MensaMax 4.3 Hardcoded Encryption Key Disclosure

MensaMax version 4.3 performs unencrypted transmission and usage of a hardcoded encryption key.


MD5 | 0dcd056d5e6d9e0809614df5015da39d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## e2 Security GmbH Advisory 2018-01 ##
#######################################


Unencrypted transmission and usage of hardcoded encryption key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Overview
########

Advisory ID: E2SA-2018-01
Advisory Version: 1.0
Advisory Status: Public
Advisory URL: https://advisories.e2security.de/2018/E2SA-2018-01.txt
Affected Product: MensaMax Android app
Affected Version: 4.3
Vendor: Breustedt GmbH, https://mensamax.de
Credits: Stefan Pietsch, e2 Security GmbH


Issue Details
#############

1) The MensaMax Android application uses plain HTTP to communicate with the web
server. Authentication information is transmitted in plain text with a HTTP GET
request. An attacker is able to eavesdrop the communication between the
application and the server because the transport layer is not encrypted.

Severity: High
CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
CVE ID: CVE-2018-15752
CWE ID: CWE-319


2) The MensaMax Android application encrypts the login username and password
with a static DES key. The key is hardcoded in the Android application file. An
attacker is able to retrieve the encryption key from the apk file and decrypt
the login credentials retrieved from the unencrypted HTTP transmission.

Severity: High
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE ID: CVE-2018-15753
CWE ID: CWE-321


PoC (Proof of Concept)
######################

Sample HTTP request with invalid credentials:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GET /MM_Android/Service1.svc/getURLVonProjekt/GtBWTDhwry4=,s7eTGwGP_h0=,N9NkXQvJkIQ=,iDZZxd4IXZ0=,A3smkmlKRzw=,mensahome HTTP/1.1
Host: mensahome.de
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The GET parameters are Base64 encoded and encrypted with a static DES key.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# echo "N9NkXQvJkIQ=" | openssl enc -a -des-ecb -d -K 436f666665653130
user1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution and Workaround
#######################

Do not use the MensaMax Android app until a fixed version is released.


History
#######

2018-08-10: Issue found
2018-08-13: Initial Vendor contact, Issue details reported to Vendor
2018-08-15: Vendor acknowledged vulnerabilities
2018-08-23: CVE IDs added
2018-10-01: Advisory published
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEENetcDna8vCUjklqvmSVmYknuuOMFAluyLA0ACgkQmSVmYknu
uOOHdQ//VFjBl+sOKkuCc/y4nH9MezI3wqMnsuk9rXgQpbdUjmZD+H9MO/Y3ylQN
0QkdQ1MSkFFHazHQD+VHJSYm/Ps7ma4+zcKAhId5zuiBFYIM2fyh6pZSGtLLB+F1
bYAWNTY45yPH/5EfeOUYd60pPPI57uic8fWLJPICnYvI5JW+1geE1I+ljNKrhSmf
HCaU4JYXr19J8pZU2cVU2GWQ55CPOrIsgmGPoAbncnWguM/Seh2VL29kfy12sN3d
fH70VvyZA6fBne/tKaueeYEBOYlZw0PAdBOBcktrOj19VK18xp2yE9W884F1n6fM
N+EocPG2wj8irmagLvIKQZuSCbydxTC58W41WtKwSgA8LsvvOr2yZeqU+B59ouB4
Ibn6TfXSScfFj4ohPiqaPNpakGHeoREyH5sg7ipiBeELT+JyRQRNnZIQ33LFAGfN
8KkVrt6i0rkc0rXeIPLso6utng0Z52n7T3BJmny7XVqYb/YWocE0SWJ4V5TIqSw9
B0M3jD6NyMqYIJSfmDBOyangEUU6Ww0c1C272tJ/Mt5YOYK9OFo/zBERdIWXm9I+
f3yD3mauZK/oLQoVheWcqLy2ThsU5Vss6fbLobhY5EF08BaUlAIdp7ietVlbz3vQ
G1yzvhgLfgWteP6nTwghyznkBqZbkC/gJ49G9/YZDpm25/inOtc=
=7Jzx
-----END PGP SIGNATURE-----


Related Posts