MensaMax 4.3 Hardcoded Encryption Key Disclosure

2018.10.02
Credit: Stefan Pietsch
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2018-15752 | CVE-2018-15753
CWE: CWE-319
CWE-321

## e2 Security GmbH Advisory 2018-01 ## ####################################### Unencrypted transmission and usage of hardcoded encryption key ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview ######## Advisory ID: E2SA-2018-01 Advisory Version: 1.0 Advisory Status: Public Advisory URL: https://advisories.e2security.de/2018/E2SA-2018-01.txt Affected Product: MensaMax Android app Affected Version: 4.3 Vendor: Breustedt GmbH, https://mensamax.de Credits: Stefan Pietsch, e2 Security GmbH Issue Details ############# 1) The MensaMax Android application uses plain HTTP to communicate with the web server. Authentication information is transmitted in plain text with a HTTP GET request. An attacker is able to eavesdrop the communication between the application and the server because the transport layer is not encrypted. Severity: High CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) CVE ID: CVE-2018-15752 CWE ID: CWE-319 2) The MensaMax Android application encrypts the login username and password with a static DES key. The key is hardcoded in the Android application file. An attacker is able to retrieve the encryption key from the apk file and decrypt the login credentials retrieved from the unencrypted HTTP transmission. Severity: High CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVE ID: CVE-2018-15753 CWE ID: CWE-321 PoC (Proof of Concept) ###################### Sample HTTP request with invalid credentials: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GET /MM_Android/Service1.svc/getURLVonProjekt/GtBWTDhwry4=,s7eTGwGP_h0=,N9NkXQvJkIQ=,iDZZxd4IXZ0=,A3smkmlKRzw=,mensahome HTTP/1.1 Host: mensahome.de Connection: close User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The GET parameters are Base64 encoded and encrypted with a static DES key. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # echo "N9NkXQvJkIQ=" | openssl enc -a -des-ecb -d -K 436f666665653130 user1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution and Workaround ####################### Do not use the MensaMax Android app until a fixed version is released. History ####### 2018-08-10: Issue found 2018-08-13: Initial Vendor contact, Issue details reported to Vendor 2018-08-15: Vendor acknowledged vulnerabilities 2018-08-23: CVE IDs added 2018-10-01: Advisory published


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top