,
the following option can be disabled to prevent local storage of the
user password.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1f0.html#wp2477015

- - ---------------------

Cisco Client Parameters

Allow Password Storage on Client - Check this box to allow IPSec
clients to store their login passwords on their local client
systems. If you do not allow password storage (the default), IPSec
users must enter their password each time they seek access to the
VPN. For maximum security, we recommend that you not allow password
storage.

- - ---------------------

Note that the default configuration of the VPN 3000 Series does not
allow client password storage. Additionally, this attack only affects
passwords that are static and reused for login to the VPN
network. Customers using one-time passwords (OTP) and certificates to
connect are unaffected.

We do greatly appreciate the opportunity to work with researchers on 
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Regards,

Clay 
Cisco PSIRT

On Sun, Oct 16, 2005 at 09:28:41PM +0200, Thierry Zoller wrote:
> 
> Dear List,
> 
> [1] heise published a news article today.
> [2] EvilScientists reverse engineered the algorithm Cisco uses to _obscufate_ 
> the
>     passwords.
> [3] PoC
> 
> Summary :
> Cisco uses 3des to encrypt the passwords, however it does so using
> a deterministic encryption sheme (no user input) and thus must be
> reproducible.
> 
> The algorithm [2] found was as follows :
> 
> * GetDate - convert to string
> * Generate an SHA Hash from that string h1 (20 Bytes)
> * h1 is modified into Hash h2
> * h1 is modified into Hash h3
> * h2 and the first 4 Bytes from h3 give the 3DES Key
> * The clear text password no encrypted in 3DES CBC Mode. The IV is the first 
> 8 Bytes of h1.
> * If the size of the clear text password is not a multiple of the
>   Block size, the differece to the next block is calculcated and padded
>   with a Digit. -> length of password is known
> * A last hash is calculated from the encrypted Password h4
> * The value of the Key ?enc_UserPassword? is: h1|h4|verschlüsseltes Passwort
> 
> Credits:
> [1] http://www.heise.de/newsticker/meldung/64954
> [2] http://evilscientists.de/blog/?page_id=339
> [3] http://www.evilscientists.de/blog/?dl=CiscoPasswordRevealer.rar
> I take no credit I am only translating and forwarding.
> 
> -- 
> Thierry Zoller
> http://thierry.sniff-em.com
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)

iD8DBQFDVU8DEHa/Ybuq8nARAgVzAJ4mPsT5ThKc4DKJGAa76OuLSPs7CgCdFS+W
BjtwpXaQnRZvaR/UiH+/1wg=
=ivMN
-----END PGP SIGNATURE-----