MULTIPLE ISSUES IN NETTELEPHONE DIALER

Nettelephone (Nettelephone.com) is a PC-to-Phone service provider. Its dialer client can be downloaded from http://www.nettelephone.com/netelephone_setup325.exe. Although it is a good service, with very cheap rates for international calls, it suffers from a few security problems/design errors which should be resolved to make it an even better service.

1. Weak Encryption for Account Information

The dialer (executable tested: Netfone.exe, version 3.5.6) stores the account number and PIN, besides other account info, in the registry under the key

    HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\settings

in the values "account" (a string value of length 12) and "pin" (a string value of length 6). The account number is stored in plaintext, whereas the PIN is stored in encrypted form. However, the encryption is very weak and can be easily broken. It is a simple substitution cipher: each digit 0-9 is replaced by a fixed two-character code, and the code used depends on the digit's decimal place. Enumerating all the cipher codes enables a malicious attacker to steal a valid user's account information and use it to abuse the account.

Demonstration: The table below gives the cipher codes used. The columns are the decimal places (1-6) and the rows are the digits (0-9):

           1    2    3    4    5    6
    (0)   75   76   79   7E   65   6E
    (1)   74   77   78   7F   64   6F
    (2)   77   74   7B   7C   67   6C
    (3)   76   75   7A   7D   66   6D
    (4)   71   72   7D   7A   61   6A
    (5)   70   73   7C   7B   60   6B
    (6)   73   70   7F   78   63   68
    (7)   72   71   7E   79   62   69
    (8)   7D   7E   71   76   6D   66
    (9)   7C   7F   70   77   6C   67

Suppose the encrypted value stored in the registry "pin" value is "70727A7C656B". We first separate the characters into six groups of two: "70" "72" "7A" "7C" "65" "6B". Referring to the table then gives us the original, unencrypted value of the PIN. For instance, the code in the first place is "70". To find its original value, we look for "70" in the first column and see that it is in the row for digit (5). Therefore the decrypted digit in the first place is "5". Continuing this for the remaining places, we get the decrypted PIN "543205".

Solution: Obfuscating the PIN, as is being done here, is probably the only practical solution for small software like this one, but steps should be taken to make it harder to crack. An obfuscation algorithm which gets cracked in 5-10 minutes is just not enough, is it?

2. Demo Call Duration

The dialer (executable tested: Netelph.exe, version 3.2.5) offers demo calls to three 1-800 numbers. The duration of these calls is 45 seconds, after which the call is disconnected automatically. The demo call settings are stored in the registry key

    HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\One\democall

The duration of the demo call is decided by the DWORD value "demoduration" stored under this key. It is possible to extend the duration of the call by increasing this value arbitrarily. The demo calls are mostly disconnected while the user is still in the voice menu stage, before anyone answers the call. When the duration of the demo is increased, the stage where somebody picks up the phone on the other end is reached, and this may potentially cause an annoyance. Although it is not a security vulnerability, I just thought I should mention it. It is just a design error which can cause potential annoyance to the call center personnel, but, obviously, this behaviour of the dialer is not intended.

Regards,
S.G.Masood
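The decoding procedure from issue 1 above, written out as an added Python example (not the vendor's code and not part of the original post): it inverts the advisory's cipher table per decimal place, decodes the advisory's sample value, and derives from the table itself why the obfuscation is so easy to reverse. The XOR observation in `xor_key` is derived from the table, not something the post states.

```python
# Added example (not the vendor's or the advisory author's code): a
# table-driven decoder for the NetTelephone "pin" registry string,
# built from the cipher table given in issue 1 of the advisory above.
# Row = digit 0-9; column = decimal place 1-6; entries are the codes.
CIPHER_TABLE = [
    # place: 1     2     3     4     5     6
    ("75", "76", "79", "7E", "65", "6E"),  # digit 0
    ("74", "77", "78", "7F", "64", "6F"),  # digit 1
    ("77", "74", "7B", "7C", "67", "6C"),  # digit 2
    ("76", "75", "7A", "7D", "66", "6D"),  # digit 3
    ("71", "72", "7D", "7A", "61", "6A"),  # digit 4
    ("70", "73", "7C", "7B", "60", "6B"),  # digit 5
    ("73", "70", "7F", "78", "63", "68"),  # digit 6
    ("72", "71", "7E", "79", "62", "69"),  # digit 7
    ("7D", "7E", "71", "76", "6D", "66"),  # digit 8
    ("7C", "7F", "70", "77", "6C", "67"),  # digit 9
]

# Invert the table once: for each decimal place, code -> digit character.
DECODE = [{row[place]: str(d) for d, row in enumerate(CIPHER_TABLE)}
          for place in range(6)]


def decode_pin(encrypted: str) -> str:
    """Recover the 6-digit PIN from the 12-character registry string."""
    enc = encrypted.strip().upper()
    if len(enc) != 12:
        raise ValueError("expected 12 characters (6 groups of 2)")
    digits = []
    for place in range(6):
        code = enc[2 * place:2 * place + 2]
        if code not in DECODE[place]:
            raise ValueError(f"code {code!r} is not valid at place {place + 1}")
        digits.append(DECODE[place][code])
    return "".join(digits)


def xor_key() -> bytes:
    """Why the scheme is weak: every column of the table is the ASCII digit
    XOR one fixed byte. Derive that byte per place from the table (an
    observation about the table, not a claim the advisory makes)."""
    key = []
    for place in range(6):
        ks = {int(row[place], 16) ^ (0x30 + d) for d, row in enumerate(CIPHER_TABLE)}
        if len(ks) != 1:
            raise ValueError(f"place {place + 1} is not a single-byte XOR")
        key.append(ks.pop())
    return bytes(key)
```

`decode_pin("70727A7C656B")` returns the advisory's "543205", and `xor_key()` shows the whole table collapses to one static 6-byte key, which is why the obfuscation falls in minutes.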