-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ## e2 Security GmbH Advisory 2018-01 ## ####################################### Unencrypted transmission and usage of hardcoded encryption key ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview ######## Advisory ID: E2SA-2018-01 Advisory Version: 1.0 Advisory Status: Public Advisory URL: https://advisories.e2security.de/2018/E2SA-2018-01.txt Affected Product: MensaMax Android app Affected Version: 4.3 Vendor: Breustedt GmbH, https://mensamax.de Credits: Stefan Pietsch, e2 Security GmbH Issue Details ############# 1) The MensaMax Android application uses plain HTTP to communicate with the web server. Authentication information is transmitted in plain text with a HTTP GET request. An attacker is able to eavesdrop the communication between the application and the server because the transport layer is not encrypted. Severity: High CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) CVE ID: CVE-2018-15752 CWE ID: CWE-319 2) The MensaMax Android application encrypts the login username and password with a static DES key. The key is hardcoded in the Android application file. An attacker is able to retrieve the encryption key from the apk file and decrypt the login credentials retrieved from the unencrypted HTTP transmission. Severity: High CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVE ID: CVE-2018-15753 CWE ID: CWE-321 PoC (Proof of Concept) ###################### Sample HTTP request with invalid credentials: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GET /MM_Android/Service1.svc/getURLVonProjekt/GtBWTDhwry4=,s7eTGwGP_h0=,N9NkXQvJkIQ=,iDZZxd4IXZ0=,A3smkmlKRzw=,mensahome HTTP/1.1 Host: mensahome.de Connection: close User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The GET parameters are Base64 encoded and encrypted with a static DES key. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # echo "N9NkXQvJkIQ=" | openssl enc -a -des-ecb -d -K 436f666665653130 user1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution and Workaround ####################### Do not use the MensaMax Android app until a fixed version is released. History ####### 2018-08-10: Issue found 2018-08-13: Initial Vendor contact, Issue details reported to Vendor 2018-08-15: Vendor acknowledged vulnerabilities 2018-08-23: CVE IDs added 2018-10-01: Advisory published -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEENetcDna8vCUjklqvmSVmYknuuOMFAluyLA0ACgkQmSVmYknu uOOHdQ//VFjBl+sOKkuCc/y4nH9MezI3wqMnsuk9rXgQpbdUjmZD+H9MO/Y3ylQN 0QkdQ1MSkFFHazHQD+VHJSYm/Ps7ma4+zcKAhId5zuiBFYIM2fyh6pZSGtLLB+F1 bYAWNTY45yPH/5EfeOUYd60pPPI57uic8fWLJPICnYvI5JW+1geE1I+ljNKrhSmf HCaU4JYXr19J8pZU2cVU2GWQ55CPOrIsgmGPoAbncnWguM/Seh2VL29kfy12sN3d fH70VvyZA6fBne/tKaueeYEBOYlZw0PAdBOBcktrOj19VK18xp2yE9W884F1n6fM N+EocPG2wj8irmagLvIKQZuSCbydxTC58W41WtKwSgA8LsvvOr2yZeqU+B59ouB4 Ibn6TfXSScfFj4ohPiqaPNpakGHeoREyH5sg7ipiBeELT+JyRQRNnZIQ33LFAGfN 8KkVrt6i0rkc0rXeIPLso6utng0Z52n7T3BJmny7XVqYb/YWocE0SWJ4V5TIqSw9 B0M3jD6NyMqYIJSfmDBOyangEUU6Ww0c1C272tJ/Mt5YOYK9OFo/zBERdIWXm9I+ f3yD3mauZK/oLQoVheWcqLy2ThsU5Vss6fbLobhY5EF08BaUlAIdp7ietVlbz3vQ G1yzvhgLfgWteP6nTwghyznkBqZbkC/gJ49G9/YZDpm25/inOtc= =7Jzx -----END PGP SIGNATURE-----
