CVE-1999-0470 : Détail

CVE-1999-0470

0.84%V4
Network
2000-01-04
04h00 +00:00
2024-08-01
16h41 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 19364

Date de publication : 1999-04-08 22h00 +00:00
Auteur : dreamer
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/482/info The encrypted passwords for Remote.NLM are remotely accessible to anyone with the ability to view SYS:System\LDRemote.NCF. The password encryption algorithm for Remote.NLM has been broken and can be decrypted with pencil and paper. The password will look something like this: AF8CBBF48CA9955F5ADAFDADAA23 The structure of the password is as follows: AF8CBBF48CA99 55F5ADAFDADAA - 23 The first section contains the low-order bits, and the second, the high-order bits. 23 is the time byte, which is decremented by the server once every two seconds, from FF to 02, then back up to FF, etc. Step 1) Realign the low-order bits and high-order bits. This is extremely simple to do. The high-order bits are in order from the first character to the last, and so are the low-order bits. Example: Password: AF8CBBF48CA99 - 55F5ADAFDADAA, Output: 5A 5F F8 5C AB DB AF F4 D8 AC DA A9 A9 At this point, ignore 5A 5F F8 5C, or the first four bytes. They are appended somewhere during encryption, and decrypt to "%*@$". It was a TERRIBLE idea for Novell to implement those four characters into every single password, as those are what helped me rebuild their hash table from scratch. Also, if the length of the password is 10, the password is automatically decryptable to nul. Step 2) Match each of the password characters (group of two hex characters) to the hash table below. Use their position from the beginning of the table to determine the value of the pre-hash encrypted password. Example: F4, the 8th character of the password, matches the hash table at 95. This means that 95 is the pre-hash value of F4. Thus far, (ignoring the first four characters) the password was: AB DB AF F4 D8 AC DA A9 A9 and now the password is: 98 A0 9B 95 A1 9D A6 9C 9C Remote.NLM Hash Table 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00 5B 58 5E 5F 59 5C 5A 5D-73 70 76 77 71 74 72 75 10 13 10 16 17 11 14 12 15-7B 78 7E 7F 79 7C 7A 7D 20 53 50 56 57 51 54 52 55-03 00 06 07 01 04 02 05 30 1B 18 1E 1F 19 1C 1A 1D-0B 08 0E 0F 09 0C 0A 0D 40 2B 28 2E 2F 29 2C 2A 2D-63 60 66 67 61 64 62 65 50 83 80 86 87 81 84 82 85-3B 38 3E 3F 39 3C 3A 3D 60 8B 88 8E 8F 89 8C 8A 8D-33 30 36 37 31 34 32 35 70 93 90 96 97 91 94 92 95-6B 68 6E 6F 69 6C 6A 6D 80 9B 98 9E 9F 99 9C 9A 9D-A3 A0 A6 A7 A1 A4 A2 A5 90 F3 F0 F6 F7 F1 F4 F2 F5-AB A8 AE AF A9 AC AA AD A0 DB D8 DE DF D9 DC DA DD-FB F8 FE FF F9 FC FA FD B0 23 20 26 27 21 24 22 25-B3 B0 B6 B7 B1 B4 B2 B5 C0 CB C8 CE CF C9 CC CA CD-BB B8 BE BF B9 BC BA BD D0 C3 C0 C6 C7 C1 C4 C2 C5-D3 D0 D6 D7 D1 D4 D2 D5 E0 43 40 46 47 41 44 42 45-E3 E0 E6 E7 E1 E4 E2 E5 F0 4B 48 4E 4F 49 4C 4A 4D-EB E8 EE EF E9 EC EA ED Step 3) Subtract the length (the number of groups of hex characters, excluding the time character) of the full password from each encrypted password character. Now you have the ACTUAL pre-hash encrypted password. If the subtracted value is negative then simply continue from FF down to the negative value. Example: if the password character is at 04, and the length is 6, the value of the password character will be FF. The length is 13 (D in hex), so the password was: 98 A0 9B 95 A1 9D A6 9C 9C and is now: 8B 93 8E 88 94 90 99 8F 8F Step 4) Get the time var, in this situation 23 (hex), and subtract it from FF. This new character is for use in Step 5. Example: FF-23=DC. Step 5) Finally, XOR each character (group of 2 hex characters) of the encrypted password with the new time character, and you now have the decrypted password! The password was: 8B 93 8E 88 94 90 99 8F 8F (before the XOR) Now, the decrypted password is: 57 4F 52 54 48 4C 45 53 53 "WORTHLESS" The exploit program does all this automatically. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19364.zip

Products Mentioned

Configuraton 0

Novell>>Netware >> Version 4.0

Références

http://www.securityfocus.com/bid/482
Tags : vdb-entry, x_refsource_BID
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.