Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Raidsonic NAS-4220 Crypt Disk Key Leak

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Raidsonic NAS-4220 Crypt Disk Key Leak
Date: 16 Mar 2008 18:58:00 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Raidsonic NAS-4220 Crypt Disk Key Leak
------------------------------------------------------------------------


SUMMARY

The  
<http://www.raidsonic.de/de/pages/products/details.php?we_objectID=5051> 
NAS-4220-B offers disk encryption through it's web interface. The key used 
for encrypting the disk(s) is stored on a unencrypted partition. Therefore 
one can extract the encryption key by removing the disk from the Raidsonic 
NAS-4220 and reading the value from the unencrypted partition. The key 
itself is stored in a file in plain (base64 encoded). Therefore the 
NAS-4220 crypt disk support can not be considered secure.

DETAILS

The NAS-4220-B can hold two SATA disks. Disk are encrypted through a loop 
back device using AES128. The problem came to Collin's attention when he 
could access the NAS after reboot without suppling the hard disk key.

The key is stored in /system/.crypt, "/system" is a small configuration 
partition on the same disk that holds the encrypted partition. The system 
partition is created by the system software running on the NAS-4220. The 
configuration partition of the second hard disk is not mounted by default 
but also contains the .crypt file holding the key for the encrypted 
partition on the same disk.

Accessing the key (key value is the example Collin used):
  $ cat /system/.crypt
  MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
 
  key in plain key in base64
  12345678901234567890 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=

Base64 decode:
#!/usr/bin/python
from base64 import *
print b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=")


ADDITIONAL INFORMATION

The information has been provided by  <mailto:collin@betaversion.net> 
Collin Mulliner.
The original article can be found at:  
<http://www.mulliner.org/security/advisories/raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt>
 
http://www.mulliner.org/security/advisories/raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Raidsonic NAS-4220 Crypt Disk Key Leak, SecuriTeam <=
Previous by Date:  [EXPL] Firebird Integer Overflow (Exploit), SecuriTeam
Next by Date:  [NEWS] Ruby WEBrick Directory Traversal, SecuriTeam
Previous by Thread:  [EXPL] Firebird Integer Overflow (Exploit), SecuriTeam
Next by Thread:  [NEWS] Ruby WEBrick Directory Traversal, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]