Meridian Prolog Manager Username and Plain Text Password Disclosure
+Note: This is being released without Meridian or CERT approval.
Meridian has been dragging their feet and has shown no good intent
since I first tried to contact them. My guess is that they will be
following all of my releases claiming I was uncooperative. The only
information Meridian ever sought was my identity. With my identity my
company assumed they would be revoking our license/contract as way to
quell the issue.
CERT - Assigned VU#120593
+Subject
Meridian Prolog Manager Username and Plain Text Password Disclosure
+Version
All Prolog Manager Versions (2007, 7.5 and pre 7.5 versions)
+Impact
Potentially High
+Description
When logging into a Prolog database all of the usernames and passwords
are sent to the workstation. Depending on the encryption level of the
database cracking the passwords is trivial to annoying.
If you attempt a login with ANY username/password combination the
entire dataset of usernames and passwords is passed to the workstation
to parse and authenticate. Any network sniffer can catch the dataset
to be cracked offline.
"No Encryption" databases passes every password in plain text as it is
returned from the sql query.
"Standard Encryption" databases use a rotational encryption to secure
the password as it is returned from the sql query.
"Enhanced Encryption" databases use the Standard Encryption and then
save it into a binary data field which is then returned from the sql
query.
No matter the encryption to the database the username is passed in
plain text inside the sql query sent to the server.
The Standard Encryption is easy to crack just by changing your
password to all of one letter and observing the data coming back in
HEX. Building the key takes less than 30 minutes.
Enhanced Encryption is only slightly better since it takes the
Standard Encryption rotational keyed password and then sends it to the
database to be stored in a binary field instead of a text/varchar
field. Even using this "encryption" once the password is over four
characters the first returned hash (16 HEX characters after a standard
lead in) is the same no matter what follows. Making a rainbow table
of the first four characters would be annoying but takes less than a
day done by hand. Once you had the first four characters making the
next four would take another day for any given first four, again by
hand. So cracking any one account's 1-8 character password would take
1-2 days (1-12 characters would take 1-3 days and so on). Given how
most people pick passwords, given the first four characters it would
be trivial to guess the rest. I would also guess that once you had a
full set of the first four characters figuring out the patterned for
the binary storage would be trivial. Building a script to build the
tables would not be difficult and would speed the process up to a
matter of hours to create a full 1-8 character rainbow table.
+Impact:
This would allow anyone to login as another user allowing them
increased privileges and/or removing or altering data which would be
logged as someone else.
+Workarounds:
No workarounds.
+Programming Fix:
The easy fix would be to only return the password for the username
entered. This would still allow anyone to put in any username and
return the password for that user in the "database" encryption type.
The best solution would be to create a one way hash and send it to the
server for authentication, instead of allowing the workstation to do
the authentication. This would eliminate known good passwords from
going across the network.
+Contact
May 29th 2007 - Email to Security and Support as well as
vendor/reseller, no response.
June 20th 2007 - Email to Security and Support as well as
vendor/reseller, no response.
August 20th 2007 - Email to Cert and SOC.
August 20th 2007 - Response from CERT - Assigned VU#120593
October 3rd 2007 - Meridian Requests contact info from CERT about who
found the issue. This was at the last moment of the 45 day limit
allowed by CERT.
October 3rd 2007 - Respond to CERT letting them know they can release
prolog.disclosure@xxxxxxxxx as my contact info; no other info can be
released for fear of contract being nullified.
November 14 2007 - Asked CERT if anything is going on. Response that
they would check with Meridian.
December 4 2007 - Asked CERT again if anything was going on. They
again contacted Meridian.
December 5th 2007 - Meridian asked for contact info and other
information. Responded with other information but not direct contact
information for fear of retaliation. Other information included
specifics about how the issue was found. Gave CERT option to release
this information with weekly release along side this release. Gave
Meridian till December 11th to respond.
December 11th 2007 – No response from Meridian or CERT. Public
notified through BugTraq, Full Disclosure, and Prolog Support Forums.