|
--
Standard disclaimer: this material contains my personal oppinions and
beliefs ONLY. It has nothing to do with my employer / company. I am
writing it as a private person. It doesn't have to be upright, nor doesn't
even pretend to provide objective / useful information. All statements
should be verified before claiming they are true. I can't and will not
take any responsibility for any use / misuse of this information, nor any
kind of damage / loss caused by any interpretation of it.
--
First of all, something light:
Simple Web Counter, quite popular cgi application (distributed eg. on
Linuxberg ftp) written by Ross Thompson, is vulnerable to stack buffer
overflow when parsing ctr= parameter. Considered exploitable, exposes
some ISP servers.
Then, something more juicy:
Some time ago, we performed brief, comparative analysis of one-time
passphrases returned by different tokens (SecurID and ActivCard,
mainly) in short time periods (collecting successive one-time
passwords returned by token).
In ActivCard's case, we discovered something at least alarming.
Before continuing, please note - although we tried to collect
the most accurate and representative data and provide objective
and realible informations, there's a chance we've made some mistakes.
-- IMPORTANT STATEMENT --
Thus, please threat this message as an attempt to start futher, more
complete analysis *ONLY*. You shouldn't trust these statements
before making sure they're true - and we can't take *ANY* kind of
responsibility they are.
-- END OF IMPORTANT STATEMENT --
Theoretically, default ActivCard 8-digit display can handle up to
100,000,000 combinations.
First, while analysing output returned by different tokens kindly
provided to us, we thought ActivCard uses alarmingly small (within
around 1-2% of possible number space), but random positive increments in
random length sequences. For example:
.
05314080 .
06401172 < increment around 1.1M : --- sequence of increments
07332504 < increment around 0.9M |
08957912 < increment around 1.6M |
09134516 < increment around 0.2M /
00104910 < large decrement
... \
:
.
But that was only the first impression. We visualised output presented
by tokens, and found it isn't looking really random:
By calculating first derivate of collected values (over 100 samples),
we discovered these increments are determined by simple functions,
that looks pretty deterministic and periodic. For example, one of them
(partially responsible for that huge decrements) has simple cycle of
10). You can see it on graphics generated by our sample program (see
below) as green peaks below X axis.
To make sure we're not studying some rare set of conditions, we checked
some other tokens, with different PIN codes. I guess all of them were
previously synchronized to same server (most of them lost
synchronisation in the meantime), that's why I'm asking other people to
collect some information and try to verify these observatios.
I included simple code to visualise one of our sample data portions. It
should work on Linux/BSD box with svgalib installed:
# gcc -lvga -lm vis.c -o vis
# ./vis <DATA.in
Actually, I guess you can use any other program, like gnuplot,
Derive, Mathematica and so on to perform visualisation.
Dark blue lines are discrete measurement points. White line connects
values in these points, while green line shows delta (increments
between previous and current value).
Consequences?
It make us think that it's quite easy to predict, at least in short
term. It means, attacker, by intercepting short sequence of one-time
passwords, can easily (at least with reasonable probability)
predict next password, and enter it to obtain access to protected
systems.
Predictability of passwords is definetely against idea of such tokens.
Of course, very often ability to sniff password means ability to
intercept session, but by making such assumption in order to justify
predictable output, we have to ask if we need such tokens at all,
instead of static passwords?;)
Even basing on our rough estimations and basic analysis, we were able
to guess next number with about 35% chance within 100 attempts -
while, if returned values meant to be indeterministic, this chance
should be equal to 0.00001%. I guess in-depth analysis might
expose more details about ActivCard algorithm - or prove we've made
a mistake.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
|
