Clear text password vulnerability found in DeskNow Version 1.2
http://www.DeskNow.com

Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY

DeskNow is an easy-to-use and affordable communication server that can handle all the communication and collaboration needs of your company. Now you can install a highly productive environment in minutes, using a single integrated product that enables you and your coworkers to collaborate and share knowledge. The basic version of DeskNow is completely free. The Professional version offers advanced features like wireless access from PocketPC, Palm and WAP, high encryption and advanced mail filters at a very competitive price.

When a user logs in to the Web Mail, the username and password are sent in clear text.

-----[AFFECTED SYSTEMS

Vulnerable systems:
* DeskNow v. 1.2

Immune systems:
* None (Use HTTPS)

-----[SEVERITY

Low/Medium - An attacker is able to put a network sniffer on the network and sniff the username and password, because they are sent in clear text form.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS

When logging in on the Web Mail part, the password is sent in clear text. This vulnerability is quite easy to exploit if you are on the same network as the user that logs on to this service.
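A passive check for the condition described above, added here as an example and not part of the advisory: it parses a captured plain-HTTP request shaped like the transcript that follows and flags form fields whose name looks like a password, keeping the user and the length of the secret but never the secret itself. The host name, the field-name pattern and the sample credentials are constructed for this example; only the login path is taken from the capture.

```python
import re
from urllib.parse import parse_qs

# Form field names that usually carry a credential. Constructed for this
# example; extend it with the field names your own applications use.
CREDENTIAL_KEYS = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.I)

# Constructed request modelled on the advisory's capture. The path is the
# one from the transcript; host, user and password are placeholders.
_BODY = b"username=alice&password=hunter2-example&submit=Login"
SAMPLE_REQUEST = (
    b"POST /desknow/home.do?Action=Login HTTP/1.1\r\n"
    b"Host: desknow.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_cleartext_credentials(raw: bytes) -> list:
    """Flag credential fields in a form POST seen on the wire in plain HTTP."""
    request_line, headers, body = parse_http_request(raw)
    method, _, target = request_line.partition(" ")
    ctype = headers.get("content-type", "")
    if method.upper() != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    length = int(headers.get("content-length", len(body)))
    form = parse_qs(body[:length].decode("latin-1"), keep_blank_values=True)
    findings = []
    for key, values in form.items():
        if CREDENTIAL_KEYS.match(key):
            # Record who logged in where, and how long the secret was; a
            # monitor that stored the password would itself become a leak.
            findings.append({"host": headers.get("host", ""),
                             "path": target.split(" ")[0],
                             "user": form.get("username", [""])[0],
                             "param": key, "secret_length": len(values[0])})
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUEST):
        print("cleartext credential:", finding)
```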
The following transcript demonstrates a sample exploitation of the vulnerability:
-------------------------------------------------------------------
[Used Ethereal to sniff the traffic between the host and server]

LOGIN PAGE:
Here is the capture of the first line of defense from the DeskNow Web Mail

---------------------------- CUT HERE ----------------------------------------
POST /desknow/home.do?Action=Login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
Referer: http:///index.html
Accept-Language: da
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 192.168.1.27
Content-Length: 67
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=31726ABD7F50019824E8DFFBDBCE5627; username=matrix

username=matrix&password=ThisIsMyPassword2&submit=Login&cbremember=checkbox

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Date: Tue, 25 Feb 2003 16:12:18 GMT
Server: Apache Tomcat/4.0.3 (HTTP/1.1 Connector)
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=A660DFCFEABBC6899DE5A5F4F6862BBE;Path=/desknow
---------------------------- CUT HERE ----------------------------------------
--------------------------------------------------------------------

-----[DETECTION

DeskNow Version 1.2 is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.

-----[WORKAROUND

I recommend moving the server onto an HTTPS layer, so the traffic is transferred in encrypted form between the server and host.

Updated information: Upgrade to DeskNow version 2.0

-----[VENDOR RESPONSE

Hi, thanks for analyzing our software! We are of course well aware of the fact that the password is sent in clear text when using the http protocol.
Users and administrators can log in to DeskNow using the HTTPS protocol for maximum security with data encryption. DeskNow supports SSL 3.0 with 128 bit RC4 encryption.

Regards,
Dario

-----[VENDOR RESPONSE UPDATE

Hi Dennis,
DeskNow 2.0, in addition to SSL encryption, now encrypts passwords even when users are connecting with the normal HTTP protocol. The encryption is done via MD5 message digest using 128 bit digest size.
Thanks for the report!

Regards,
Dario

-----[DISCLOSURE TIMELINE

05/03/2003 Found the vulnerability.
10/03/2003 Reported to DeskNow (support@desknow.com).
22/03/2003 Received response from DeskNow; they have no intentions of fixing this issue.
02/04/2003 Public disclosure.
07/07/2003 Received update from vendor.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered by Dennis Rand.

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.