
RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities

by Nikola Strahija on February 11th, 2003

An attacker can use the software to encrypt a dummy file with a passphrase of his or her choosing. The resulting secret key can then be inserted into any other file that has been encrypted with the software.

Severity: High Risk

Vendor: Research Triangle Software, Inc.

Advisory reported to vendor: February 2, 2003

Author: Michael Whitehead, CISSP
Author Contact: [email protected]

Vulnerability Summary
The software has multiple vulnerabilities related to the implementation of
its passphrase and general encryption techniques. The easiest to exploit
is through use of a symmetric key injection attack. An attacker can use
the software to encrypt a dummy file with a passphrase of his or her
choosing. The resulting secret key can then be inserted into any other
file that has been encrypted with the software. The resulting file may
then be decrypted using the software and the attacker's previously
selected passphrase. Details of this and other vulnerabilities can be
found at the end of this advisory.

There is no recommended solution at this time. The vendor was very
responsive to this advisory and provided additional information to further
develop this advisory. Vendor has indicated that the issues identified in
this advisory will be mitigated in the next version of the software.

Product Description
This shareware product would be generally classified as a "security &
encryption" file utility.

A description provided on one of the many shareware sites:

"CryptoBuddy(TM) is an easy-to-use encryption
program that allows individuals and corporations to effectively protect
and encrypt their files and data. As the Internet increasingly becomes an
unsafe medium for transporting confidential information, CryptoBuddy
enables you to take any file and quickly encrypt and compress it."

Affected Versions

CryptoBuddy 1.2 and earlier versions.

O/S Notes: software is only available for Windows (Win95/98/ME/NT/2000/XP)


The use of this software should be determined relative to the risk.

Advisory Detail

The software is intended to "effectively protect and encrypt" files. As
such, it DOES encrypt files. The EFFECTIVENESS of the method used is key
to this advisory. Since this product's primary purpose is to be used as
a data encryption system, it is imperative that users of the software are
fully aware of limitations in its effectiveness at protecting their data.

Item 1:
Vulnerability-- Predictable File Schema; Secret key stored, not used to
encrypt data
Threat-- Unknown secret key can be replaced with known secret key
Exposure-- Attacker can decrypt any encrypted file created by any
user of this program
Attack-- "Symmetric key injection" (see Note below).
Tools-- hex editor, CryptoBuddy; exploit could be easily scripted
Severity -- High

Note-- I am using the term "Symmetric key injection attack" as I was
unable to find another term for this technique.

Description-- A passphrase provided by the user is simply encrypted and
stored with the resulting ciphertext and is not actually used to encrypt
the plaintext. It is stored in a predictable location (fixed-length,
reserved block) in the resulting ciphertext file (offset 120:15A). Since
the key is not used to encrypt the plaintext, the attacker can simply
encrypt an empty file, copy block 120:15A from the resulting encrypted
file, and replace the same block in ANY target file. The target file can
then be simply decrypted using the attacker's passphrase (and the
CryptoBuddy software). Payload ciphertext is always appended to the end
of the passphrase block (at offset 15C, after a spacer byte (0x00) at
offset 15B). This exploit works because the key is not used to encrypt
the plaintext.

Additional note- this exploit could be easily scripted.
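
A hardened counterpart to the design described in Item 1, as an added example (not from the advisory or the vendor's code): the file key is derived from the passphrase with a salted KDF and a MAC binds the header to the payload, so a header taken from another file is rejected. The container layout, function names, parameters and the SHAKE-256 keystream (a stand-in for a vetted AEAD cipher) are assumptions for illustration.

```python
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN, ITERATIONS = 16, 32, 100_000  # illustrative parameters

def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # One slow, salted derivation yields separate encryption and MAC keys.
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def xor_stream(key: bytes, salt: bytes, data: bytes) -> bytes:
    # Stand-in cipher: SHAKE-256 keystream XOR. Use a vetted AEAD in real code.
    stream = hashlib.shake_256(key + salt).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(passphrase: str, plaintext: bytes) -> bytes:
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = xor_stream(enc_key, salt, plaintext)
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + tag + body  # header holds salt and tag, never key material

def unseal(passphrase: str, blob: bytes) -> bytes:
    hdr = SALT_LEN + TAG_LEN
    salt, tag, body = blob[:SALT_LEN], blob[SALT_LEN:hdr], blob[hdr:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified file")
    return xor_stream(enc_key, salt, body)

def header_swap_rejected() -> bool:
    # Constructed scenario: the header of a file sealed under one passphrase
    # is placed in front of the payload of a file sealed under another.
    target = seal("first passphrase", b"confidential payroll data")
    donor = seal("second passphrase", b"dummy")
    hdr = SALT_LEN + TAG_LEN
    grafted = donor[:hdr] + target[hdr:]
    try:
        unseal("second passphrase", grafted)
    except ValueError:
        return True  # the MAC no longer matches, so the file is refused
    return False
```

Because the encryption key exists only as the output of the derivation, there is no stored key block to replace, and the MAC check fails on any header and payload that were not sealed together.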

Item 2:
Vulnerability-- Encrypted passphrase has some predictability, weakly
encrypted, not hashed, and unseeded/unsalted
Attack-- Dictionary attack via predictable keys
Attack-- Segmented brute forcing (like the LANMAN attacks)

Severity-- High

Description-- Obviously, these attacks are not preferred methods, as
Item #1 is easy to employ. Note: I did not analyze the encryption
algorithm (no debugging/reverse engineering); however, since the software
develops a predictable/known key for each passphrase, a dictionary could
be easily developed.

Additionally, there appears to be a weakness in the passphrase algorithm,
in that the passphrase is broken into 4-byte segments; thus making
dictionary and brute force attacks substantially easier (by decreasing
the work factor).

Some examples:

[Plaintext Passphrase; (ASCII)] -> (Ciphertext Key (hex))

1234  -> 44F9FA2A174A3F8E 2A7D2C59DA0D6A3B
         ++++++++++++++++ ****************

12345 -> 44F9FA2A174A3F8E 2437EE3219DED143

5678  -> 743575164122BA96 2A7D2C59DA0D6A3B

analysis: + = 1st 4 bytes are split, not hashed with entire passphrase;
          * = predictability related to passphrase length

12345678 -> 44F9FA2A174A3F8E 6CB1A73BD2C69BA8

1234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02

123456781234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02
                            E75E0CE089B45E02 6CB1A73BD2C69BA8

12345678123456781234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02
                                    E75E0CE089B45E02 E75E0CE089B45E02

analysis: larger keys are highly repetitive and predictable
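
The block reuse visible in the examples above can be checked mechanically. The following is an added example, not part of the advisory: it splits each stored key from the table into 8-byte blocks and reports blocks that recur under different passphrases or within one key. The sample values are copied from the table above; the function names are assumptions.

```python
from collections import defaultdict

# Passphrase -> stored key (hex), copied from the advisory's examples.
SAMPLES = {
    "1234": "44F9FA2A174A3F8E 2A7D2C59DA0D6A3B",
    "12345": "44F9FA2A174A3F8E 2437EE3219DED143",
    "5678": "743575164122BA96 2A7D2C59DA0D6A3B",
    "12345678": "44F9FA2A174A3F8E 6CB1A73BD2C69BA8",
    "1234567812345678": "44F9FA2A174A3F8E E75E0CE089B45E02",
    "123456781234567812345678":
        "44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 6CB1A73BD2C69BA8",
    "12345678123456781234567812345678":
        "44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 E75E0CE089B45E02",
}

def blocks(hex_key: str, size: int = 8) -> list[str]:
    """Split a stored key into fixed-size blocks, returned as upper-case hex."""
    raw = bytes.fromhex(hex_key.replace(" ", ""))
    return [raw[i:i + size].hex().upper() for i in range(0, len(raw), size)]

def shared_blocks(samples: dict[str, str]) -> dict[str, set[str]]:
    """Blocks that appear in the stored keys of two or more passphrases."""
    seen = defaultdict(set)
    for passphrase, hex_key in samples.items():
        for block in blocks(hex_key):
            seen[block].add(passphrase)
    return {b: pws for b, pws in seen.items() if len(pws) > 1}

def internal_repeats(samples: dict[str, str]) -> dict[str, int]:
    """Per passphrase, how many blocks duplicate an earlier block of its key."""
    result = {}
    for passphrase, hex_key in samples.items():
        parts = blocks(hex_key)
        duplicates = len(parts) - len(set(parts))
        if duplicates:
            result[passphrase] = duplicates
    return result

if __name__ == "__main__":
    for block, passphrases in shared_blocks(SAMPLES).items():
        print(block, "shared by", sorted(passphrases, key=len))
    print("repeats within one key:", internal_repeats(SAMPLES))
```

A salted hash or key-derivation function would give every passphrase, and every file, an unrelated value, so both functions would return empty results.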

Item 3:
Vulnerability-- Passphrase key is truncated after the 55th byte of the
Threat-- Long passwords (>55 bytes) provide no more entropy
(strength) than the first 53 bytes (see Item 4, for
explanation of why this isn't the "first 55 bytes")
Severity-- Medium

Note-- Items 3 and 4 are listed as "medium severity" ONLY because users
are less likely to use passphrases longer than 53 bytes.

Description-- A passphrase of >55 bytes is truncated, prior to being
encrypted and stored as the key. This weakens the perceived strength of
passphrases longer than 55 bytes. Additionally, this indicates that the
passphrase is not hashed (or not well-hashed).

Item 4:
Vulnerability-- Bytes 53 through 55 of a 55-byte or longer passphrase are
stored in plaintext
Threat-- Exposure of elements of the passphrase
Severity-- Medium

Description-- Self-explanatory
