Strip for Palm password vulnerability

by phiber on April 11th, 2001

Strip-0.5 features a function for generating passwords, which certainly has some appeal to anyone who generates passwords frequently.
However, this function has some flaws, one of which limits the number of different passwords Strip can create to 2^16 per class (alphanumeric, alphabetic, numeric, ... with N characters).



Vulnerability description:

- Strip uses the PalmOS SysRandom() function to generate the
passwords. SysRandom() is a very simplistic linear PRNG, which
should most likely not be used for password generation.



- Strip tries to seed this PRNG with the result of TimGetTicks().
TimGetTicks() returns the number of ticks (1 Tick = 10ms on
current devices) since the last reset of your Palm. The ticks
counter is not incremented when the device is turned off.



Obviously, small values for the TimGetTicks() result are much more
likely than large values, so an attacker could just start at 0 and
try every possible ticks value. This kind of attack would already
be quite successful and efficient - at least against any
passwords generated during the first couple of months of regular
use of a PalmOS device after a reboot.



- The actual implementation has a bug which finally limits the
search space to trivial dimensions: TimGetTicks() returns a 32
bit integer value, and the PRNG expects such a value as its seed.
However, the return value from TimGetTicks() is stored in a 16
bit Int variable.



Thus, the numbers 0, ..., 0xffff are the only seeds which will
ever be used, limiting the number of possible passwords of any
class to 2^16.
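
The effect of the 16-bit seed variable, as an added C example that is not Strip's code or the advisory's demonstration program. The names `lcg_next`, `gen_password`, `seed_truncated`, `seed_full` and the sampled tick range are assumptions, and the generator is a stand-in linear PRNG, not PalmOS SysRandom().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_LEN 8
#define SAMPLE_TICKS (4u * 65536u) /* constructed sample: ~44 min of 10 ms ticks */

static const char ALNUM[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Stand-in linear PRNG (ANSI C sample rand() constants), NOT PalmOS SysRandom(). */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fffu;
}

/* The bug described above: the 32-bit tick count lands in a 16-bit variable. */
static uint32_t seed_truncated(uint32_t ticks) { uint16_t s = (uint16_t)ticks; return s; }
/* The same tick count kept at full width. */
static uint32_t seed_full(uint32_t ticks) { return ticks; }

/* Hypothetical 8-character alphanumeric generator driven by the seeded PRNG. */
static void gen_password(uint32_t seed, char out[PW_LEN + 1]) {
    for (int i = 0; i < PW_LEN; i++) out[i] = ALNUM[lcg_next(&seed) % 62u];
    out[PW_LEN] = '\0';
}

static int cmp_pw(const void *a, const void *b) { return memcmp(a, b, PW_LEN); }

/* Count distinct passwords produced for tick values 0..SAMPLE_TICKS-1. */
static size_t count_distinct(uint32_t (*seed_fn)(uint32_t)) {
    char (*pw)[PW_LEN + 1] = malloc((size_t)SAMPLE_TICKS * sizeof *pw);
    if (!pw) return 0;
    for (uint32_t t = 0; t < SAMPLE_TICKS; t++) gen_password(seed_fn(t), pw[t]);
    qsort(pw, SAMPLE_TICKS, sizeof *pw, cmp_pw);
    size_t distinct = 1;
    for (uint32_t i = 1; i < SAMPLE_TICKS; i++)
        if (memcmp(pw[i], pw[i - 1], PW_LEN) != 0) distinct++;
    free(pw);
    return distinct;
}

int main(void) {
    printf("16-bit seed: %zu distinct passwords\n", count_distinct(seed_truncated));
    printf("32-bit seed: %zu distinct passwords\n", count_distinct(seed_full));
    return 0;
}
```

Widening the seed variable removes only the 2^16 cap; as described above, low tick counts remain far more likely than high ones, so a tick-based seed is still guessable.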



Example code is available for download. It can be used to demonstrate this in the case of alphanumeric passwords containing 8 characters: take your encrypted, Strip-generated password from /etc/shadow and pass it as the single command-line argument. (Covering the other classes of passwords Strip can generate is left as an exercise.)


Credits for this vulnerability go to Ian Goldberg, Marc Haber and Thomas Roessler.

