Re: [Full-disclosure] Resolved - NNT Change Tracker - Hard-Coded Encryption Key - Originally posted as http://seclists.org/fulldisclosure/2011/May/460

2011-06-29 Thread Dennis Brunnen
As is probably obvious to other readers, I did indeed notify NNT by
email of the vulnerability before making it public - as mentioned in
my initial disclosure. I'm not sure what possible reason anyone would
have to say that if it were not true.

Glad to see you apparently did the right thing and eventually fixed it though.

On Wed, Jun 29, 2011 at 3:34 PM, NNT Support supp...@nntws.com wrote:
 Background
 ----------

 The product employs a portion of legacy code as referenced in the original
 post. This is used for the product key and some database entries but whilst
 the strength of the encryption being used here may be a problem for the NNT
 licensing team, there is no genuine security risk for device data. This
 portion of code has subsequently been replaced in Versions 5 and patches are
 available from www.nntws.com

 Change Tracker works on the principle of layered, multi-dimensional security
 in line with the PCI DSS that it is commonly used to underpin. The secure
 commissioning process should include standard lockdown and
 access-restriction procedures for the Change Tracker server and database
 server used for device and configuration data storage. Access security
 should also be complemented with monitoring using a SIEM solution such as
 NNT Log Tracker, so any access to the Change Tracker server, the Change
 Tracker console program or the database will be logged and alerted as
 unusual activity.

 NNT take security of our customer systems extremely seriously. Anyone with
 any concerns regarding best practice in Production System security should
 contact us for further assistance.

 Regarding any vulnerabilities discovered by independent security researchers
 in the future, we would prefer these are reported to us at supp...@nntws.com
 before being published. This was not the case in this instance, delaying our
 opportunity to respond. Thank you.

 Company Homepage
 ----------------

 http://www.newnettechnologies.com



 Regards

 NNT Support


 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




[Full-disclosure] NNT Change Tracker - Hard-Coded Encryption Key

2011-05-24 Thread Dennis Brunnen
Background
----------

NNT Change Tracker Enterprise is a commercial product created by
UK-based New Net Technologies, and is designed to detect changes to
PC, server and network device configurations. The central component
'Core Server' is sent change data from 'Remote Angels' that monitor
remote systems.

It is marketed as a security product.

Company homepage:
http://www.newnettechnologies.com


Versions affected
-----------------
This vulnerability has been noted on version 4.7. It is suspected
that most previous versions are also affected.


Vulnerability
-------------
Encryption is used at various points by the components that make up
the NNT Change Tracker Enterprise suite, but the same hard-coded
encryption key is always used. The key is a byte array with values at
the following indices:

[0] = 21;
[1] = 23;
[2] = 2;
[3] = 3;
[4] = 8;
[5] = 54;
[6] = 5;
[7] = 55;
[8] = 4;
[9] = 222;
[10] = 54;
[11] = 254;
[12] = 7;
[13] = 2;
[14] = 32;
[15] = 22;

An attacker could use this vulnerability to prevent NNT Change Tracker
Enterprise from detecting certain changes, or to fabricate changes
that never took place.

Additionally, NNT Change Tracker Enterprise utilises an apparently
'home-brew', weak encryption algorithm as follows (implementation in
C#, where 'this.key' references the hard-coded key shown above):

public string Encrypt(string plaintext)
{
    string ciphertext = String.Empty;
    byte[] plainBytes = Encoding.ASCII.GetBytes(plaintext);
    int num = 0;

    for (int i = 0; i < plainBytes.Length; i++)
    {
        // Add the next key byte (byte arithmetic wraps modulo 256);
        // the 16-byte key repeats for longer inputs.
        plainBytes[i] += this.key[num++];

        if (num >= 16)
            num = 0;

        // Emit each byte as two letters 'A'..'P', high nibble first.
        byte b = (byte)(15 & ((int)plainBytes[i] >> 4));
        ciphertext += (char)(65 + b);
        b = (byte)(plainBytes[i] & 15);
        ciphertext += (char)(65 + b);
    }

    return ciphertext;
}

public string Decrypt(string ciphertext)
{
    if (ciphertext.Length < 4)
    {
        return String.Empty;
    }

    byte[] cipherbytes = Encoding.ASCII.GetBytes(ciphertext);
    byte[] plainbytes = new byte[cipherbytes.Length / 2];
    int num = 0;

    for (int i = 0; i < cipherbytes.Length; i += 2)
    {
        // Reassemble the byte from its two 'A'..'P' letters, high nibble first.
        byte b = (byte)(cipherbytes[i] - 65);
        b = (byte)((int)b << 4);
        byte b2 = (byte)(cipherbytes[i + 1] - 65);
        b += b2;

        // Subtract the next key byte (wraps modulo 256).
        b -= this.key[num++];

        if (num >= 16)
            num = 0;

        plainbytes[i / 2] = b;
    }

    return new string(Encoding.ASCII.GetChars(plainbytes));
}

The key is hard-coded into the .NET assembly NNT_CoreFuncs.dll.


Response from Vendor
--------------------
None


Timeline
--------
2011-05-12: Reported to vendor
2011-05-20: Disclosed

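The following Python port of the routine quoted in the advisory is an added illustration, not code from the advisory or from NNT. The 16 key bytes are the values listed in the post; the function names, the input validation and the sample strings are constructed for this example. It shows the three properties a reviewer would flag in such a scheme: the output is exactly twice the plaintext length over the letters A..P, so lengths leak; the same plaintext always yields the same ciphertext, since there is no IV; and because each output byte is just plaintext plus a repeating key byte modulo 256, a single known plaintext of 16 or more bytes reveals the whole key, so replacing the hard-coded constant alone would not have made the design sound.

```python
"""Python port of the NNT Change Tracker 'encryption' routine quoted in the
advisory, used to show why it is an obfuscation rather than a cipher.

The 16 key bytes are the values listed in the advisory; everything else
(function names, validation, sample strings) is constructed for this example.
"""

# Hard-coded key as listed in the advisory (indices 0..15).
KEY = bytes([21, 23, 2, 3, 8, 54, 5, 55, 4, 222, 54, 254, 7, 2, 32, 22])

# Each output letter encodes one nibble (0..15) as 'A'..'P'.
ALPHABET = "ABCDEFGHIJKLMNOP"


def nnt_encrypt(plaintext: str, key: bytes = KEY) -> str:
    """Repeating-key byte addition, then nibble-to-letter encoding (A..P)."""
    out = []
    for i, p in enumerate(plaintext.encode("ascii")):
        c = (p + key[i % len(key)]) & 0xFF   # wraps mod 256, like the C# byte +=
        out.append(ALPHABET[c >> 4])         # high nibble first
        out.append(ALPHABET[c & 0x0F])       # then low nibble
    return "".join(out)


def is_well_formed(ciphertext: str) -> bool:
    """A ciphertext must be an even-length string over A..P. The quoted C# does
    not check this and would index past the array on an odd-length input."""
    return len(ciphertext) % 2 == 0 and all(ch in ALPHABET for ch in ciphertext)


def nnt_decrypt(ciphertext: str, key: bytes = KEY) -> str:
    """Inverse of nnt_encrypt. Keeps the vendor's '< 4' early return, which
    means a one-character plaintext (two letters) can never be decrypted."""
    if len(ciphertext) < 4:
        return ""
    if not is_well_formed(ciphertext):
        raise ValueError("ciphertext must be even-length and use only A..P")
    out = bytearray()
    for j in range(0, len(ciphertext), 2):
        c = (ALPHABET.index(ciphertext[j]) << 4) | ALPHABET.index(ciphertext[j + 1])
        out.append((c - key[(j // 2) % len(key)]) & 0xFF)
    return out.decode("ascii", errors="replace")


def recover_key(plaintext: str, ciphertext: str, key_len: int = 16) -> bytes:
    """Recover the key from one known plaintext/ciphertext pair.

    The scheme is c_i = (p_i + k_{i mod 16}) mod 256, so each key byte is
    simply c_i - p_i. Any record of at least 16 bytes whose content is known
    (a fixed product-key prefix, a default setting) therefore yields the whole
    key, which is why rotating the constant would not repair the design.
    """
    if not is_well_formed(ciphertext) or len(ciphertext) < 2 * key_len:
        raise ValueError("need a well-formed ciphertext of at least %d bytes" % key_len)
    pbytes = plaintext.encode("ascii")
    key = bytearray()
    for i in range(key_len):
        c = (ALPHABET.index(ciphertext[2 * i]) << 4) | ALPHABET.index(ciphertext[2 * i + 1])
        key.append((c - pbytes[i]) & 0xFF)
    return bytes(key)


if __name__ == "__main__":
    sample = "The quick brown fox jumps"          # constructed sample record
    ct = nnt_encrypt(sample)
    print(ct)                                     # 50 letters from A..P for 25 bytes in
    print(nnt_decrypt(ct))
    print(recover_key(sample, ct) == KEY)         # one known record gives the key
```

Note that nothing here is a cipher in the modern sense: there is no secret beyond the constant, no nonce, and no integrity tag, so a stored value can be replaced with another valid-looking one without detection. The defensive conclusion matches the vendor's eventual fix, which was to replace the routine rather than the key.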