## e2 Security GmbH Advisory 2018-01 ##
#######################################
Unencrypted transmission and usage of hardcoded encryption key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview
########
Advisory ID: E2SA-2018-01
Advisory Version: 1.0
Advisory Status: Public
Advisory URL: https://advisories.e2security.de/2018/E2SA-2018-01.txt
Affected Product: MensaMax Android app
Affected Version: 4.3
Vendor: Breustedt GmbH, https://mensamax.de
Credits: Stefan Pietsch, e2 Security GmbH
Issue Details
#############
1) The MensaMax Android application uses plain HTTP to communicate with the web
server. Authentication information is transmitted in plain text with a HTTP GET
request. An attacker is able to eavesdrop the communication between the
application and the server because the transport layer is not encrypted.
Severity: High
CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
CVE ID: CVE-2018-15752
CWE ID: CWE-319
2) The MensaMax Android application encrypts the login username and password
with a static DES key. The key is hardcoded in the Android application file. An
attacker is able to retrieve the encryption key from the apk file and decrypt
the login credentials retrieved from the unencrypted HTTP transmission.
Severity: High
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE ID: CVE-2018-15753
CWE ID: CWE-321
PoC (Proof of Concept)
######################
Sample HTTP request with invalid credentials:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GET /MM_Android/Service1.svc/getURLVonProjekt/GtBWTDhwry4=,s7eTGwGP_h0=,N9NkXQvJkIQ=,iDZZxd4IXZ0=,A3smkmlKRzw=,mensahome HTTP/1.1
Host: mensahome.de
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The GET parameters are Base64 encoded and encrypted with a static DES key.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# echo "N9NkXQvJkIQ=" | openssl enc -a -des-ecb -d -K 436f666665653130
user1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution and Workaround
#######################
Do not use the MensaMax Android app until a fixed version is released.
History
#######
2018-08-10: Issue found
2018-08-13: Initial Vendor contact, Issue details reported to Vendor
2018-08-15: Vendor acknowledged vulnerabilities
2018-08-23: CVE IDs added
2018-10-01: Advisory published