Type packetstorm
Reporter Richard Scott
Modified 2001-04-07T00:00:00


`-=> Zero Tolerance Technologies (T) Security Advisory <=-`  
Reference: ZTT-SA01-27032001  
Author: Richard Scott,  
Product: Computer Associates' CCC\Harvest Source Code  
control software  
High: application superuser can be obtained.  
CCC\Harvest v5.0 running on NT\2000; this could also apply to  
other platforms and versions.  
Discovered: 26th March 2001  
CCC Harvest is a tool that is used to audit and maintain  
access control to source code. If the security mechanism is  
broken, source code can be modified and downloaded with  
little audit trail.  
CCC Harvest has an authentication model that uses TCP to  
transmit the security credentials to the server for  
authentication. The encryption method used is susceptible  
to a chosen plaintext attack.  
The length of the password does not increase security. No  
feedback chaining is used to prevent repeated terms in the  
plaintext appearing in the ciphertext. A user could  
discover the superuser password in encrypted form and then  
apply character substitution to reveal the plaintext.  
Using a chosen-plaintext attack, the character substitution  
matrix can be constructed. Using this matrix, it is  
possible to simply look up each ciphertext character to  
reveal its plaintext equivalent.  
The password that was captured using a network analyzer in  
encrypted form was:  
Using the matrix above, the resulting plaintext would be:  
If other characters had been used, it is easy to see how a  
chosen-plaintext attack would extend: feed in the ASCII  
character set and review the ciphertext that appears. The  
last few characters also reveal another weakness. The  
algorithm being used seems to take one character at a  
time, and does not use any loop-back mechanism to prevent  
repeating terms in the plaintext occurring in the  
Vendor Notification:  
CCC\Harvest have been notified through their support system,  
found at :  
I've had a response that all they are willing to say is that  
this is the current mechanism. There may be some confusion  
as to the extent of the exploit, but I've tried to notify  
them of the problem.  
Current research has led me to believe the following:  
1) the encryption key is hard-coded into the application  
2) the key is the same for all installations of  
As of 27-03-2001 CA are aware of the problem.  
If CCC\Harvest supports NT authentication, it should be  
Changing the key is not a sufficient precaution to prevent  
this attack.  
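The following Python is an added illustration, not CCC\Harvest's code and not part of the original advisory. It models the shape of weakness described above with a constructed per-character substitution table (the `shift` parameter stands in for the hard-coded key), provides an audit check that flags any length-preserving scheme with that shape regardless of which key is loaded (which is why changing the key is not a sufficient precaution), and contrasts it with a challenge-response design in which no recoverable form of the password ever crosses the network. The table, passwords, salt, nonces and iteration count are all constructed for the example.

```python
"""Added illustration, not the vendor's code: a constructed per-character
substitution with no chaining, an audit check that flags that shape, and a
challenge-response design that never puts a recoverable credential on the
wire. Table, passwords, salt, nonces and iteration count are constructed."""
import hashlib
import hmac
import string

# Digits, letters, punctuation and space: the alphabet the toy scheme maps over.
_ALPHABET = string.printable[:95]


def make_weak_table(shift: int) -> dict:
    """Fixed substitution table; `shift` stands in for the hard-coded key.
    Any shift value yields the same weak shape (constructed, not Harvest's)."""
    s = shift % len(_ALPHABET)
    return dict(zip(_ALPHABET, _ALPHABET[s:] + _ALPHABET[:s]))


def weak_encrypt(plaintext: str, table: dict) -> str:
    """One character at a time, no feedback: equal input characters give equal
    output characters, and the same password always yields the same ciphertext."""
    return "".join(table[c] for c in plaintext)


def leaks_repeated_terms(encrypt, sample: str = "aabbccaabbcc") -> bool:
    """Audit check for a length-preserving scheme: True when encrypting twice
    gives identical output AND every repeated plaintext character maps to the
    same ciphertext character regardless of position. That is a lookup table
    in disguise; a credential channel should return False here."""
    ct1, ct2 = encrypt(sample), encrypt(sample)
    if ct1 != ct2 or len(ct1) != len(sample):
        return False
    mapping = {}
    for p, c in zip(sample, ct1):
        if mapping.setdefault(p, c) != c:
            return False
    return True


# --- a design that does not transmit a recoverable password ---------------

def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation; the server stores this instead of the password.
    The iteration count is a constructed example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client answers a fresh server nonce with HMAC(derived key, nonce). A
    captured response cannot be decoded back to the password and is useless
    against any other nonce, so a network analyzer learns nothing reusable."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def server_verify(stored_key: bytes, nonce: bytes, response: bytes) -> bool:
    """Constant-time comparison against the locally recomputed expected value."""
    expected = hmac.new(stored_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    table = make_weak_table(37)
    print("weak ciphertext:", weak_encrypt("aabbcc", table))
    print("weak leaks:", leaks_repeated_terms(lambda p: weak_encrypt(p, table)))
    # Swapping the hard-coded key does not change the weak shape.
    rekeyed = make_weak_table(5)
    print("rekeyed leaks:", leaks_repeated_terms(lambda p: weak_encrypt(p, rekeyed)))
    salt, nonce = b"constructed-salt", b"constructed-nonce-1"
    stored = derive_key("superuser-pw", salt)
    resp = client_response("superuser-pw", salt, nonce)
    print("challenge-response verifies:", server_verify(stored, nonce, resp))
```

The audit check is the piece a practitioner can point at an in-house credential encoding: if the same password encodes identically on every run and repeated characters line up with repeated ciphertext, the scheme is a substitution table and no choice of key repairs it. The challenge-response half shows the property to aim for instead: the value on the wire changes with every nonce and cannot be turned back into the password.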