Portcullis has received a response from the vendor to the advisory we released on January 24 2005. For completeness the vendor response has been included in its entirety, demarcated by <VENDOR RESPONSE> TEXT <VENDOR RESPONSE> markers.

Portcullis Security Advisory

Spectrum Cash Receipting System Weak Password Protection Vulnerability

Vulnerability discovery and development: Fredrik Hult, Paul J Docherty

Affected systems: All known versions of Spectrum Cash Receipting System; the vulnerability was discovered in version 6.406.08.

<VENDOR RESPONSE> A software solution has been provided within version 6.504 which incorporates an MD5 compliant encryption routine to restrict deciphering of the passwords. This results in a 16 character randomly generated password that is not available for deciphering at all. <VENDOR RESPONSE>

Details:

The Spectrum Cash Receipting System is a client/server software solution that allows offline work, and thus offline authentication. The application has several layers of authority with regard to authorising payments. The Spectrum Cash Receipting system allows the 'receipting' of payments, not functionality to 'authorise payments'.

<VENDOR RESPONSE> As with most software of this type the application is installed on PCs which are protected from unauthorised access by the use of user IDs and passwords maintained within the operating system. Consequently, the application is not accessible to unauthorised or casual users. In the new release of the software, each layer of authority is subject to the method for encrypting passwords which makes them immune to intruders. <VENDOR RESPONSE>

Offline authentication requires the application's PASSFILE password file to reside alongside the local installation. Because every user's credential is stored there, an attacker who can read the file can attempt to escalate privilege through the other users present in the PASSFILE, or simply gain unauthorised access with any account it contains.
<VENDOR RESPONSE> All passwords in the PASSFILE are subject to the new method for encrypting passwords which makes them immune to intruders. <VENDOR RESPONSE>

The usual industry-practice mitigation for this threat is to protect the passwords stored in the PASSFILE with a strong cryptographic algorithm, in practice a salted one-way hash, so that the stored value cannot be turned back into the password. Portcullis found Spectrum's mechanism for protecting the passwords to be a static substitution obfuscation algorithm, with properties that reduce the available key-space, expose plaintext in the ciphertext, enforce a maximum password length and reveal the length of the password in the PASSFILE.

<VENDOR RESPONSE> All passwords in the PASSFILE are subject to the MD5 compliant method for encrypting passwords which makes them immune to intruders. <VENDOR RESPONSE>

When a password is created in the application, the algorithm converts all letters entered to lowercase and limits the length to a maximum of 6 characters. In the substitution stage it statically substitutes each alphanumeric character with a character from the range a-z or the special characters "@+&()?\/<>". Any character in the password that is not alphanumeric is not substituted and becomes part of the ciphertext unchanged. If the password is shorter than 6 characters the algorithm pads the ciphertext with white-space accordingly, so the stored value discloses the password's length. Because the table is fixed and involves no key, anyone who knows the table, or who can obtain a few known password/ciphertext pairs from which to reconstruct it, inverts the stored values directly.

<VENDOR RESPONSE> All passwords in the PASSFILE are subject to the MD5 compliant method for encrypting passwords, which replaces the above method of encryption, which makes them immune to intruders. <VENDOR RESPONSE>

Impact:

An attacker with local access to the PASSFILE can retrieve the plaintext passwords with ease.

<VENDOR RESPONSE> The above stated vulnerability no longer exists as a result of implementing the MD5 compliant method for encryption. <VENDOR RESPONSE>

Exploit:

Portcullis has a working module in-house but will not release this publicly. Portcullis is in contact with Spectrum regarding the vulnerability.
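The following is an added example, not code from the advisory or from Spectrum, that models the class of weakness described above so the properties can be checked concretely: case folding, truncation to 6 characters, a fixed substitution table, pass-through of non-alphanumerics and space padding. The substitution table is constructed for the example (the product's real table is not on this page); the point is that any fixed table behaves the same way. The hardened half uses a salted, iterated PBKDF2-HMAC-SHA256 hash, which is the example's own choice for illustration and is not the vendor's MD5-based routine, whose details the page does not give.

```python
from __future__ import annotations

import hashlib
import hmac
import itertools
import os
import string

MAX_LEN = 6
SPECIALS = "@+&()?\\/<>"                                  # the ten special characters the advisory names
PLAIN_ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols remain once case is folded
CIPHER_ALPHABET = string.ascii_lowercase + SPECIALS       # a-z plus the ten specials: also 36 symbols

# Constructed fixed bijection (7 is coprime with 36, so every output is distinct).
# Spectrum's real table is not public; any fixed table fails the same way because
# there is no key and the mapping never changes.
SUBST = {p: CIPHER_ALPHABET[(7 * i + 3) % 36] for i, p in enumerate(PLAIN_ALPHABET)}
INVERSE = {c: p for p, c in SUBST.items()}


def obfuscate(password: str) -> str:
    """Model of the storage transform described in the advisory: fold case,
    truncate to six characters, substitute alphanumerics through the fixed
    table, pass anything else through untouched, pad with spaces."""
    pw = password.lower()[:MAX_LEN]
    body = "".join(SUBST.get(ch, ch) for ch in pw)
    return body.ljust(MAX_LEN)


def stored_length(stored: str) -> int:
    """The space padding hands the attacker the password length for free."""
    return len(stored.rstrip(" "))


def recover(stored: str) -> list[str]:
    """Invert the fixed table. A special character in the stored value is
    ambiguous: it is either a substituted alphanumeric or a literal special
    that passed through, so each one doubles the candidate set (at most 2**k
    candidates for k specials). Every candidate re-obfuscates to `stored`."""
    choices = []
    for ch in stored.rstrip(" "):
        if ch in SPECIALS:
            choices.append((INVERSE[ch], ch))
        elif ch in INVERSE:
            choices.append((INVERSE[ch],))
        else:
            choices.append((ch,))          # any other pass-through character, e.g. '!'
    return ["".join(c) for c in itertools.product(*choices)]


def learn_table(pairs: list[tuple[str, str]]) -> dict[str, str]:
    """A static table leaks from known (password, stored) pairs: each position
    holding an alphanumeric reveals one entry, so six six-character passwords
    covering a-z0-9 give the whole table. No cryptanalysis is involved."""
    learned: dict[str, str] = {}
    for password, stored in pairs:
        for p, c in zip(password.lower()[:MAX_LEN], stored):
            if p in PLAIN_ALPHABET:
                learned[p] = c
    return learned


# Hardened alternative (example's choice, not the vendor's routine): a per-user
# random salt and an iterated one-way hash. The stored value cannot be turned
# back into the password; it can only be verified against a candidate.
def hash_password(password: str, salt: bytes | None = None, iterations: int = 200_000) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("Secret1", "ab", "p@ss"):          # constructed sample passwords
        s = obfuscate(pw)
        print(f"{pw!r:>10} -> stored {s!r}, length leaked = {stored_length(s)}, candidates = {recover(s)}")
    h = hash_password("Secret1")
    print(h, verify_password("Secret1", h), verify_password("secret", h))
```

Running it shows the three weaknesses side by side: "Secret1" is stored as a six-character value that inverts to "secret" (the seventh character and the capital are lost before storage, so they never strengthen the password), "ab" is stored with four trailing spaces that announce its length, and "p@ss" shows the plaintext "@" surviving into the stored value. The hash-based variant produces a different stored value for the same password on every call and offers no inverse at all.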
Copyright (c) Portcullis Computer Security Limited 2004, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.