Meeting Maker Weak Password Encryption Vulnerability
BID:1151
Info
Meeting Maker Weak Password Encryption Vulnerability
| Bugtraq ID: | 1151 |
| Class: | Design Error |
| CVE: |
CVE-2000-0326 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 25 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | Discovered by Matt Power <[email protected]> and posted to Bugtraq on April 25, 2000. |
| Vulnerable: |
ON Technology Meeting Maker 6.0 ON Technology Meeting Maker 5.0 ON Technology Meeting Maker 4.0 ON Technology Meeting Maker 3.0 ON Technology Meeting Maker 2.0 ON Technology Meeting Maker 1.0 |
| Not Vulnerable: | |
Discussion
Meeting Maker Weak Password Encryption Vulnerability
Meeting Maker is a client-server scheduling application. The server is available for Solaris, Windows and Macintosh systems, and the client is Java-based and works in conjunction with any browser. Due to poor encryption of passwords while in transit, user credentials can be obtained by anyone sniffing the network.
The encryption used is proprietary, and involves polyalphabetic substitution. Once the algorithm is known, the passwords can be trivially decrypted.
Meeting Maker is a client-server scheduling application. The server is available for Solaris, Windows and Macintosh systems, and the client is Java-based and works in conjunction with any browser. Due to poor encryption of passwords while in transit, user credentials can be obtained by anyone sniffing the network.
The encryption used is proprietary, and involves polyalphabetic substitution. Once the algorithm is known, the passwords can be trivially decrypted.
Exploit / POC
Meeting Maker Weak Password Encryption Vulnerability
mmdump.pl - requires tcpdump
mmdump.pl - requires tcpdump
Solution / Fix
Meeting Maker Weak Password Encryption Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Meeting Maker Weak Password Encryption Vulnerability
References:
References:
- ALL: Level of security provided by Meeting Maker passwords (ON Technology)