
View Full Version : Multiple Issues in Nettelephone Dialer



S G Masood
07/01/03, 04:28
MULTIPLE ISSUES IN NETTELEPHONE DIALER

Nettelephone(Nettelephone.com) is a PC to Phone
service provider. Its dialer client can be downloaded
from
http://www.nettelephone.com/netelephone_setup325.exe.
Although it is a good service, with very cheap rates
for international calls, it suffers from a few
security problems/design errors which should be
resolved to make it an even better service.


1. Weak Encryption for Account Information:

The dialer (Executable tested - Netfone.exe Version
3.5.6) stores the account number and PIN, besides
other account info, in the registry under the key
HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\settings
and the values are "account" (a string value of length
12) and "pin" (a string value of length 6).
The account number is stored in plaintext whereas the
PIN is stored in encrypted form. However the
encryption is very weak and can be easily broken. The
encryption used is a replacement cipher with decimal
place based standard cipher codes used for each valid
digit ranging from 0-9. Enumerating all the standard
cipher codes enables a malicious attacker to steal a
valid user's account information and use it to abuse
the account.

Demonstration:

The table below gives the cipher codes used:



Digit | Place 1 | Place 2 | Place 3 | Place 4 | Place 5 | Place 6
------+---------+---------+---------+---------+---------+--------
 (0)  |   75    |   76    |   79    |   7E    |   65    |   6E
 (1)  |   74    |   77    |   78    |   7F    |   64    |   6F
 (2)  |   77    |   74    |   7B    |   7C    |   67    |   6C
 (3)  |   76    |   75    |   7A    |   7D    |   66    |   6D
 (4)  |   71    |   72    |   7D    |   7A    |   61    |   6A
 (5)  |   70    |   73    |   7C    |   7B    |   60    |   6B
 (6)  |   73    |   70    |   7F    |   78    |   63    |   68
 (7)  |   72    |   71    |   7E    |   79    |   62    |   69
 (8)  |   7D    |   7E    |   71    |   76    |   6D    |   66
 (9)  |   7C    |   7F    |   70    |   77    |   6C    |   67

The columns indicate the decimal places and the rows
indicate the digits.
Suppose, if the encrypted value in the registry "pin"
key is "70727A7C656B", we first separate the
characters in six groups of two.
Thus, we get "70" "72" "7A" "7C" "65" "6B". Now,
referring to the table gives us the original unencrypted
value of the PIN. For instance, the number in the
first place is "70". To find its original value, we
look for the number "70" in the first column. We see
that it is in the fifth column. Therefore, the
decrypted number in the first place is "5".
Continuing this, we get the decrypted PIN as "543205".

Solution:

Obfuscating the PIN, like it is being done here, is
probably the only practical solution for small
software like this one but steps should be taken to
make it harder to crack. An obfuscation algo which
gets cracked in 5-10 Min. is just not enough. Isn't
it?



2. Demo Call Duration:

The dialer (Executable tested - Netelph.exe Version
3.2.5) offers demo calls to three 1-800 numbers. The
duration for these calls is 45 seconds and it is
disconnected automatically after this time is up. The
demo call settings are stored in the registry key
HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\One\democall.
The duration of the demo call is decided by the dword
value "demoduration" that is stored under the above
key.
It is possible to extend the duration of this call by
increasing this value arbitrarily.
The demo calls are mostly disconnected while the user
is still in the voice menu stage and before anyone
answers the call. When the duration of the demo is
increased, the stage where somebody picks up the phone
on the other end is reached and this may potentially
cause an annoyance.

Although it is not a security vulnerability, I just
thought I should mention it. It is just a design error which can cause
potential annoyance to the call center personnel but,
obviously, this behaviour of the dialer is not
intended.

Regards
S.G.Masood

