The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity
High
AC
The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Title : Schneier's PasswordSafe password validation flaw
Date : November 16, 2005
Product : PasswordSafe 1.x, 2.x
Discovered by : ElcomSoft Co.Ltd.
Overview
======================================================================
PasswordSafe is a program originally written by security expert
Bruce Schneier (http://www.schneier.com) that allows one to store
users' passwords in single file (called "safe") which is
encrypted and protected by user's master password (called "Safe
Combination") with the Blowfish encryption algorithm. As noted on
PasswordSafe web page, "the program's security has been thoroughly
verified by Counterpane Labs under the supervision of Bruce Schneier,
author of Applied Cryptography and creator of the Blowfish algorithm."
As noted in "Password Safe FAQ", "there is no back door in
PasswordSafe to recover your Safe Combination, but there is a
password-guessing program that some people have used successfully.
The program works by going through a list of possible passwords
and checking each one".
However, there is a design flaw in PasswordSafe, that allows to
perform Safe Combination validation a several times faster than it has
been conceived by the author, which makes brute-force and dictionary
attacks much more effective.
Details
======================================================================
As described in PasswordSafe documentation, the PasswordSafe database
has the following format:
RND|H(RND)|SALT|IP|Name1|Password1|Notes1|...|NameN|PasswordN|NotesN
where
RND : 8-byte (64-bit) random value
H(RND) : hash value which depends on password, used along
with RND to check password (Safe Combination) validity
IP : 8-byte (64-bit) initial vector involved in
encryption/decryption process
SALT : 20-byte random value used involved in key derivation
PasswordSafe verifies password validity in following way:
bf_key = sha1 (RND | { 0x00, 0x00 } | PASSWORD);
bf_block = RND;
for (i=0; i<1000; i++)
bf_block = blowfish_encrypt (bf_block, bf_key);
finalhash = sha1_mod (bf_block | {0x00, 0x00});
Then, the 'finalhash' is compared to 'H(RND)' and, if the're
equal then the password is correct.
In pseudocode above sha1_mod() denotes usual SHA-1 computation
with zeroed initial state (this seems to be an implementation
error).
The above key derivation function (KDF) uses so-called
key-stretching method to withstand password-guessing attacks.
This method was introduced in 1997 by Schneier, Kelsey, Hall
and Wagner in "Secure Applications of Low-Entropy Keys" paper.
However, PasswordSafe contains design flaw which allows
attacker to verify password validity without computing
(relatively slow) KDF.
All records in PasswordSafe database are encrypted with
Blowfish algorithm in CBC (Cipher Block Chaining) mode.
According to the documentation, the first block contains the
length (in bytes) of encrypted data stored as 32-bit (4-byte)
unsigned integer, fifth byte holds type value for current
record (in PasswordSsafe 1.x, it is always zero), and three
remaining bytes are zeros.
Encryption key is derived from user's password simply by
computing sha1(PASSWORD | SALT). Note that this is much
simpler and faster than KDF described above.
To check password for validity, the attacker can simply
calculate the encryption key, decrypt first encrypted block
and check if three most significant bytes are all zero.
The probability for this to occur on random password is
about 2^(-24). If this is true, then the attacker can check
candidate password with full KDF. Since full KDF will be
called rarely (approximately 1 time per 16 million passwords),
this protection against password-guessing attacks becomes
absolutely useless.
With PasswordSafe 2.x, slightly more effective attack is
possible. The first record of PasswordSafe 2.x database
always has fixed length and type (i.e. full plaintext block
is known), and this allows to check passwords with
probability 2^(-64).
Impact
======================================================================
PasswordSafe is used to store sensitive data, and so the presence
of such flaws may help attacker to disclose user's logins,
passwords and PINs by implementing fast and effective brute-force
and dictionaery attacks.
Solution/workaround
======================================================================
No known solution is available at the time of publishing this
advisory.
Users should use strong passwords or passphrases. We recommend to use
random alphanumeric passwords that are not shorter than 8 characters.
References
======================================================================
Bruce Schneier - Password Safe
http://www.schneier.com/passsafe.html
Password Safe FAQ
http://www.schneier.com/passsafe-faq.html
SourceForge.net: Project Info - Password Safe
http://sourceforge.net/projects/passwordsafe/
Secure Applications of Low-Entropy Keys
http://www.schneier.com/paper-low-entropy.html
FIPS 180-1 - Secure Hash Standard
http://www.itl.nist.gov/fipspubs/fip180-1.htm
The Blowfish Encryption Algorithm
http://www.schneier.com/blowfish.html
Bypassing the Password Prompt (Washington Post)
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/15/AR200510
1500178.html
About ElcomSoft Co.Ltd.
======================================================================
Since 1990, ElcomSoft Co.Ltd. (http://www.elcomsoft.com) has been
developing and marketing password recovery, forensics, and security
software for Windows. The company offers a comprehensive line of
password recovery software for more than 80 popular file and document
types, email clients, compression programs, instant messengers, and
other applications. ElcomSoft tools are used by most of the
Fortune 500 corporations, many branches of the military all over the
world, foreign governments, and all major accounting companies.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum