exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues

Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues
Posted Oct 12, 2015
Authored by Matthias Deeg | Site syss.de

Password Safe and Repository Enterprise version 7.4.4 Build 2247 suffers from insufficiently protecting credentials by using an unsalted MD5 hash for protection.

tags | exploit
SHA-256 | aa3f253285227ed11f229a3e22241cb871c5accd91980275c406e839bee0740f

Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-037
Product(s): Password Safe and Repository Enterprise
Manufacturer: MATESO GmbH
Affected Version(s): 7.4.4 Build 2247
Tested Version(s): 7.4.4 Build 2247
Vulnerability Type: Insufficiently Protected Credentials (CWE-522)
Use of a One-Way Hash without a Salt (CWE-759)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2015-07-09
Solution Date: 2015-10-05
Public Disclosure: 2015-10-12
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Password Safe and Repository Enterprise is a password management
software for companies with many features.

The manufacturer MATESO GmbH describes the product as follows (see [1]):

"Manage your passwords in the company according to your security needs!
Features such as password policies, multi-eyes principle, workflow and
task system makes management productive and safe.

The integrated rights management system with data transfer option and
automatic synchronization with Active Directory ensures that your
employees can only access data which they are entitled to."

Passwords of Password Safe and Repository Enterprise users are stored
as raw, unsalted MD5 hash values and thus are insufficiently protected
from attackers with access to the password management software database.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that user passwords are stored as raw, unsalted
MD5 hash values in the table tdUsers of the databases of the password
management software Password Safe and Repository Enterprise.

The use of a cryptographic one-way hash function MD5 without using a
salt for storing sensitive data like user passwords allows an attacker
with access to this data to perform efficient password guessing attacks
using pre-computed dictionaries, for instance rainbow tables.

The vulnerability concerning the insecure storage of user password
information as raw, unsalted MD5 hash values affects both the online and
the offline mode of the password management software.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

When using the change password functionality, the following SQL
statement is used for storing the raw, unsalted MD5 hash value of the
new login password in the database table tdUsers:

UPDATE tdUsers SET LoginPassword = 'ef2eb17e3a46818e63bf209aa58da9aa',
LastLogin = julianday('<DATE>'), LastPasswordChange = julianday('<DATE>'),
ChangeDate = julianday('<DATE>'), LastPasswords =
'9e96559b23ad93f0b8990539331441ca' WHERE ID = 2

In this example, the password "Passw0rd2015" was set, as the following
output shows:

$ echo -n "Passw0rd2015" | md5sum
ef2eb17e3a46818e63bf209aa58da9aa -

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the MATESO GmbH, the described security
issue has been fixed in the software version 7.5.0.2255 that was
released on October 5, 2015.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-09: Vulnerability reported to manufacturer
2015-07-09: Manufacturer acknowledges e-mail with SySS security advisory
2015-07-30: Scheduling of the publication date in agreement with the
manufacturer
2015-10-02: Rescheduling of the publication date in agreement with the
manufacturer
2015-10-12: Public release of security advisory on agreed publication
date

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for Password Safe and Repository Enterprise
http://www.passwordsafe.de/en/products/business/enterprise-edition.html
[2] SySS Security Advisory SYSS-2015-037
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-037.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of the SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWG199AAoJENmkv2o0rU2rkc8QAKuatN3RbHAJJeqY5VadS8yy
vU3Zk0J3m/cb8i17zXPF3w52GixMWibSUFkQ4+6m5JniWtOLbf6W9XVsZt6kFRTJ
XEGFyxoHtFqpTLqg0f81s4UTRK/9vFz3LOKpEV34zuQm+worurXnodH8N6gdIY2A
ndUTPGtbRTpwbpbJbAYU2BFbQWQy2hNFWKYldq6efB81nlkCniZlAlN1wDi/QBWm
QeTgiM5gZf/+UxKvUeqPu3sEvkHsXse1BlwxJo6aNLfPUZBSFP0JWtBx8wGRDFx8
RXjtGweJGC0vxzQSodpfZe26OH1wAJF6DXFgSyQ420+B2JlZlr6VhMJLTgNFpdUd
K+KBCYLif1fUmWn0qUT4bDd/7Dib+b1QfNDYejqlI2IsbEfBaww976p4HXNCMvN9
Gjf6vGAIACg4yrqvWJNzW6Q7nUph6xneIXzwoC7iZJC07ypO+9MMElPO5gG/SSn5
ei49qDazFyHvwEySEfFWXdeFzS+PSypmqnHjSz1sHjwcOUnsc+sb2CHdHH1eq8vG
zdav6XwPy91n1eyzizdkEIA1L5XhWlQc4eS741xXP/fAOKxqM20AVok0PZA1sJfj
XDmUAVyki96vvF/Mypfg0ijzXl+RFuxx0bBd2RbtWA3GpaAOmuWBtU50TvXf7N8j
meuv9Es9GmY2qM7YcUIK
=I6jb
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close