mailing list archives
Multiple Security Issues in Wippien
From: Michael Rossberg <michael.rossberg () tu-ilmenau de>
Date: Thu, 4 Feb 2010 16:58:17 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Advisory: Multiple Security Issues in Wippien
Release Date: February 4th, 2010
Last Updated: February 4th, 2010
Author: Michael Rossberg [michael dot rossberg at tu-ilmenau
Application: Wippien (for Windows and Linux)
Severity: Flawed key negotiation protocol allows for easy man-in-
Predictable key materials
Vendor Status: Contacted
Wippien is a software that can automatically establish a VPN between
contacts. In order to derive a session key for the encryption routines
uses a cryptographic key exchange, which is in the open source part of
software. As we analyzed some of its components, it emerged that the RSA
fingerprints are not validated and the freshness of the exchange is
Each of both issues allows simple man-in-the-middle attacks.
The Windows version of Wippien and MiniVPN use an insecure random number
generator to derive key material.
The Linux version of Wippien does not initialize keying material. This
in uninitialized memory being used to derive the symmetric encryption
AFFECTED SOFTWARE VERSIONS
All recent versions of Wippen for Windows and Linux, including 2.3.2,
Being a VPN component, confidentiality is the essential property to be
and given the simplicity of potential attacks, the potential risk is
1.) Wippien creates a new private/public key pair with every startup.
the fact that the fingerprint of the peers public key is not
shown to the
user, makes it impossible for users to even become aware of man-
2.) During the key exchange, Wippien peers exchange nonces that are
by RSA PKCS#1. These nonces are later on used to derive a session
key by an
// and XOR with ours
for (int i = 0; i < 16; i++)
user->m_SharedKey[i] = user->m_MyKey[i] ^ dst[i + 24];
Thus, if the key exchange is simply replayed to the connecting
will simply XOR its own key part with itself, resulting in a zero
key and an
attacker without valid key is able to obtain a correct key.
3.) The Windows version of Wippien and MiniVPN will initialize the key
for (int i = 0; i < 16; i++) m_MyKey[i] = rand();
This is neither a secure source for keying material, nor is
to supply a seed. This makes key generation highly predictable.
4.) The Linux version works similar:
u->SharedKey[i] = u->MyKey[i] ^ dst[i+24];
Only that MyKey is never initialized, and thus random value will
be used and
the derived key is highly insecure.
28th January, 2010 - Contact with Wippien developer by email
We recommend to migrate from Wippien or use an additional form of
protection, e.g., SSH and SSL, immediately.
pub 4096R/B105F0C3 Michael Rossberg
Key fingerprint = 8448 88F0 C803 14FD 01AF A819 D2BF 817D B105 F0C3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
-----END PGP SIGNATURE-----
From the Wippien forum (http://www.wippien.com/forum.php?action=view&topic=1191281119
User: [...] I was wondering what the level of security is in Wippien.
Developer: [...] You shouldn't worry about security since we had it in
mind when implementing Wippien. [...]
User: Thanks, [...] that puts my mind at ease.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Multiple Security Issues in Wippien Michael Rossberg (Feb 04)