AGR IT Advisory

May 2, 2006

AGR-ADV-2006-01


TITLE: Vulnerability in the way Ultr@VNC handles MS-Logon Authentication.


Overview


Deon Force discovered a vulnerability in Ultr@VNC 1.0.1 and earlier versions 
with MS-Logon I and MS-Logon II authentication that may allow attackers to 
crack the Windows password directly from the intercepted challenge/response of 
MS-Logon traffic. This is due to the way Ultr@VNC handles MS-Logon 
authentication.


Description


Ultr@VNC (available at http://ultravnc.sourceforge.net/) is free software 
that displays the screen of another computer (over the Internet or a local 
network) on your own screen. The program remotely controls the other PC over 
any TCP/IP connection for administration and support.

While analyzing the MS-Logon authentication of Ultr@VNC, our team found that 
it is possible to crack it: a simple algorithm generates the response from the 
challenge sent by the VNC server to the VNC client, and the username is sent in 
plain text.

Our team has updated VNCrackX4 so that it can crack an intercepted 
challenge/response of the MS-Logon authentication. It is based on the original 
version of VNCrackX4 from phenoelit, available for download at 
www.phenoelit.de/vnccrack/download.html. The updated version of VNCrackX4 is or 
will be available at the same location.


Problems


The challenge/response authentication process uses an insecure, reversible 
algorithm (XOR).

An attacker can extract the Windows password from the intercepted 
challenge/response.
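As an added illustration that is not taken from the advisory or from Ultr@VNC's own code, the hypothetical model below contrasts an XOR-based challenge/response (the class of design described above, where one XOR of the two captured halves returns the secret) with a keyed-hash design that a passive observer cannot invert. The function names, the 16-byte challenge and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 16


def xor_response(challenge: bytes, password: bytes) -> bytes:
    """Hypothetical model of a reversible XOR challenge/response scheme.
    Not Ultr@VNC's actual MS-Logon code; it only stands for the class of
    design the advisory describes: the password is XORed straight into
    the challenge, so the response is a function an observer can invert."""
    key = password[:CHALLENGE_LEN].ljust(CHALLENGE_LEN, b"\x00")
    return bytes(c ^ k for c, k in zip(challenge, key))


def invert_xor_exchange(challenge: bytes, response: bytes) -> bytes:
    """Why the scheme is 'reversible': XOR is its own inverse, so whoever
    captured both halves of the exchange gets the key material back with a
    single XOR and no brute force. Shown here only to make the risk concrete."""
    return bytes(c ^ r for c, r in zip(challenge, response)).rstrip(b"\x00")


def hmac_response(challenge: bytes, password: bytes) -> bytes:
    """Hardened form: a keyed hash (HMAC-SHA-256) over the challenge. The
    response reveals nothing about the password, and a fresh random challenge
    per session makes a captured response useless for replay."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def server_verify(challenge: bytes, response: bytes, stored_password: bytes) -> bool:
    """Server side of the hardened exchange: recompute, compare in constant time."""
    expected = hmac_response(challenge, stored_password)
    return hmac.compare_digest(expected, response)


def new_challenge() -> bytes:
    """Per-session random challenge; never reuse one across sessions."""
    return os.urandom(CHALLENGE_LEN)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    pw = b"s3cretPass"
    ch = bytes.fromhex("00112233445566778899aabbccddeeff")
    weak = xor_response(ch, pw)
    print("XOR scheme, observer recovers:", invert_xor_exchange(ch, weak))
    strong = hmac_response(ch, pw)
    print("HMAC scheme, observer sees only:", strong.hex())
    print("server accepts HMAC response:", server_verify(ch, strong, pw))
```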


Impact


Successfully sniffing the authentication session compromises the Windows 
account used for authentication.

This account can then be used to compromise the system, or other systems in 
the same domain or network.


Solution


We recommend not using the MS-Logon authentication method with Ultr@VNC 
until the algorithms used for authentication are improved.

A workaround for this vulnerability is to use end-to-end encryption for the 
communication between the server and the client. A VPN would prevent an 
attacker from intercepting the authentication exchange.

Another solution is to use the DSM plug-in available at 
http://msrc4plugin.home.comcast.net/index.html, provided that the key file is 
kept secure.


Credit


This vulnerability was discovered and researched by Deon Force. It was first 
reported to the Ultr@VNC team on 21 April 2006.


Copyright


This document is not to be edited or altered in any way without the express 
written consent of AGR(B) Sdn. Bhd. If you wish to reprint the whole or any 
part of this document, please email [EMAIL PROTECTED]@asia-global-risk.com for 
permission. You may provide links to this document from your web site, and you 
may make copies of this document in accordance with international copyright 
laws. 


Disclaimer


The information within this document may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor be held liable for any damages whatsoever arising out of or 
in connection with the use or spread of this information.


About Deon Force


Deon Force is a team of security experts working in collaboration with Asia 
Global Risk.


About Asia Global Risk


Asia Global Risk is a risk management company providing a wide range of 
security services, including IT security.

Website: http://www.asia-global-risk.com


Revisions:


Version 0.1, April 21, 2006 – Draft version.

Version 1.0, May 2, 2006 – First public version.

An updated version of this document may be found at this address: 
http://www.asia-global-risk.com/IT/AGR_IT_ADV_2006-01-VNC.pdf
