<<< Date Index >>>     <<< Thread Index >>>

RE: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.



Hello,

This is an official response from the TrueCrypt development team.

First, this is not a security bug. It is a known, documented and 
expected feature. It is utilized, for example, for the volume header 
backup/restore operation.

Quotes from the TrueCrypt documentation:

"WARNING: Restoring a volume header also restores the volume password 
that was valid when the volume header backup was created."

Quote 2:
"Note that if an adversary knows your password and has access to your 
volume, he may be able to retrieve and keep its master key. If he does, 
he may be able to decrypt your volume even after you change its 
password (because the master key was not changed). In such a case, 
create a new TrueCrypt volume and move all files from the old volume to 
this new one."

Sincerely,
Ennead
TrueCrypt Foundation

>  
> Hello,
> 
> Are you aware of this issue?
> 
> Regards,
> 
> Christopher.
> 
> -----Original Message-----
> From: thesinoda@xxxxxxxxxxx [mailto:thesinoda@xxxxxxxxxxx] 
> Sent: Thursday, May 25, 2006 3:56 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: A Nasty Security Bug that affect PGP Virtual Disks & PGP 
SDA , PGP
> 8.x & 9.x and Truecrypt.
> 
> A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 
8.x & 9.x
> and Truecrypt. 
> 
> 
> Affected Products:
> 
> 
>     * PGP 8.x PGP 9.x maybe older version too
> 
> 
>     * Truecrypt 4.2 maybe older version too
> 
> 
> // Full detail can be found here //
> 
> <> http://www.safehack.com/Advisory/pgp/PGPcrack.html
> 
> <> http://www.safehack.com/Advisory/truecrypt/truecrypt.html
> 
> 
> If you would like to watch the flash video check the following links.
> 
> <> pgpdiskvideo.html Tested on version 8.1 and the latest 9.02
> 
>    http://www.safehack.com/Advisory/pgp/pgpdiskvideo.html
> 
> 
> <> truecrypt.html Tested on the latest version truecrypt-4.2.zip
> 
>    http://www.safehack.com/Advisory/truecrypt/truecrypt.html
> 
>    Note If you put stuff inside your test file you need to use a 
> 
>    debugger to extract the data. If you just follow the video you 
> 
>    will see how it is done without a debugger and an empty file.
> 
> 
> The How?
> 
> ========
> 
> I Was able to ACCESS PGP encrypted disks if the disk was encrypted 
with a
> passphrase or a public Key. This method will work on both scary huh :-
)
> 
> 
> You need the followings tools:
> 
> ------------------------------
> 
>    1. A Brain
> 
>    2. A Hex Editor.
> 
>    3. PGP 8.1 Entreprise or Personal. You can use 9.x too. My feeling 
is
> this method will work on older versions too, because it is a design 
flaw in
> PGP application not in PGP algorithm.
> 
>    4. A Debugger. Not needed if you wana backdoor pgp (olldbg)
> 
>    
> 
> During my tests I have found that PGP virtual DISK and PGP Self 
Extractable
> file SDA have a SERIOUS security bug. I would rather say a design bug.
> 
> 
> PGP disk or SDA can be cracked in 3 major steps:
> 
> ------------------------------------------------
> 
>    1. Editing PGP protected file using a hex editor. (Patching the
> passphrase).
> 
>    2. Tracing PGP protected file using a debugger. (You need a lot of 
time
> and coding/cracking experience)
> 
>    3. Patching the responsible bytes.
> 
> 
> I have spend only couples of days debugging but surely a lot more 
time is
> needed. But once the process is understood it is question of finding 
the
> right bytes and patching them.
> 
> 
>  
> 
> Conclusions for 6 days debugging and testing:
> 
> =============================================
> 
>     * PGP Virtual Disk and PGP and PGP SDA has a serious bug. I have 
tested
> PGP 8.1 Entreprise. Other version many be vulnerable too.
> 
> 
>     * PGP corporation made the same error in PGP 9.x you can bypass 
the
> passphrase Dialog box same way.
> 
> 
>     * PGP corporation could avoid this type of issue by calculation 
the HASH
> for the encrypted file. They should make it harder to locate the 
passphrase.
> 
> 
>     * PGP Virtual Disk First Level protection bypass. Passphrase 
bypass.
> (Working 100%)
> 
> 
>     * PGP Virtual Disk Backdooring (Working 100%).
> 
> 
>     * PGP Virtual Disk Mounting / Adding Users / Deleting Users /
> Re-Encrypting Disk (Working 100%).
> 
> 
>     * PGP Virtual Disk Mounting and Data Access (Working 40%. Need 
more time
> to debug).
> 
> 
>     * PGP SDA Passphrase bypass. (Working 100%)
> 
> 
>     * PGP SDA Extraction is possible IF the input file is the same 
(Working
> 100% Patching using a Debugger)
> 
> 
>     * PGP SDA Extraction is possible of any file (Working 80%. Need 
more
> time to debug)
> 
> 
>     * OTHER AFFECT PRODUCTS:
> 
>           o iOPUS Secure Email Attachments (SEA) V1.0
> 
>           o Truecrypt Free open-source disk encryption software 4.2
> 
> 
>     * WINZIP was not affected. 1- In winzip you do not know where is 
the
> password location 2- If you change one bit your file wont work
> 
> 
>     * I DO NOT HAVE more time to test, but I am sure many smart dudes 
out
> their would love to play some more.
> 
> 
>     * To do: Build an application to mount PGP Virtual disk using 
this bug.
> 
> 
>     * To do: Build an application to extract PGP SDA files using this 
bug.
> 
> 
> After spending 6 days on this I had decided to stop. But I will be 
doing
> more testing when I have some free time. You are free to do your own 
tests.
> If you wish to share your own test or finding with me please feel 
free to
> contact me at thesinoda@xxxxxxxxxxx
> 
> 
> 
>  
> 
> PGP SDA authentication method
> 
> =============================
> 
> Let's say you created a text file and wrote inside it "aa", then 
created an
> SDA.
> 
> IF you hex edit the output exe, you will notice at the very buttom of 
the
> file some bytes seperated by 803E.
> 
> Ex:
> 
> 
> E7 93 A0 90 E9 62 D1 21
> 
> 803E
> 
> A1 50 AF 5F 6F 9E FE D6
> 
> 
> Analysing the bytes carefully, you will notice that 803E is the value 
used
> for a loop. The loop starts at 0040590D. Further analysis showed that 
the
> bytes right before 803E, are used for extraction and authentication.
> Authentication is done in the following way:
> 
> 
> When some enters a passphrase a series of instructions is executed 
against
> the bytes right before 803E, to be exact in the function at address
> 00404E8F. This function generates a series of bytes which are 
compared later
> on to the bytes AFTER 803E. If they match you are granted auth.
> 
> 
> The auth. byte comarison is done in the following instruction:
> 
> 00409797 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
> 
> Anyone can easily bypass this by modifying the values provided by the 
memory
> addresses, to make them match.
> 
> 
> 
> Steps to access PGP Encrypted Disk (Passphrase) using a Backdoor type 
attack
> 
> 
========================================================================
====
> 
>     * Create a PGP disk 100K (to make stuff simpler)
> 
>     * Use a as username and 1 as passphrase for simplicity
> 
>     * Call your file pgpdisk.pgd
> 
>     * Now your disk will be created and mounted. Put a inside it
> (secret.txt) then Unmount the disk (pgpdisk.pgd)
> 
>     * Make a Back-up copy call it pgpdisk_backup.pgd (You need this 
when you
> want to access back the disk)
> 
>     * Now say you give that disk to someone and they changed the 
passphrase
> on it. You can still access it if you follow these steps
> 
>     * To put a new passphrase on your disk Right click pgpdisk.pgd 
you see
> PGP select Edit PGPdisk
> 
>     * You see a username, right click it and select change 
passphrase. Use
> WHATEVER PASSPHRASE YOU WANT
> 
>     * After changing the passphrase the OLD passphrase SHOULD NOT 
work.
> 
>     * Open pgpdisk.pgd and pgpdisk_backup.pgd in HEX editor e.g 
Ultraedit
> ONLY CHANGE WHERE YOU SEE A RED RECTANGULAR.
> 
>     * We start editing from the BOTTOM of the file at 80 3E.
> 
>     * Do some copy and past from the back-up file into pgpdisk.pgd
> 
>     * Follow the screen shots and replace indicated bits.
> 
>     * After your done save the file pgpdisk.pgd and double click on 
it. It
> will ask for the passphrase. Type 1 yes your old pass
> 
>     * The disk will mount and you see the files in it.
> 
> 
>  
> 
> // Full detail can be found here //
> 
> <> http://www.safehack.com/Advisory/pgp/PGPcrack.html
> 
> <> http://www.safehack.com/advisory/truecrypt/truecrypt.html
> 
> 
> 
> 
> LESSON LEARNED, this advisory should be a wakeup call for other 
products.
> Again as you see both commercial an OpenProject applications are 
affected by
> this. This should be more then enough to kill the Open<>close project 
myth
> and concentrate on secure coding and GOOD AUDIT.
> 
> 
> 
> Author: Adonis a.K.a NtWaK0, Abed
> 
> Date: 2006-05-08
> 
> C 2006 All rights reserved
> 
>