Home page logo
/

bugtraq logo Bugtraq mailing list archives

[R7-0035] VxWorks Authentication Library Weak Password Hashing
From: HD Moore <HD_Moore () rapid7 com>
Date: Mon, 2 Aug 2010 23:55:05 -0400

R7-0035: VxWorks Authentication Library Weak Password Hashing
August 2, 2010

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass the authentication
process for the Telnet and FTP services of the VxWorks operating system.
This flaw occurs due to an insecure password hashing implementation in
the authentication library (loginLib) of the VxWorks operating system.
Regardless of what password is set for a particular account, there are a
only small number (~210k) of possible hash outputs. Typical passwords
consisting of alphanumeric characters and symbols fall within an even
smaller range of hash outputs (~8k), making this trivial to brute force
over the network. To excaberate matters, loginLib has no support for
account lockouts and the FTP daemon does not disconnect clients that
consistently fail to authenticate. This reduces the brute force time for
the FTP service to approximately 30 minutes.

To demonstrate the hash weakness, the password of "insecure" hashes to
the value "Ry99dzRcy9". The password of "s{{{{{^O" also hashes to the
same output. The hashing algorithm itself is based on an additive sum
with a small XOR operation. The resulting sums are then transformed to a
printable string, but the range of possible intermediate values is
limited and mostly sequential. The entire collision table has been
precomputed and will be released in early September as an input file for
common brute force tools. More information about the hashing algorithm
itself is available at the Metasploit blog post below:

 http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

There are three requirements for this vulnerability to be exploited:

 * The device must be running at least one service that uses loginLib
for authentication. Telnet and FTP do so by default.

 * A valid username must be known to the attacker. This is usually easy
to determine through product manuals or a cursory review of the firmware
binaries.

 * The target service must be using with default loginLib library and
must not have changed the authentication function to point to a custom
backend.

A typical VxWorks device will meet all three requirements by default,
but customization by the device manufacturer may preclude this from
being exploited. In general, if the device displays a VxWorks banner for
Telnet or FTP, it is more than likely vulnerable.

-- Vendor Response:
Wind River Systems has notified their customers of the issue and
suggested that each downstream vendor replace the existing hash
implementation with SHA512 or SHA256. The exact extent of the
vulnerability and the complete list of affected devices is not known at
this time. Example code from Wind River Systems has been supplied to
CERT and is included in the advisory below:

 http://www.kb.cert.org/vuls/id/840249

-- Disclosure Timeline:
2009-06-02 - Vulnerability reported to CERT for vendor notification
2009-08-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by HD Moore

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

 http://www.rapid7.com/disclosure.jsp




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]